Kevin Beaumont

PAM provider Delinea, aka Thycotic, had a quiet 5 hour long disruption due to a security incident.

They now have maintenance running for their Secret Server product.

“An endpoint containing a security concern has been identified.”

HT to @matdef

#threatintel

Apr 13, 2024 at 8:51amWeb
Show threadKevin BeaumontApr 13, 2024
The So What is Delinea Secret Server holds user and system account credentials for orgs, it’s like CyberArk.
Show threadKevin BeaumontApr 13, 2024

Delinea have published IoCs for a security incident in Delinea Secret Server Cloud aka Thycotic. It’s behind a paywall. It’s a vulnerability in their SOAP implementation. No CVE has been assigned, presumably because cloud service. #threatintel

https://support.delinea.com/s/article/KB-010572-How-do-I-remediate-Secret-Server-in-reference-to-the-Secret-Server-SOAP-vulnerability

Show threadKevin BeaumontApr 13, 2024

Oh boy. Apparently things are not good at Delinea around Thycotic. I just checked and the cloud version appears to be patched for this - after security incident.

https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3

#threatintel

“All Your Secrets Are Belong To Us” — A Delinea Secret Server AuthN/AuthZ Bypass

Delinea Secret Server is a privileged access management (PAM) solution that helps organizations secure, manage, and monitor privileged accounts and access across their IT infrastructure. Accessing…

Medium
Show threadIan Towner Apr 13, 2024
@GossiTheDog not the sort of response you want from a PAM vendor…or any vendor tbh! Question is was it already being exploited…
Show threadfaebudoApr 13, 2024
@GossiTheDog Just.. ouch..
Show threadRené ☀️ Hoffmann Apr 14, 2024
@GossiTheDog The way, they handled the disclosure, was not very trustworthy, imho.
Show threadKevin JonesApr 13, 2024
@GossiTheDog wonder if it's related to https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3
“All Your Secrets Are Belong To Us” — A Delinea Secret Server AuthN/AuthZ Bypass

Delinea Secret Server is a privileged access management (PAM) solution that helps organizations secure, manage, and monitor privileged accounts and access across their IT infrastructure. Accessing…

Medium
Show threadÉmilio GonzalezApr 13, 2024
@GossiTheDog not affecting on-prem?
Show threadMatDefApr 13, 2024

@res260 @GossiTheDog On prem is affected: https://support.delinea.com/s/article/KB-010572-How-do-I-remediate-Secret-Server-in-reference-to-the-Secret-Server-SOAP-vulnerability

Edit: just realized that it's the same link as above, but can confirm that it contains mitigation instructions.

Show threadfaebudoApr 13, 2024
@matdef @res260 @GossiTheDog
There is some information in their "trust" center: https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3
Show threadQuentynApr 14, 2024
@GossiTheDog they dont also appear to be a CNA so unless they ask Mitre they cant issue a CVE themselves https://www.cve.org/PartnerInformation/ListofPartners
CVE Website

Show threadParade du Grotesque 💀Apr 13, 2024

@GossiTheDog

Noice. Not worrying at all, this one.

Show threadAlfaj0rApr 13, 2024
@GossiTheDog this is well timed… trying to get my Org out of SecretServer and into 1Password or BitWarden.
Show threadNobody ImportantApr 13, 2024
@GossiTheDog @matdef ‘Thycotic’ sounds like Sylvester Pussycat describing his mental health status.