State of Cybercrime

Ivanti Zero-Days

Episode Summary

CISA issued an emergency directive to mitigate Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities after learning of malware targeting the software company, allowing unauthenticated threat actors to access Ivanti VPNs and steal sensitive data. Join Matt, David, and Dvir to learn more about the Ivanti vuln and other cyber threats.

Episode Notes

CISA issued an emergency directive to mitigate Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities after learning of malware targeting the software company, allowing unauthenticated threat actors to access Ivanti VPNs and steal sensitive data. 

CISA is requiring all federal agencies to disconnect from affected Ivanti products by EOD February 2, 2024. The directive also warned that attackers had bypassed workarounds for current resolutions and detection methods. 

Join Matt, David, and Dvir to learn more about the Ivanti vuln and other cyber threats. 

OTHER BREAKING STORIES WE'LL COVER: 

• The latest ChatGPT news 

• Deepfakes… err breachfakes 

• Cloudflare's breach by suspected nation-state attacker 

• "Frog4Shell" spreading malware inside your network 

And more! 

 

More from Varonis ⬇️ Visit our website: https://www.varonis.com LinkedIn: https://www.linkedin.com/company/varonis X/Twitter: https://twitter.com/varonis Instagram: https://www.instagram.com/varonislife/

Episode Transcription

[00:00:00]

Matt Radolec: Hello, everybody, and welcome to another episode of State of Cybercrime. It is so exciting to be here today. My name is Matt Radolec, one of our hosts. I'm joined today by two of my esteemed colleagues from Varonis, co host David Gibson. Want to say hello, David? 

David Gibson: Hello. How are you doing, everybody? Hey, Matt.

Hey, Dvir. 

Matt Radolec: And yeah, we're also joined by a celebrity guest star from Varonis Threat Labs. Dvir, want to say hi, Dvir? 

Dvir Sason: Hi. Good morning. How's everyone? 

Matt Radolec: Awesome to be here today. Now, we always like to kick things [00:01:00] off with the icebreaker. Today I'm dialing in remotely from my home in Maryland.

What about you guys? 

David Gibson: I am in Connecticut. 

Dvir Sason: I'm in Tel Aviv. 

Matt Radolec: Hello from Maryland, Connecticut, and Tel Aviv. We'll see where some of our audience members are joining us from. We got Jersey City, Ohoho, New Mexico, Missouri, Phoenix, London, Liverpool, Austin, Wexford, San Diego, Richmond, Colorado, Delaware. It's pouring in.

Amsterdam, Salt Lake City, Houston, Texas. Can't keep up with them all. We thank you guys so much for tuning in today. 

Let's crack right into it. So we'll go through our usual segments today. We'll talk about whether or not there's any good news. We'll cover the happenings with AI. We'll jump on into the danger zone and talk about a couple of breaches you should be aware of.

We'll cover those vulnerable vulnerabilities, especially that zero day from Avanti, as well as make time, always make time at the end for Q& A from our audience. Feel free to use the chat or the Q& A throughout the show today and we'll do our best to respond.

[00:02:00] We always like to kick off the show by covering good news in cybersecurity, because oftentimes it's all doom and gloom. You hear about hacks, you hear about breaches, you hear about victims of various different types of cybercrime, and there is a lot of good news happening out there. In fact, I actually think we have a record number of good news stories today with three and a half, I'll say.

And I'll give you guys a teaser for something that we'll talk about later. 

Operation Ghost Town was an operation conducted by U. S. federal authorities that led to the successful takedown of a KV botnet from a KVM seller, which was a China linked VPN network who allegedly targeted small office and home office routers by providing reliable server hosting, RDP tools and VPNs to cybercriminals to conduct malicious activities.

Now this is another blow to cybercrime and hopefully sends a message that U. S. law enforcement will take down even the third party providers of [00:03:00] cybercriminals. 

David Gibson: Yeah, and, I thought this was interesting that the targeting of the SOHO routers. I was curious from our listeners, how many people actually use the router that comes with their internet provider?

