Horizon3.ai introduced the NodeZero app for Splunk, available via Splunkbase. It enables Splunk environments to leverage NodeZero and the attacker’s perspective to improve the effectiveness of Splunk deployments and ensure they’re logging the right data to get the most out of Splunk.
The NodeZero app for Splunk can automate data pulls from NodeZero APIs which are then ingested into the Splunk Cloud Platform. The app will integrate with the Splunk user experience to help users:
- Find, fix, and verify logging blind spots
- Decide where to increase and decrease logging based on the criticality of the host
- Take inventory of assets and reconcile the attacker’s perspective of your cyber terrain
Splunk administrators are often under pressure to maximize their license value – it’s often impossible to log everything, so it’s hard to know if they are expending resources appropriately to ensure they’re logging the right data. NodeZero can help identify where logging is most needed, so that the organization’s resources are deployed for maximum impact.
NodeZero maintains an action log of every command it has executed during a pentest. The NodeZero App for Splunk offers insights to identify blind spots in logging and create a fast feedback loop to find, fix, and verify missing data by using the action log to highlight what should have been detected when particular exploits were executed.
Identifying critical hosts: Not all hosts are critical. Some are important enough to log everything, while others may not have access to sensitive data or critical systems and thus have fewer logging requirements. NodeZero is able to identify risk on specific hosts with context. For example, a “low” criticality server in the CMDB might have enabled an attack path where NodeZero ultimately achieved Domain Admin; NodeZero would dynamically reclassify this host as CRITICAL risk based on the proven attack path and impact during a pentest operation. It lets organizations leverage the attacker’s perspective provided by NodeZero to inform their Splunk logging strategy.
Revealing “ghost hosts” & shadow IT: NodeZero inventories every reachable host within the organization’s environment during a pentest. This can often easily reveal a blind spot: are all those hosts seen in Splunk Cloud Platform? Often organizations will find hosts they didn’t know existed, were unaware had been added, or even rogue devices that aren’t known to anyone (shadow IT). The app lets users reconcile NodeZero-discovered hosts with existing IT assets in Splunk – marrying the traditional and the attacker’s perspectives to achieve greater insight.
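The three reconciliations described above (action log versus ingested events, pentest-discovered hosts versus the asset inventory, and CMDB criticality versus proven attack paths) reduce to a windowed join and two set comparisons. The following is an added illustration, not code from Horizon3.ai, the NodeZero app, or Splunk; the record layouts, the field names and every record are constructed assumptions chosen only to show the logic.

```python
"""Reconcile a pentest action log and host inventory against what the SIEM
actually saw.  Added example; record layouts and all data are constructed
and are not the NodeZero API or Splunk formats."""
from datetime import datetime, timedelta

# Constructed: actions the pentest platform recorded (timestamp, host, action).
ACTION_LOG = [
    {"ts": "2023-01-30T10:00:00", "host": "10.0.0.5", "action": "ssh_login"},
    {"ts": "2023-01-30T10:05:00", "host": "10.0.0.7", "action": "smb_share_enum"},
    {"ts": "2023-01-30T10:09:00", "host": "10.0.0.9", "action": "kerberos_ticket_request"},
]

# Constructed: events the SIEM ingested for the same period.
SPLUNK_EVENTS = [
    {"ts": "2023-01-30T10:00:12", "host": "10.0.0.5", "sourcetype": "linux_secure"},
    {"ts": "2023-01-30T11:30:00", "host": "10.0.0.9", "sourcetype": "WinEventLog:Security"},
]

# Constructed: hosts the SOC already knows about (CMDB / asset list).
KNOWN_ASSETS = {"10.0.0.5", "10.0.0.9"}

# Constructed: CMDB criticality and the hosts on a proven path to Domain Admin.
CMDB_CRITICALITY = {"10.0.0.5": "low", "10.0.0.7": "medium", "10.0.0.9": "high"}
ATTACK_PATH_HOSTS = ["10.0.0.5", "10.0.0.9"]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_logging_blind_spots(action_log, events, window_seconds=300):
    """Return the actions for which the SIEM holds no event from the same host
    within window_seconds after the action ran.  An action with no nearby
    event is a logging blind spot: fix the data source, then re-verify on the
    next pentest."""
    window = timedelta(seconds=window_seconds)
    blind = []
    for act in action_log:
        t0 = _parse(act["ts"])
        seen = any(
            ev["host"] == act["host"] and t0 <= _parse(ev["ts"]) <= t0 + window
            for ev in events
        )
        if not seen:
            blind.append(act)
    return blind


def find_ghost_hosts(action_log, known_assets):
    """Hosts the pentest reached that are absent from the asset inventory
    (the 'ghost hosts' / shadow IT the text describes)."""
    discovered = {act["host"] for act in action_log}
    return sorted(discovered - set(known_assets))


def reclassify_by_attack_path(cmdb_criticality, attack_path_hosts):
    """Any host on a proven attack path is rated critical regardless of its
    CMDB rating; ratings of other hosts are left unchanged."""
    result = dict(cmdb_criticality)
    for host in attack_path_hosts:
        result[host] = "critical"
    return result


def build_report(action_log=ACTION_LOG, events=SPLUNK_EVENTS,
                 known_assets=KNOWN_ASSETS, cmdb=CMDB_CRITICALITY,
                 attack_path=ATTACK_PATH_HOSTS):
    """Bundle the three reconciliations so a SOC can review them together."""
    return {
        "blind_spots": find_logging_blind_spots(action_log, events),
        "ghost_hosts": find_ghost_hosts(action_log, known_assets),
        "criticality": reclassify_by_attack_path(cmdb, attack_path),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

With the constructed data, 10.0.0.7 shows up both as a blind spot (no events at all) and as a ghost host (absent from the asset list), while 10.0.0.9 is a blind spot only because its single event arrives well outside the five-minute window; in practice the window should be tuned to the ingestion delay of each data source.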
Horizon3.ai is also offering a free trial of the NodeZero App for Splunk.
Horizon3.ai Publishes POC & Deep Dive For VMware vRealize Log Insight RCE
Posted in Commentary with tags horizon3.ai on January 31, 2023 by itnerd
Horizon3.ai has just published “VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive” on the new CVEs affecting VMware vRealize Log Insight, which were reported by ZDI.
Three of these CVEs can be combined to give an attacker remote code execution as root, and the vulnerability is exploitable in the default configuration for VMware vRealize Log Insight. The Horizon3.ai team has successfully reproduced the exploit and would like to provide the technical details about how this vulnerability works. The team’s POC can be found on GitHub.
VMware vRealize Log Insight is used across enterprises to collect logs and provide analytics. This vulnerability poses moderate risk to organizations, allowing attackers initial access, if exposed to the internet, and the ability for lateral movement with any stored credentials. The Horizon3.ai Attack Team has published the data so users can determine if they have been compromised.
Horizon3.ai Exploit Developer James Horseman noted when issuing indicators of compromise: “This vulnerability is easy to exploit, however, it requires the attacker to have some infrastructure setup to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.
“This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”
VMware has released an advisory with patches and workarounds for these vulnerabilities, and the team urges all VMware users to heed the VMware advisory and patch or apply the workaround immediately.