Archive for horizon3.ai

New Horizon3.ai survey of U.K. finds 70% of companies hit by cyberattack in last 2 years

Posted in Commentary with tags on November 25, 2024 by itnerd

70 percent of companies in the UK have fallen victim to a cyberattack at least once in the past two years. This is according to the “Cyber Security Report UK 2024/25” by security firm Horizon3.ai.

For the report, a sample of 100 UK-based companies was surveyed. According to the findings, 53 percent of companies reported a specific incident of damage. 16 percent detected a hacker attack but claimed to have successfully defended against it. 23 percent of the companies contacted by Horizon3.ai were unsure whether they had been the victim of a cyberattack in the past 24 months. Only 8 percent of companies stated, “We are certain that we were not attacked.”

Nearly Half of Companies Targeted by Two or More Cyberattacks

Nearly half of the companies (44 percent) were targeted by a cyberattack twice or more during the two-year period examined, according to the “Cyber Security Report UK 2024/2025.”

Downtime, Financial Losses, Legal Consequences, and Data Theft

According to the “Cyber Security Report DACH 2024/2025,” 62 percent of the surveyed organisations experienced downtime due to a cyberattack over the two-year period examined. 42 percent (multiple answers were allowed) suffered financial losses as a result. 15 percent faced legal consequences, while data theft occurred in 35 percent of cases. Alarmingly, 54 percent of companies received a ransom demand to recover data encrypted by hackers.

Key Executives’ Lack of Understanding of Risks and Their Personal and Corporate Impact

The participants selected for the survey predominantly hold responsible positions within their companies: IT team leaders (21 percent), Chief Information Security Officers (18 percent), Chief Technology Officers (14 percent), Chief Information Officers, and IT Managers (12 percent each). “According to the survey, more than half of the executives who would be personally affected in the event of a cyber incident do not believe they could be held liable for potential damage,” says Keith Poyser, highlighting the lack of understanding among key executives about the risks and their potential personal and corporate impact.

The cybersecurity expert warns: “Organisations must urgently step up their efforts on cybersecurity. With artificial intelligence driving increasingly rapid and aggressive cyberattacks, and the growing use of remote work and the increase of Internet of Things (IoT) devices being connected to corporate networks, the opportunities for threat actors are expanding. The gap between the growing threats and the level of protection organisations have in place is widening at an alarming rate.”

Cybersecurity Under Threat: New Study Exposes ‘Security Chaos’: https://www.presseportal.de/en/pm/163532/5915975

Horizon3.ai Launches NodeZero For Kubernetes

Posted in Commentary with tags on November 12, 2024 by itnerd

Horizon3.ai announced the release of NodeZero Kubernetes Pentesting, a powerful new capability available to all NodeZero users. Designed to deploy directly within Kubernetes clusters, this solution equips organizations with the unique ability to identify and exploit vulnerabilities from an attacker’s perspective, uncovering weaknesses that could jeopardize entire infrastructures.

Kubernetes has become foundational to modern environments, offering flexibility to scale containerized applications. However, as adoption of managed Kubernetes distributions like AWS Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), and Azure Kubernetes Service (AKS) grows, the risks from complex and distribution-specific weaknesses increase as well. NodeZero’s offensive approach prioritizes real-time security testing at the runtime level, revealing the “blast radius” attackers could achieve by chaining Kubernetes-specific vulnerabilities with cloud and on-premises infrastructure weaknesses.

NodeZero Kubernetes Pentesting differentiates itself through advanced runtime security testing and ease of deployment, allowing organizations to achieve the continuous security assurance demanded by today’s threat landscape. Unlike traditional security tools focused on compliance or control plane analysis, NodeZero tests in real time, uncovering vulnerabilities like container escapes and RBAC misconfigurations that attackers exploit to move laterally, escalate privileges, and compromise underlying infrastructures.

The release underscores a shift in cybersecurity toward offensive-based assessments that employ adversarial techniques. Traditional compliance-driven assessments often miss critical gaps that attackers could exploit, leaving organizations exposed. With NodeZero’s use of real-world tactics, techniques, and procedures (TTPs) that mimic attacker behavior within Kubernetes environments, security teams can prioritize the most pressing threats and address exploitable vulnerabilities before they become gateways for adversaries.

Designed for any Kubernetes distribution, including EKS, GKE, and AKS, NodeZero’s pentesting capabilities provide advanced protection across both cloud and on-premises clusters. This solution underscores Horizon3.ai’s commitment to proactive, high-impact cybersecurity innovation, helping organizations navigate and secure the complexities of Kubernetes at scale.

Horizon3.ai Named to the 2025 Fortune Cyber 60 For The Second Consecutive Year

Posted in Commentary with tags on October 30, 2024 by itnerd

Horizon3.ai, a leader in autonomous security solutions, is honored to announce its second consecutive inclusion in the Fortune Cyber 60, presented by Lightspeed. This recognition underscores the company’s continued innovation and influence in the cybersecurity industry. The Fortune Cyber 60 acknowledges the top venture-backed startups delivering enterprise-grade cybersecurity solutions, with Horizon3.ai remaining the only provider of a fully autonomous penetration testing and threat detection platform, NodeZero™.

At the heart of Horizon3.ai’s success is the NodeZero Autonomous Security Platform, which enables organizations to continuously identify, remediate, and validate exploitable vulnerabilities. By using real-world attackers’ tactics, techniques, and procedures (TTPs), NodeZero offers the most comprehensive view of exploitable attack paths, empowering organizations to strengthen their defenses. The platform integrates threat detection, autonomous pentesting, third-party risk management, and governance, risk, and compliance insights, providing organizations with the tools they need to maintain a resilient cybersecurity posture.

So far in 2024, Horizon3.ai has introduced several groundbreaking capabilities that further solidified its position as a pioneer in offensive cybersecurity. These advancements include:

  • NodeZero Tripwires™ – Deploys proactive deception mechanisms that detect attacker activity early, diverting them to decoys and exposing their tactics.
  • Cloud Penetration Testing – Automated vulnerability detection in cloud environments like AWS and Azure, securing critical cloud assets.
  • Rapid Response Service – Provides real-time intelligence on new vulnerabilities, enabling swift responses to zero-day and N-day threats.
  • Phishing Impact Testing – Simulates potential damage from compromised credentials, offering a realistic assessment of organizational risk.

Horizon3.ai’s inclusion in the Fortune Cyber 60 underscores its impressive growth, marked by a 15x revenue increase over the past three years, a customer base of over 2,000, more than 80,000 tests conducted within production networks, and over 1.3 million impacts resulting from discovered exploitable attack paths in real-world environments. Organizations spanning 60+ industries across 30 countries rely on NodeZero to verify and fortify their security continuously.

Palo Alto Expedition: From N-Day to ATO, Full Compromise Says Horizon3.ai

Posted in Commentary with tags on October 9, 2024 by itnerd

Horizon3.ai Chief Attack Engineer Zach Hanley has just published “Palo Alto Expedition: From N-Day to Full Compromise.”

Zach notes: “On July 10, 2024, Palo Alto released a security advisory for CVE-2024-5910, a vulnerability which allowed attackers to remotely reset the Expedition application admin credentials. While we had never heard of the Expedition application before, it’s advertised as:

The purpose of this tool is to help reduce the time and efforts of migrating a configuration from a supported vendor to Palo Alto Networks. By using Expedition, everyone can convert a configuration from Checkpoint, Cisco, or any other vendor to a PAN-OS and give you more time to improve the results.

“Further reading the documentation, it became clear that this application might have more attacker value than initially expected. The Expedition application is deployed on Ubuntu server, interacted with via a web service, and users remotely integrate vendor devices by adding each system’s credentials.”

Today’s blog details finding CVE-2024-5910, and also how Zach and his team discovered three additional vulnerabilities which they reported to Palo Alto:

  • CVE-2024-9464: Authenticated Command Injection
  • CVE-2024-9465: Unauthenticated SQL Injection
  • CVE-2024-9466: Cleartext Credentials in Logs

The blog post also includes indicators of compromise (IoCs) for the vulnerabilities.

Horizon3.ai adheres strictly to responsible disclosure of its research, and the disclosure timeline is noted in today’s blog, which you can read here.

Horizon3.ai Publishes Deep Dive On A SolarWinds Web Help Desk Hardcoded Credential Vulnerability

Posted in Commentary with tags on September 25, 2024 by itnerd

Horizon3.ai Chief Attack Engineer Zach Hanley has just published “CVE-2024-28987: SolarWinds Web Help Desk Hardcoded Credential Vulnerability Deep-Dive.” He details “a hardcoded credentials vuln affecting SolarWinds Web Help Desk. It allows attackers to read all help desk tickets, often containing sensitive IT procedures including user onboarding, password resets and shared resource credentials.”

On August 13, 2024, SolarWinds released a security advisory for Web Help Desk (WHD) that detailed a deserialization remote code execution vulnerability. This vulnerability, CVE-2024-28986, was added to CISA’s Known Exploited Vulnerability (KEV) catalog two days later on August 15, 2024.

The advisory states: SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.

While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Zach said: “While we initially went in looking for the above vulnerability, we discovered a different vulnerability, now assigned CVE-2024-28987, which allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset requests and shared service account credentials.

“At the time of writing this, there are approximately 827 instances of SolarWinds Web Help Desk reachable on the internet. The WHD application is seemingly popular with the State, Local, and Education (SLED) market segment according to a brief examination of those that expose it to the internet and our own client base.”

Horizon3.ai is publishing the deep dive today (September 25, 2024), having provided SolarWinds more than 30 days’ notice (on August 13, 2024), allowing the SolarWinds team to discover and patch the vulnerability. This is in keeping with Horizon3.ai’s practices to decrease the likelihood of exploitation and protect users.

Keith Poyser Appointed as Vice President for EMEA at Horizon3.ai

Posted in Commentary with tags on September 25, 2024 by itnerd

Horizon3.ai today announced the appointment of Keith Poyser as Vice President for EMEA. Poyser brings more than 25 years of experience in driving sales growth, strategy, and business development in leading cybersecurity and technology firms. He joins Horizon3.ai at a time of significant market expansion as the company continues to deliver its cutting-edge solution, NodeZero™, to organizations worldwide.

Poyser has built an impressive career in the technology sector, holding key leadership roles at organizations like SentinelOne, Palo Alto Networks, BigFix, and IBM. With a proven track record of building and revamping sales teams, developing go-to-market strategies, and driving sustained growth, Poyser is well-positioned to lead Horizon3.ai’s expansion efforts across the EMEA region.

Poyser’s leadership will focus on strategic talent development, refining go-to-market strategies, operational excellence, and expanding partnerships across key verticals and regions. He emphasizes the importance of efficient resource management and delivering value to clients as Horizon3.ai continues to help organizations address today’s most pressing cybersecurity challenges.

Poyser’s prior roles include leadership positions at SentinelOne, where he served as Area Vice President for Northern EMEA, and Palo Alto Networks, where he led Enterprise Sales and then served as Interim Vice President for Western Europe. His wealth of experience includes leading teams through periods of rapid growth, driving sales excellence, and consistently exceeding performance targets.

With his deep understanding of the EMEA market, Poyser is ready to lead the company’s next phase of expansion. Outside of work, Poyser, who is based just outside of London, enjoys the outdoors and is an accomplished long-range rifle competitor, having represented the UK internationally.

Nicholas Warner Joins Horizon3.ai as Independent Board Director

Posted in Commentary with tags on September 19, 2024 by itnerd

Horizon3.ai, a global leader in autonomous security, announces that Nicholas Warner has joined its board as an Independent Director. Warner brings over two decades of cybersecurity experience, marked by a proven track record in scaling companies and driving hyper-growth. As COO, he played an instrumental role in propelling SentinelOne from $1 million to over $500 million in annual recurring revenue (ARR) and overseeing its public offering in what was the largest cybersecurity IPO in history.

Prior to SentinelOne, Warner served as Worldwide VP of Sales at Cylance, where he was pivotal in growing the company’s sales from zero to over $200 million in under three years. His exceptional leadership in developing go-to-market strategies and operational execution has cemented his reputation as a trusted authority in the cybersecurity industry.

Warner’s extensive career also includes leadership positions at McAfee and Forcepoint, where he drove significant regional and global sales initiatives. His deep operational insight, coupled with his understanding of today’s evolving threat landscape, will further bolster Horizon3.ai’s mission to help organizations proactively manage and mitigate cybersecurity risks.

As companies face growing challenges in staying secure, assessing risk, and maintaining compliance, traditional security methods often fall short. The NodeZero™ platform, with its expanding capabilities now covering cloud and hybrid environments, is transforming how businesses tackle security issues by identifying their most critical risks in real time. With Nick joining Horizon3.ai’s board, his expertise will help drive product innovation and further fuel company growth, empowering organizations to proactively manage their security posture, streamline compliance, and address risks more effectively than ever before.

Warner’s appointment underscores Horizon3.ai’s commitment to strengthening its leadership team with industry veterans who can guide the company’s rapid growth and help shape the future of autonomous cybersecurity solutions.

Horizon3.ai Publishes Details On An Ivanti Cloud Services Appliance Vulnerability

Posted in Commentary with tags on September 16, 2024 by itnerd

Horizon3.ai Chief Attack Engineer Zach Hanley has just published “CVE-2024-8190: Investigating CISA KEV Ivanti Cloud Service Appliance Command Injection Vulnerability.”

Ivanti’s advisory reads: Ivanti has released a security update for Ivanti CSA 4.6 which addresses a high severity vulnerability. Successful exploitation could lead to unauthorized access to the device running the CSA. Dual-homed CSA configurations with ETH-0 as an internal network, as recommended by Ivanti, are at a significantly reduced risk of exploitation.

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

Zach said: “The description definitely sounds like it may have the opportunity for accidental exposure given the details around misconfigurations of the external versus internal interfaces.”

His investigation details how Zach and his team put the pieces together to achieve a command injection exploit, and examines Ivanti’s configuration guidance for insight into how some of its clients were being exploited in the wild. Zach’s post also includes indicators of compromise.

Links:

CVE-2024-8190: Investigating CISA KEV Ivanti Cloud Service Appliance Command Injection Vulnerability: https://www.horizon3.ai/attack-research/cisa-kev-cve-2024-8190-ivanti-csa-command-injection/

Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190): https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190?language=en_US

CISA KEV – Ivanti Cloud Services Appliance OS Command Injection Vulnerability: https://www.cisa.gov/news-events/alerts/2024/09/13/cisa-adds-one-known-exploited-vulnerability-catalog

Horizon3.ai Releases A Deep Dive On An Ivanti Vulnerability

Posted in Commentary with tags on September 14, 2024 by itnerd

Horizon3.ai Exploit Developer James Horseman has just published “CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability” and posted a proof of concept exploit.

“Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability. Our POC can be found here. We would like to credit @SinSinology with the discovery of this vulnerability.”

In addition to his detailed examination of the vulnerability and the vulnerability proof of concept, James also looks at the two main fixes he found in the patched version of EPM, and offers some caveats.

CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability: https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-dive-ivanti-endpoint-manager-agentportal-deserialization-of-untrusted-data-remote-code-execution-vulnerability/

Unveiling NodeZero Tripwires: Horizon3.ai Enhances Penetration Testing with Integrated Threat Detection

Posted in Commentary with tags on September 10, 2024 by itnerd

Horizon3.ai, a global leader in autonomous security solutions, today unveiled NodeZero Tripwires, an addition to its product suite that integrates attack detection directly into the penetration testing process. This first-of-its-kind solution combines deception and detection technologies within NodeZero autonomous pentests to identify unauthorized access and malicious activities in real time. By providing a precision-placed early warning system on exploitable attack paths during a pentest, NodeZero Tripwires significantly enhances organizational security posture and effectively disrupts potential attackers.

Introducing a New Era in Cybersecurity

In a world where network breaches, ransom demands, and data exfiltration are becoming increasingly common, traditional security measures are proving inadequate against today’s attackers. Existing cyber deception tools often rely on vast rule libraries and scripts, randomly scatter decoys like honeytokens across the network, and frequently produce false positives that burden security teams with unnecessary alerts.

NodeZero Tripwires represents a radical departure from these outdated methods by autonomously deploying the solution as part of the penetration testing process. During a pentest, NodeZero strategically places decoys—such as fake files and credentials—based on the exploitable attack paths it discovers. If a malicious actor interacts with a tripwire, an immediate alert is sent from NodeZero to security teams, enabling rapid response and containment of the threat.

This approach is akin to identifying areas in your home that are likely paths an intruder would take, then placing motion detectors in those deemed high-risk. This ensures that if a real intruder attempts a break-in, you’ll be immediately notified.
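To make the tripwire idea concrete from the defender’s side, here is an added example (not NodeZero code, and not part of the original post): a decoy credential and a decoy file are registered with the attack path they guard, and a small detector scans constructed auth and file-access log lines, raising an alert on any line that touches a decoy, since no legitimate process should ever use one. The decoy names, paths, hosts and addresses are all hypothetical.

```python
"""Minimal honeytoken ("tripwire") detector over constructed log lines.

Added example, not Horizon3.ai code. Decoys are registered with a label
describing the exploitable attack path they were placed on, so an alert
tells the analyst both what was touched and why it mattered.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Decoy:
    kind: str         # "credential" or "file"
    value: str        # username or path (hypothetical values)
    attack_path: str  # why the decoy was placed here, for the analyst


# Hypothetical decoys placed after a pentest found these paths exploitable.
DECOYS = [
    Decoy("credential", "svc-backup-legacy",
          "SMB share -> backup server credential reuse"),
    Decoy("file", "/srv/shares/finance/passwords.xlsx",
          "open finance share reachable from guest VLAN"),
]

# Constructed sample lines: sshd-style auth events and audit-style file opens.
SAMPLE_LOG = """\
Sep 10 08:01:02 fs01 sshd[2201]: Accepted publickey for alice from 10.0.5.20 port 50212 ssh2
Sep 10 08:03:17 fs01 sshd[2239]: Failed password for svc-backup-legacy from 10.0.9.77 port 40110 ssh2
Sep 10 08:03:19 fs01 sshd[2239]: Failed password for svc-backup-legacy from 10.0.9.77 port 40111 ssh2
Sep 10 08:04:40 fs01 audit[1877]: open path=/srv/shares/finance/Q3-report.xlsx uid=1004 src=10.0.5.20
Sep 10 08:05:02 fs01 audit[1877]: open path=/srv/shares/finance/passwords.xlsx uid=1009 src=10.0.9.77
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?:Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
FILE_RE = re.compile(r"audit\[\d+\]: open path=(\S+) uid=\d+ src=(\S+)")


def detect_tripwire_hits(log_text, decoys=DECOYS):
    """Return one alert dict per log line that touches a registered decoy."""
    by_value = {(d.kind, d.value): d for d in decoys}
    alerts = []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            hit = by_value.get(("credential", m.group(1)))
        else:
            m = FILE_RE.search(line)
            hit = by_value.get(("file", m.group(1))) if m else None
        if hit:
            alerts.append({"decoy": hit.value, "kind": hit.kind,
                           "source": m.group(2), "attack_path": hit.attack_path})
    return alerts


def sources_touching_decoys(alerts):
    """Distinct source addresses that interacted with any decoy."""
    return sorted({a["source"] for a in alerts})


if __name__ == "__main__":
    for a in detect_tripwire_hits(SAMPLE_LOG):
        print(f"TRIPWIRE {a['kind']} {a['decoy']} touched from "
              f"{a['source']} ({a['attack_path']})")
```

Because a decoy has no legitimate users, every hit is high-confidence, which is the property that separates this kind of alert from the noisy rule-based detections described above.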

Addressing Critical Gaps in Vulnerability Management

A major challenge in vulnerability management is protecting assets when immediate patching or vulnerability remediation isn’t possible. Studies indicate that the average Mean Time to Remediate (MTTR) of critical vulnerabilities is approximately 58 days, leaving organizations vulnerable for extended periods. During these exposed periods, NodeZero Tripwires acts as an essential safeguard, providing early warnings for assets with a high probability of being exploited.

Once NodeZero identifies an exploitable attack path, the countdown begins for the customer to remediate the discovered issues and confirm they are no longer exploitable. During this remediation period, which may last weeks or longer, NodeZero Tripwires can be deployed to offer additional indicators and early warnings when an attacker uncovers a vulnerability and attempts to exploit it. This capability is essential in light of current trends in vulnerability management and remediation.

Revolutionizing Cyber Defense for Today’s Challenges

As cyberattacks become increasingly sophisticated, security teams need to detect and respond to threats with greater speed and precision. NodeZero Tripwires offers reliable insights and alerts so security teams can quickly investigate and contain an attack. With seamless integration into existing SIEMs and other security tools, NodeZero Tripwires allows organizations to effortlessly incorporate this intelligence into their incident response workflows.