Or do you replace it? Do you have another firewall behind that or do you just use what the internet provider gives you? 

Matt Radolec: Or you just plug it directly into the modem. 

David Gibson: I'm curious if people want to chat in what they do.

Matt Radolec: We got PFSense, Ordinet, Firewall, Purchasing My Own. PFSense is making a stay here, looks like it excites you. And for people that don't know what that is, Dvir, you want to tell people what PFSense is? 

Dvir Sason: PFSense is quite an awesome product, an open source product for running your own type of gateway with IDS, IPS. And again, protecting your network on the gateway level. 

There is also OPNSense, which is a combination between PFSense and Onion Security and raw, allowing you to have a [00:04:00] streamlined solution as an open source running Linux and yeah, simple as that..

Matt Radolec: Open source solution for homed events, and sounds like a few of our audience members are leveraging that.

Now, David, there was some crypto good news as well, if you wanted to tell our audience about that. 

David Gibson: Yeah, it's pretty interesting. We've had a couple of folks that were doing SIM swapping, which we should probably explain what that is. First guy is aptly named Daniel James Junk. And he got caught in April, it looks like, from what I read and he kept on doing his thing, and so was arrested again and has been sentenced. 

But SIM swapping, as I understand it, there are a couple ways. You can do a physical SIM swap, right? Take somebody's phone and then put in a different SIM there. But I think the way that they were doing it in this attack was actually to con a Verizon or an AT& into switching your number, right?

Yeah, the SIM testing. 

Matt Radolec: A couple of our audience have already chimed in that most people [00:05:00] don't even have that physical SIM anymore. I remember, I think it was maybe 10, 15 years ago, people were talking about how if you're at the bar and someone grabs your phone, they could swap your SIM card real quick and Venmo someone else, but I think largely that's been done away with.

David Gibson: Yeah, but anyway, once you get somebody, control of somebody's number with the SIM swap, then all of the stuff that uses your phone for MFA becomes then, not secure so he wasn't the only one that was busted for this. Florida man was also involved in this this guy Sosa, or he had an alias King Bob, was also arrested for this recently and the one interesting thing I learned from reading about this arrest was that in addition to stealing money and data, he also liked to collect unreleased recordings of rap songs, which are called Brails.

I've never heard of this, but apparently they can sell for 5 to 25k a track. Wow. Yeah, gave me some new ideas for my musical direction. 

Matt Radolec: And like we said before, record breaking three good news stories today. The Department of Justice arrested two suspects [00:06:00] in the hacking of more than 68, 000 DraftKings accounts, from hacks that dated all the way back to November of 2022.

DraftKings has refunded some number of hundreds of thousands of dollars to those nearly 68, 000 affected customers, and three parties were named, two of which were responsible for actually hacking the accounts, and then one person, which is who they sold the accounts to, and how they cashed out is they sent instructions to buyers or bettors, and telling them to add a new payment method and deposit 5. And then what would happen is they would then withdraw all the funds. Now, along with this news, hearing about what happened to DraftKings, another important thing to note is that the FBI has actually warned of more credential stuffing attacks on the horizon.

We covered one in our last episode around who's responsible in a credential stuffing attack. Is it the provider or is it the users? And the FBI warned that both FanDuel and Chick fil A are being targeted for credential stuffing attacks. 

David Gibson: It's two very different organizations [00:07:00] there, I would say, right?

Matt Radolec: Yeah, different motivations. Please don't come after the Nuggies, though. 

We kicked off a new segment, AI VEY, because, nobody's tired of hearing about AI. And you're probably all saying, oh, VEY to yourselves. We do have an interesting story to cover here. It's something that happened in Italy, if I want to remember correctly, David. 

David Gibson: Yeah, it looks like the data protection authority in Italy which is called Garante, I believe, if I'm saying that correctly, has found ChatGPT, they've actually been going back and forth for a while. They had a first suit last year. They said you're violating multiple articles of the GDPR, more recently they've re upped, and I think, it's raising some interesting questions, like who gave them the permission to scrape the internet, which does include personal data, and I think that the harm that it's calling out is that messages and payment information have been exposed.

