Paul Rascagneres

1.6K Followers
561 Following
336 Posts
Lord of Loaders @volexity
Website: http://www.r00ted.com

Last week, we shared details concerning a threat actor (UTA0178) exploiting #Ivanti Connect Secure 0-days. Initially, few devices were compromised. Since Thursday, the exploitation has gone global. We identified over 1700 compromised appliances in the world.

All sectors are affected: small and big organizations, private and public sectors. If you haven't already done so, apply the mitigation provided by the vendor. Run the integrity checker tool to check whether you have any mismatches... More details: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

#threatintel #threatintelligence

Ivanti Connect Secure VPN Exploitation Goes Global

On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.

Volexity

At the end of last year, we worked on an incident response where a TA exploited two 0-days to compromise Ivanti Connect Secure (previously Pulse Connect Secure).

The first vulnerability (CVE-2023-46805) was abused to bypass the authentication. The second vulnerability (CVE-2024-21887) was used to execute commands on the device.

The TA remounted the filesystem to enable write permissions. Then, the attackers modified an existing JavaScript file and deployed two webshells.

They modified lastauthserverused.js, a script that is legitimately used on the logon page. The modification exfiltrates the username and the password. The two webshells use the HTTP request parameters to execute code.

Takeaways: monitor your network (outbound connections via curl were performed on multiple occasions), check your logs (store your logs outside of the appliance via syslog), use the built-in integrity checker tool.
More details & IOCs in our blog post: https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

#Threatintel #Threatintelligence #Ivanti

Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN

Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN appliances. An official security advisory and knowledge base article have been released by Ivanti that include a mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach.

Volexity
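
One way to do what the two posts above recommend (compare the appliance's files against a known-good baseline and look for mismatches), as an added Python example that is not Volexity's or Ivanti's integrity checker: it hashes a directory tree, stores the baseline as JSON (which should live off the appliance, like the syslog copy of the logs), and reports modified, added and missing files. The directory layout, the `auth/lastauthserverused.js` path and all file contents are constructed for the demo.

```python
"""Added example, not Volexity's or Ivanti's tooling: a minimal file-integrity
baseline/verify routine in the spirit of 'run the integrity checker and look for
mismatches'. All paths and file contents below are constructed for the demo."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline.

    Three kinds of mismatch matter to a responder: a known file whose content
    changed (a modified legitimate script), a file the baseline never had
    (a dropped file), and a file that disappeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth").mkdir()
        script = root / "auth" / "lastauthserverused.js"
        script.write_text("// constructed stand-in for the legitimate logon script\n")
        (root / "index.html").write_text("<html></html>\n")

        # Take the baseline while the tree is known-good, and keep it off-box:
        # a baseline stored on the appliance can be edited along with the files.
        baseline_json = json.dumps(build_baseline(root), indent=2)

        # Simulated tampering (constructed): the legitimate script is appended to,
        # and a file the baseline has never seen appears next to it.
        script.write_text(script.read_text() + "// constructed: unauthorised edit\n")
        (root / "auth" / "unexpected.cgi").write_text("constructed new file\n")

        return verify_against_baseline(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only tells you that something differs from the baseline; which files are expected to change between appliance updates is a question for the vendor's tool and documentation, so treat any mismatch in a logon script or an unexpected new file as something to investigate rather than explain away.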

10 months ago, I bought a regular bike to replace my ebike. I set myself one goal: 1000 km in 1 year. Today, 2 months before the deadline, I did my 1000 km \o/

If you missed it yesterday, Microsoft released an advisory concerning CVE-2023-36884: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884. This RCE is currently used by a TA and there is no patch. You should apply the mitigation described in the advisory.

With @tlansec, we suspected a 0-day and notified MS a few days ago. The infection chain was insane... Instead of an endless explanation, you can check this graphic.

The final stage was a malware we named PEAPOD. It shares similarities with RomCom RAT such as COM object hijacking, the string obfuscation logic, and the C2 channel protocols (ICMP/socket/HTTP). But the malware core and the final stage are different. PEAPOD works with two libraries: 1 stored on disk (you should monitor what happens inside %PUBLIC%) and 1 stored in the registry. They are loaded in memory and communicate with each other via a named pipe.

Security Update Guide - Microsoft Security Response Center

Today, you can find my first EP on all streaming platforms: "The Traveling Stems" by RootBSD.
I'm so glad I managed to achieve this project. I made 7 tracks to finally select my 5 favorites. I hope you will enjoy them.

I spent some time working on #AVBurner, a post-exploitation tool used by #SnakeCharmer (aka "Earth Longzhi" by #trendmicro). This tool disables kernel callbacks. With my colleagues from @volexity, we wrote a small blog post explaining how it works, but also how to detect kernel callback manipulation by using #volatility. As #volshell supports MS symbols, we are able to parse in-memory kernel objects. More details here: https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/

Using Memory Analysis to Detect EDR-Nullifying Malware | Volexity

#noel is fast approaching... And the book I co-wrote with @Sebdraven has just arrived in bookstores...

I'm offering 3 copies to 3 students. If you are a student and would like to receive it at home, come see me in DM. First come, first served.

(and since I'm suspicious by nature, show me a proof of identity in your name ;) )

#tips of the day: when #reverseengineering with #x64dbg, you can automatically break on the next call. Go to "Tracing" -> "Trace Over" (or Ctrl+Alt+F8) and in the break condition put "dis.iscall(EIP)". It will automatically break at the next call.

You can also directly use this command line: "TraceOverConditional dis.iscall(EIP)" and press arrow up + Enter to go from call to call...

Something I often use is this command line: "TraceOverConditional dis.iscall(EIP) || dis.isret(EIP)" and the debugger will stop at each call or ret. Nice if you want to quickly look at the API calls without losing control ;)

Replace EIP by RIP in x64.

Today the fourth edition of my book on malware analysis is released by ENI. What's new: a co-author (@Sebdraven), #ghidra, #rizin, #cutter, #x64dbg... But above all, a brand new chapter dedicated to Threat Intelligence (with #MISP, #yeti, etc.).

The full table of contents is available here: https://www.editions-eni.fr/livre/cybersecurite-et-malwares-detection-analyse-et-threat-intelligence-4e-edition-9782409038105

Book: Cybersécurité et Malwares - Détection, analyse et Threat Intelligence (4th edition)

This book describes the techniques and methodology used by malware analysis professionals (or software

Google released a new post about an Internet Explorer #0day exploited by #APT37. Yes, IE is still a thing. More details here: https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
And they even mention our previous work on this TA. #cti #threatintel

Internet Explorer 0-day exploited by North Korean actor APT37

Google’s Threat Analysis Group describes a new 0-day vulnerability attributed to North Korean government-backed actors known as APT37.

Google