Veeam Backup and Replication CVE-2023-27532 Deep Dive
Introduction Veeam has recently released an advisory for CVE-2023-27532 for Veeam Backup and Replication which allows an unauthenticated user with access to the Veeam backup service (TCP 9401 by default) to request cleartext credentials. Others, including Huntress,...
Silicon Valley Bank (SVB) Failure Could Signal a Rise in Business E-mail Compromise (BEC)
On 10 March, Silicon Valley Bank (SVB) – a popular institution for the venture capital community in the Bay area – failed when venture capitalists (VCs) quickly started to pull money out of the 40-year-old bank, causing federal regulators to step in and shut its doors before more damage could be done. These are the perfect conditions for threat actors to steal several million dollars (and perhaps much more!).
From CVE-2022-33679 to Unauthenticated Kerberoasting
On September 13, 2022, a new Kerberos vulnerability was published on the Microsoft Security Response Center's security site. It's labeled as a Windows Kerberos Elevation of Privilege vulnerability and given the CVE ID CVE-2022-33679. The MSRC page acknowledges James...
Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs
Introduction On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write...
Journey to Secure
A series following Horizon3.ai teammate Brian Marr’s “journey to secure” – detailing the logic and items that he uses to understand the business, current security state, and leadership visions for building an internal security program.
Chaining and Reusing Credentials
Attackers don’t need to hack in – they log in. This is why we believe Credentials are the new RCE.
VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive
Introduction The recent VMware VMSA describes four new CVEs affecting VMware vRealize Log Insight, reported by ZDI. Three of these CVEs can be combined to give an attacker remote code execution as root. This vulnerability is exploitable in the default configuration...
VMware vRealize Log Insight VMSA-2023-0001 IOCs
Introduction The recent VMware VMSA describes four new CVEs affecting VMware vRealize Log Insight. Three of these CVEs can be combined to give an attacker remote code execution as root. This vulnerability is exploitable in the default configuration for VMware vRealize...
ManageEngine CVE-2022-47966 Technical Deep Dive
Introduction On January 10, 2023, ManageEngine released a security advisory for CVE-2022-47966 (discovered by Khoadha of Viettel Cyber Security) affecting a wide range of products. The vulnerability allows an attacker to gain remote code execution by issuing a HTTP...
ManageEngine CVE-2022-47966 IOCs
Introduction The recent ManageEngine CVE-2022-47966 is a pre-authentication remote code execution vulnerability. Depending on the specific ManageEngine product, this vulnerability is exploitable if SAML single-sign-on is enabled or has ever been enabled. ManageEngine...
Insight – Horizon3.ai Annual Review Snapshot 2022
Over the past year, Horizon3.ai pentests revealed cybersecurity vulnerability trends across multiple industry sectors around the globe.
Get the Most From TrendMicro Apex One EDR with NodeZero
Learn how you can use NodeZero to get the Most From TrendMicro Apex One EDR, ensuring you stop, alert, log, and detect activity by bad actors.
Metrics That Matter: An Attacker’s Perspective on Assessing Password Policy
After compromising a Windows domain controller, one of the actions that NodeZero, our autonomous pentest product, performs is dumping all domain user password hashes from the Active Directory database. This is a common attacker technique, and the resulting dump is highly valuable to attackers. But did you know that this data is a great source of insight for defenders too?
Holiday Season Threat Awareness
As we approach the holiday season, it is important that our customers remain stay and continue a regular cadence of autonomous pentests. Although it’s the time of year for holiday cheer, we’ve seen cyber threat actors (CTAs) take advantage of lackadaisical company manning and low staff.
Verifying Credentialed Access to Your Hybrid Cloud Sprawl Matters More Than Ever
Verifying credentialed access to your hybrid cloud sprawl matters more than ever. See example attack paths to understand risks to AWS cloud.
OpenSSL Critical Vulnerability: Should You Be Spooked?
On Tuesday, October 25 a new OpenSSL hot-fix release was announced which will patch a critical vulnerability that exists within the v3.0.X branch. OpenSSL 3.0.7 will be released on Tuesday, November 1 and in tandem the details of the vulnerability and its associated...
The Undeniable Effectiveness of Password Spray
One of the most effective techniques NodeZero employs for initial access is password spray. It's a primitive technique, basically guessing passwords, and when it works it feels like magic. Yet we see it work time and time again in various pentests conducted by...
Secure Your Fortinet Appliances Across On-Prem, Cloud, and Hybrid Networks at Scale
Learn how to use NodeZero from Horizon3.ai to secure your Fortinet appliances across on-prem, cloud, and hybrid networks at scale.
FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)
Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiProxySwitchManager projects (CVE-2022-40684). This vulnerability gives an attacker the ability to login as an administrator on the effected system. To demonstrate the vulnerability in this writeup, we will be using FortiOS version 7.2.1
What is Zero Trust – and How NodeZero Can Help
Zero Trust. Everyone’s talking about it, but what does it truly mean, and how can you prove that your organization is using a Zero Trust model effectively?
FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass IOCs (CVE-2022-40684)
Introduction The recent FortiOS / FortiProxy / FortiSwitchManager CVE has been reportedly exploited in the wild. We would like to provide additional insight into the vulnerability so users can begin to determine if they have been compromised. In this post we discuss...
Are Your Kubernetes Clusters Configured Properly?
Researchers recently discovered some 900,000 Kubernetes clusters that were potentially exposed to malicious scans and data theft during a threat-hunting exercise.
An International Look at Cybercrime
Authoritarian regimes have learned in recent years that cybercrime can be a profitable economic enterprise – so much so that they continue to invest substantial resources in large- and small-scale cybercrime.
Beyond Password Issues: How NodeZero Found Access to an Organization’s Azure Cloud Environment
NodeZero is a generational leap beyond a traditional pentest – organizations often see that for themselves from the moment they give our autonomous pentesting platform a shot. NodeZero surfaces risks and weaknesses that would never have come up during a general...
One Weak Password Leads to Compromise
NodeZero, discovered a customer’s host that had not appeared in previous pentests due to a small change in their configuration.
The Long Tail of Log4Shell Exploitation
It’s been more than six months since the Log4Shell vulnerability (CVE-2021-44228) was disclosed, and a number of post-mortems have come out talking about lessons learned and ways to prevent the next Log4Shell-type event from happening.
CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus
CVE-2022-28219 is an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory. The vulnerability comprises several issues: untrusted Java deserialization,...
What Upcoming State Data Privacy Laws Mean for Businesses
A new privacy study has found that 60% of states are moving toward new privacy laws. Implementation at the state level is slow.