And they're also talking about how ChatGPT [00:08:00] doesn't have a system to verify ages of users. Kids can ask questions and get answers that may not be appropriate for them. So I think it's going to be, it's an interesting tactic to take and some really tough questions, when people put data out on the internet, did they intend for an AI to be able to mine it?

I'm curious what folks think on this one. 

Matt Radolec: And all I have to say is, 

Niente piu robo per te. 

No robots for you, translated into Italian. 

And every episode when we're trying to find out things that are happening in AI and what we want to cover with you, it seems like every single week it's someone had some data spill in an unintended way due to the AI having too much access to too much information. So if there's one theme, and there were only two segments into the year so far, it's to think about the data that you're giving to AI as the data set to train it on, as it might just use it in a response.

David Gibson: Absolutely. 

Matt Radolec: Now, in our next segment, we'll cover some of the dangerous happenings that are going on in [00:09:00] cybersecurity, like big breaches and things that you should know. Now, one of the things that I thought was really interesting is the rise of this kind of fake breach, right? First, we had deep fakes where people who were impersonating other people.

And now we've got hackers purportedly putting out fake data and saying that they breached an organization. At least that's what looks to be the case after Europcar denies claims that a threat actor offered to sell data on 50 million of their customers on a hacking forum. And what Europcar is saying is that, to them at least, it's clear that artificial intelligence Was used due to some inconsistencies and some mismatches in the dataset.

On the other hand though, Troy Hunt doesn't necessarily think that might be the case. Not saying that the data's fake or real, but that AI usually produces more consistent results than what's found in this dataset. Like lots of non-existent usernames and non-existent addresses. And so when David and I were prepping for the show today I was just asking ChatGPT myself generate me a list [00:10:00] of usernames and fake addresses, and I got it back. So it's hard to say was this data made by AI? Is it real and just not a cleaned up database? Was it completely fabricated by the attackers? Because one thing's for sure, EuropCar is not the only one to cry fake breach.

Ars Technica did as well. And so I guess, only time's going to tell who the real hackers are and who the real victims are. But I think one thing is for sure. We know all attacks, fake or not, are going after data. 

David Gibson: Yeah, absolutely. And I have to give whatever Troy says a good look because he's he's usually right about a lot of stuff.

It's interesting in this one, but it's going to be really hard to tell as AI gets better. I think it's going to be very hard to tell a real breach from a fake

Matt Radolec: breach.

Now, that wasn't the only dangerous things going on. I feel like we talk about Log4Shell either every episode or every other episode since about 2021.

What's happening with FritzFrog? 

David Gibson: We have a Frog4Shell now, right? So even better. This if I'm understanding this correctly, there were a lot of Log4Shell instances internal to environments that [00:11:00] were not patched. And the initial scramble was to make sure that we patched everything that was externally facing and got that vulnerability You know, mitigate it to some extent, but I think a lot of people, maybe deprioritize patching the internal server.

So we've got some new malware that looks for vulnerable Log4j instances inside and then uses that to install a new rootkit, I think it was HomeKit is what gets installed there. If Frog4shell finds a vulnerable server internally once something lands. 

Matt Radolec: Got it. Now, I've got a frog one for you, David.

And our audience can participate in this one, too. How deep can a frog swim?

Anybody want to guess? I got it. Are you guys ready? Knee deep, knee deep, knee deep, Knee deep. That was a knee deep incident right there. 

David Gibson: You got me, man. That sounds right up my alley. 

Matt Radolec: Let's think back to what we were doing on Thanksgiving Day, 2023. Because for Cloudflare, it [00:12:00] wasn't necessarily the best day, although maybe this is good news. We'll let you guys decide.

There was a threat actor that was detected on Cloudflare's Atlassian server, and it looks like they took a pretty near immediate response and assured their customers that no data was impacted. Round or about November 15th threat actors gained initial access to Cloudflare's Okta targeting IT and application employees for user compromise after landing at Okta they use that to pivot to script runner for Jira, which would allow them to gain lateral movement, gain additional access in the environment. Somewhere along the way though, they got picked up by, by CrowdStrike and they. They put their CodeRed security response training into action.

What happened there is they rotated thousands of credentials, removed command and control channels, and rebooted machines. And so this makes me think that this is really a good news story, because data wasn't impacted, but also because it looks like that they've prepared for this moment. Makes me want to ask our audience a question, how many orgs that are [00:13:00] attending today have some type of CodeRed or some type of major incident response plan in that they've at least practiced or written down on paper that if something like what happened to CloudFlare happened to you, you'd be able to rotate 5000 credentials and remove command and control servers and reboot machines in as little as an evening.

David Gibson: That's pretty impressive. I can see why this might be the half good news.

Matt Radolec: It's the half good news, right? Because they had an event, but they are being pretty transparent about it, and it seems like no customer data was impacted. 

David Gibson: Yeah, and if data isn't breached it's, it's hard to say there was lasting damage there.

It's like if you're going to anticipate somebody's going to get phished, an account is going to get compromised, They're going to have a vulnerable server that's internet facing. This is what's next, how do you detect it, make sure you can stop it before data is accessed.

Matt Radolec: Now, you guys might be wondering, why did we bring the head of Varonis Threat Labs, our threat research arm, today? It's to talk about [00:14:00] vulnerability and a technology called Ivanti. Dvir, do you want to tell us about what's going on here and why this has surfaced up? 

Dvir Sason: Sure thing. Ivanti is quite a large vendor being able to basically, Having different sorts of products from MDM, mobile device management, and VPNs and whatnot.

And Ivanti has been targeted for quite a while in the sense of different vulnerabilities being found on their own platforms. Now with regards to Threat Actors that target specific platforms, we've seen it all the time. We've seen like Citrix VPN being targeted continuously, and Citrix releasing new patches and whatnot.

And we need to remember that from these core components of organizations, from MDM and VPNs, Threat Actors are able to pivot into the organization and perform lateral movement. And this is exactly what we saw over here. Through a game of whack a mole, Threat Actors, specifically [00:15:00] unknown and uncategorized 5.

2. 2. 1 channeling Threat Actors, started exploiting Ivanti VPN in the wild, while not only exploiting it for quite a while, but also bypassing the mitigations that were employed by Ivanti itself. which is again, a game of whack a mole, because it shows the persistency of that specific group, showing value in targeting that specific platform, and continuously abusing and trying to get access to it.

Now, basically, by trying to chain several vulnerabilities together, they were able not only to control that specific appliance, but to pivot inside the organization. Like using, of course, scripts, but also to impact it in a very short time. 

Matt Radolec: And, Dvir, just a quick shout out to, I think it was Google owned Mandiant that originally broke the news about that.[00:16:00]

And you wanted to tell people a little bit more about how it works. 

Dvir Sason: Exactly. With regards to SSRF. SSRF is server side request forgery. It's like making a service work for you, being controlled remotely, but without being able to fully send commands. It's not like you're running your terminal and you send your commands and that's it, you're in full control.

It's like semi control in that sense. So with regards to the main vulnerabilities that were used. It seems that Ivanti used a specific, vulnerable XML library to parse XML files, and in that sense The threat actors were able to send a crafted payload. In that sense of hey front end, please go to the back end and send that command.

So that's how SSRF works. Basically, telling the front end, the part that you communicate with, to go to the back end, to the real server side, and [00:17:00] perform commands or actions on your behalf. Now, chained together and going into One level above the threat actors were able to craft a specific payload to not only perform actions from the front end to the back end, but also tell the back end to connect back to the threat actor.

And this is exactly what we see over here. The payload is actually a Python script obfuscated in a very unsophisticated payload within an XML file, and you can see on the terminal from the left, a CURL command saying here's the path I'm trying to access with, and posting that specific data.

And from that moment on, not only the back end actually connects back to the attackers, it's running on root, and this is exactly what you can see on the right terminal. Now, from that moment on, the Threat Actors, the Chinese linked threat group, was attempting to exploit a mass amount of machines worldwide and of course, exploit [00:18:00] The most, I think, the fastest way to exploit an Active Directory.

Back in 2021, there was a very unsophisticated payload that allowed a threat actor to gain full domain admin privileges by simply adding a new machine account to the organization and impersonating as a DC. And that caused a KDC confusion, that's something that was patched, and if any organization was indeed vulnerable to that, and of course the event vulnerabilities, they were compromised in seconds.

And currently there's a huge effort by threat actors worldwide, to target and compromise Ivanti machines, so much that not only Ivanti has been working tirelessly to release mitigations and patches and whatnot, but also CISA, as we're all aware, we released a bulletin that is something that, personally speaking, as a professional, I haven't seen for quite a while, I think even ever, to immediately disconnect [00:19:00] any Ivanti appliances from federal agencies being used.

That's how I think, critical CISA sees that. In terms of Ivanti's. 

Matt Radolec: Yeah, and Dvir, if I could just interrupt for a second, I just want to emphasize for our audience a point you just made. It's so rare that we see an emergency directive get issued by CISA, and for an emergency directive to get issued, and I think it was Friday morning, that by the end of the day Friday, you must disconnect all Ivanti products, it sounds like a SolarWinds level type of a response. 

Absolutely. Absolutely. 

We have an old breach here, but I remember organizations thinking about having to unplug their network management appliances back in 2019 or 2020. And now we're seeing the CISA tell federal agencies not to do it.

And where are we today? I believe that the patches were released, but they're found to not be sufficient in fixing it. 

Dvir Sason: Exactly. So I can tell you from my personal standpoint point of view. We're [00:20:00] working closely with the Israeli National CERT, and for my colleagues, the amount of phone calls that he got for the past three weeks to patch and continuously patch, and not only to patch it seems that the patches were useless, and there were bulletins also over here in Israel that mitigations are currently not working well.

I believe that the latest mitigation was in fact, valid, but I think Based on everything that's going on, that's a very rare case of immediately disconnect everything, do not use that until solution is found. I think that is just insane, and I haven't seen that. In my career, to be honest.

Matt Radolec: Yeah, Same. And we got one, one question that came in from one of our audience members, which was they believe Ivanti advised to do a full reset on the devices before applying the patches as well, right? 

Dvir Sason: Yeah, that's correct. And that's due to the fact that CISA believed that Threat Actors were, in fact controlling that appliance.

And the recommendation was to hunt for any [00:21:00] IOCs, for any specific files or web shells being used by the threat actors by this Chinese link group, specifically allowing them to maintain control of the appliance even after the patch itself. Now it is what it is a full reset and of course, apply patches 

Matt Radolec: and whatnot.

Wow. 

Stay tuned. I'm sure we'll have more to say about Avanti and the fallout from this Zero Day in the weeks to come. 

Another question came in from Charles. Wasn't the initial attack or the foot in the door via an insecure API? Yes, that's correct. 

Dvir Sason: In couple of the vulnerabilities themselves there was a bypass to the authentication mechanism allowing to access the API directly. I think we saw it with other vendors as well in the past that certain APIs were not protected as well and allowing threat actors to remotely control them or send commands. Yeah, thanks 

Matt Radolec: And I don't see any other questions from our audience yet. We'll just give you guys another 30 seconds or so to answer that poll and [00:22:00] ask us anything that you guys might want to.

Otherwise, we'll wrap things up with the usual thanks for being here. State of Cybercrime is made possible by you, our audience, as well as you, David, Dvir, and all of our production teams. So thanks production team and co hosts. We really appreciate you being here today and tuning in to another episode of State of Cybercrime.

Thank you so much. 

David Gibson: Thanks everybody.

.