Archive for horizon3.ai

Intelligent Waves and Horizon3.ai Partner to Bring Next-Generation Autonomous Penetration Testing to the Department of Defense and IC Community

Posted in Commentary with tags on August 28, 2024 by itnerd

Intelligent Waves (IW), a leading tech integrator providing mission-focused, multi-domain operational expertise and innovation to the Department of Defense (DoD), has announced a strategic partnership with Horizon3.ai, a pioneer in autonomous security testing. This collaboration aims to deliver advanced, continuous, and autonomous penetration testing capabilities to enhance the DoD’s cybersecurity defenses.

Revolutionizing Cyber Defense with Autonomous Penetration Testing

The partnership will enable Intelligent Waves to rebrand Horizon3.ai’s NodeZero™ platform into Shadow powered by NodeZero, leveraging IW’s extensive experience in delivering secure and reliable IT services to the DoD. NodeZero is a pioneering autonomous penetration testing platform that continuously assesses and improves an organization’s security posture by preemptively discovering exploitable vulnerabilities and weaknesses within its network infrastructures before it falls victim to a cyber-attack.

Enhancing DoD Cybersecurity Posture

Shadow empowers organizations to conduct unlimited, orchestrated penetration tests, continuously uncovering blind spots and weaknesses within their networks. This platform prioritizes attack paths with the most significant potential impact, providing clear guidance on what to fix first. With full visibility into penetration test progress and exploits, Shadow delivers real-time insights and actionable remediation guidance.

Benefits of the Partnership

  • Continuous Security Assessments: Unlike traditional, periodic penetration testing, Shadow provides ongoing, real-time assessments, ensuring the DoD’s cyber defenses are always up to date.
  • Cost Efficiency: Automation of penetration testing diminishes the need for expensive, manual testing processes, optimizing resource allocation for the DoD.
  • Enhanced Readiness: Immediate verification of fixes ensures that vulnerabilities are effectively addressed, maintaining the integrity of defense systems.
  • Seamless Scalability: The NodeZero platform can scale to test extensive networks, making it ideal for large and complex DoD environments.

Intelligent Waves delivers mission-focused multi-domain operational expertise and innovation to the Government through high-impact technology solutions in cybersecurity, data science, enterprise network & systems engineering, software development, and platform mission support. Always ready. Anytime. Anywhere. Any domain. To learn more, visit www.intelligentwaves.com.

The NodeZero autonomous penetration testing platform empowers the public and private sectors to continuously assess their exploitable attack surfaces. It is the flagship product of Horizon3.ai, founded in 2019 by former industry and U.S. National Security veterans. NodeZero helps organizations see their networks through the eyes of the attacker and proactively fix problems that truly matter, improve the effectiveness of their security initiatives, and ensure that they are prepared to respond to real cyberattacks. Find out more at www.horizon3.ai.

Traccar 5 Remote Code Execution Vulnerabilities Found By Horizon3.ai

Posted in Commentary with tags on August 24, 2024 by itnerd

Naveen Sunkavally, chief architect at Horizon3.ai, has just published “Traccar 5 Remote Code Execution Vulnerabilities” detailing two related path traversal vulnerabilities affecting the popular open source GPS tracking system that could lead to remote code execution: CVE-2024-31214, reported by Horizon3.ai, and CVE-2024-24809, reported by @yiliufeng168.

The post describes four methods, with three proof-of-concept (POC) demonstrations, by which unauthenticated attackers can exploit these vulnerabilities to achieve RCE when guest registration is enabled, which is the default configuration for Traccar 5.

Horizon3.ai reported the vulnerabilities in early April 2024. After the disclosure, the maintainer fixed the path traversal in the Content-Type header and locked down the file extensions to a known set. The maintainer also changed the guest registration setting to be off by default in Traccar 6, per Horizon3.ai’s recommendation, which significantly reduces the attack surface available to unauthenticated attackers and will have a lasting impact on improving the security posture of Traccar for years to come.

Naveen urges that both CVE-2024-31214 and CVE-2024-24809 be treated as critical issues because guest registration is on by default in Traccar 5, effectively allowing unauthenticated access.

Traccar 5 Remote Code Execution Vulnerabilities: https://www.horizon3.ai/attack-research/disclosures/traccar-5-remote-code-execution-vulnerabilities/

Horizon3.ai Publishes New Findings Related To NTLM Credential Theft in Python Windows Apps

Posted in Commentary with tags on August 23, 2024 by itnerd

Naveen Sunkavally, chief architect at Horizon3.ai, has just published new research called: “NTLM Credential Theft in Python Windows Applications.” 

“NTLMv2 hash theft is a well-known credential harvesting technique made possible by the insistence of Windows to automatically authenticate to anything it possibly can. It’s a staple technique used in internal pentests with tools such as responder or ntlmrelayx, exploiting issues such as legacy LLMNR/NBT-NS protocols being enabled or forced authentication vulnerabilities like PetitPotam. It has also been exploited over the Internet, typically by abusing Microsoft Outlook, as described in recent cases by Proofpoint and Microsoft,” Naveen said.

When auditing web applications, NTLMv2 hash theft is possible on Windows hosts through the exploitation of Server-Side Request Forgery (SSRF) or XML External Entities (XXE) vulnerabilities. Much has been written on the topic, and new vulnerabilities continue to be found. 

Naveen details new SSRF vulnerabilities leading to NTLMv2 hash disclosure in three of the most popular Python frameworks: 

  • Gradio by Hugging Face, which powers several popular AI tools; 
  • Jupyter Server, which underpins Jupyter Notebook and JupyterLab; and 
  • Streamlit from Snowflake.

The vulnerabilities Naveen exposes relate to how these Python frameworks retrieve files. Specifically, in Python, any file system operation performed on insufficiently validated input can lead to the leakage of NTLMv2 hashes. The vulnerabilities disclosed in the post can be exploited by unauthenticated attackers, and they have come up in real-world pentests conducted by NodeZero. He also covers an interesting Python bug affecting older versions of Python on Windows that could assist in NTLMv2 hash theft.

The post also recommends fix actions. Naveen concludes: “Windows is the predominant operating system in enterprises, and Python is the language of choice for AI. With AI making a big splash into the mainstream over the last few years, we’re seeing increased usage of Python applications on Windows. This comes with new risk because traditionally Python apps have been developed and run on Linux-based systems, where the security risks are different than on Windows. We believe the specific issue of NTLMv2 hash theft in Python apps is likely heavily under-reported, and something that all parties – defenders, developers, appsec practitioners, bug bounty hunters, etc. – should be on the lookout for.”
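The Traccar fix described earlier on this page (path traversal blocked, file extensions locked to a known set) and the Python file-operation issue described here share one mitigation: an attacker-influenced path must be validated before any file system call sees it, because on Windows a UNC path in that call is enough to trigger outbound SMB authentication. The validator below is an added example, not code from Horizon3.ai, Traccar, Gradio, Jupyter or Streamlit; the root directory and the extension allow-list are assumptions chosen for illustration.

```python
"""Added example: validate a user-supplied file name before it reaches the
file system. Not code from Horizon3.ai or from any project named on this page.
"""
from pathlib import PurePosixPath, PureWindowsPath

# Assumed policy (constructed for this example): the only extensions the
# application may write or serve. Everything else is refused outright.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".txt"}


class UnsafePath(ValueError):
    """Raised for any path the validator will not hand to the file system."""


def safe_join(root: str, user_path: str) -> str:
    """Return root/<user_path> as a POSIX-style string, or raise UnsafePath.

    The user value is parsed with Windows rules on purpose, even on Linux:
    that is the stricter interpretation (both '/' and '\\' separate segments,
    drive letters and UNC prefixes are recognised), so a value that would be
    a harmless local name on Linux but a remote share on Windows is rejected.
    """
    if not user_path or "\x00" in user_path:
        raise UnsafePath("empty path or NUL byte")
    win = PureWindowsPath(user_path)
    # Drive letters (C:\...), UNC shares (\\host\share\...) and rooted paths
    # (\foo or /foo) all carry a non-empty anchor. A UNC path is exactly what
    # makes a Windows host authenticate to a remote SMB server (NTLMv2 leak).
    if win.anchor or PurePosixPath(user_path).is_absolute():
        raise UnsafePath("absolute, drive or UNC path")
    parts = win.parts
    if not parts or ".." in parts:
        raise UnsafePath("directory traversal")
    # ':' would select an NTFS alternate data stream or smuggle a URL scheme.
    if any(":" in part for part in parts):
        raise UnsafePath("colon in path segment")
    if win.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafePath(f"extension {win.suffix!r} not in allow-list")
    return str(PurePosixPath(root).joinpath(*parts))


def is_accepted(root: str, user_path: str) -> bool:
    """True if safe_join accepts the value, False if it raises UnsafePath."""
    try:
        safe_join(root, user_path)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the first two are accepted, the rest refused.
    for candidate in ("photos/cat.png", "notes\\today.txt",
                      "\\\\fileserver\\share\\x.txt", "../../etc/passwd",
                      "C:\\Windows\\win.ini", "shell.jsp", "a.txt:hidden"):
        print(f"{candidate!r:36} -> {is_accepted('/srv/uploads', candidate)}")
```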

NTLM Credential Theft in Python Windows Applications: https://www.horizon3.ai/attack-research/disclosures/ntlm-credential-theft-in-python-windows-applications/

New SolarWinds Web Help Desk hardcoded credential vulnerability discovered by Horizon3.ai

Posted in Commentary with tags on August 22, 2024 by itnerd

On August 16th, Horizon3.ai Chief Attack Engineer Zach Hanley informed SolarWinds of a significant vulnerability, the SolarWinds Web Help Desk (WHD) Hardcoded Credential Vulnerability. The vulnerability is CVE-2024-28987, and was rated 9.1 in severity.

Through the hardcoded credential vulnerability, unauthenticated users can remotely access SolarWinds WHD software to reach internal functionality and modify data, the company said in an advisory attributing the discovery to Hanley.

At 8 pm last night, SolarWinds issued SolarWinds Web Help Desk 12.8.3 Hotfix 2.

Zach will publish details of the vulnerability in the near future, and today urges that the hotfix patch be applied as soon as possible. He notes that upon applying the hotfix patch, “requests to non-existent pages on patched instances will return no content / content-length 0,” as per his post on Twitter.

Horizon3.ai, FedHIVE Team to Revolutionize Public Sector Cybersecurity

Posted in Commentary with tags on August 13, 2024 by itnerd

Horizon3.ai today announced their partnership with FedHIVE, a leading cloud service offering for federal agencies, government contractors, and commercial organizations. FedHIVE, which holds an active Joint Authorization Board (JAB) Authorization to Operate (ATO) at the FedRAMP® High level, is set to incorporate Horizon3.ai’s NodeZero™ SaaS-based platform into their ATO framework.

FedHIVE was the first small business provider to secure FedRAMP High Impact Baseline ATO for its SaaS, IaaS, and PaaS capabilities. This collaboration will allow more federal organizations to utilize Horizon3.ai’s NodeZero platform to view their environments from the attacker’s perspective, while adhering to the stringent requirements of federal customers.

The FedHIVE secure cloud service offering provides Government (Federal and State), Government Contractors and Commercial Customers a compliant, scalable, and secure IaaS, PaaS, and SaaS, enabling and supporting Governments’ mission platforms or the software required for their business or mission success. FedHIVE is a compliance company providing Compliance as a Service (CaaS) together with secure hosting, storage and processing services, intentionally designed to meet and exceed the FedRAMP High Impact Baseline and DoD Cloud Computing Security requirements.

In 2023, there was a pivotal shift as both public and private sectors realized that solely relying on defensive cybersecurity strategies is no longer sufficient. For example, in November 2023, the Department of Navy Cyber Strategy outlined new plans to conduct realistic risk assessments by conducting regular program-driven automated and manual testing of security protections from an adversary’s perspective. In addition, in March 2024, the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) launched the Cyber Operational Readiness Assessment (CORA) program, which highlights continuous holistic assessments to boost operational effectiveness. This move towards ongoing defensive readiness assessments is now becoming a norm across various sectors.

As a result, demand for NodeZero is surging as autonomous penetration testing was recognized as a new category in the U.S. Department of Defense Tech Watchlist. Customers in 50 industries across 25 countries, including government, manufacturing, healthcare, financial services, education, and other industries currently use NodeZero to continuously assess their internal, external, and cloud infrastructures using the same tactics, techniques, and procedures (TTPs) attackers use. 

Tech Mahindra and Horizon3.ai Partner On AI Security

Posted in Commentary with tags on August 6, 2024 by itnerd

Tech Mahindra announced a strategic partnership with Horizon3.ai, a leader in autonomous security to elevate the cybersecurity landscape. The partnership will integrate Horizon3.ai’s cutting-edge NodeZero™ platform, delivering integrated threat detection, AI-powered pentesting, and Governance, Risk, and Compliance (GRC) insights, with Tech Mahindra’s comprehensive suite of cybersecurity services.

Tech Mahindra will leverage Horizon3.ai’s NodeZero™ autonomous penetration testing platform to empower its customers to uncover exploitable vulnerabilities and validate security measures across on-premises, cloud, and hybrid network infrastructures. The partnership will combine Tech Mahindra and Horizon3.ai’s cybersecurity domain expertise and global reach to drive innovation, excellence, and proactive defense. It will provide customers with the tools and expertise needed to safeguard their digital assets.

Tech Mahindra will offer customers real-time vulnerability assessments, enabling prompt identification and remediation of vulnerabilities. The real-world attack testing capability will simulate cyber attackers’ tactics to assess security resilience. Additionally, customers will benefit from comprehensive reporting that prioritizes risks and provides actionable remediation recommendations. The enhanced compliance and cost-effective capabilities will ensure organizations meet regulatory standards and access scalable, advanced penetration testing.

The partnership with Horizon3.ai aligns with Tech Mahindra’s mission to enhance its offerings and provide customers with an unprecedented level of security assurance. Tech Mahindra has earned a reputation as a leading cybersecurity partner by delivering technology implementations, managed security and risk services, and compliance solutions to organizations worldwide. Their comprehensive approach ensures overall cyber resilience and provides cutting-edge proactive protection, detection, and remediation across diverse security domains. 

Horizon3.ai Launches NodeZero Cloud Pentesting

Posted in Commentary with tags on July 30, 2024 by itnerd

Horizon3.ai today announced the launch of NodeZero™ Cloud Pentesting. This innovative solution helps organizations identify and resolve complex exploitable vulnerabilities and hidden attack paths in their cloud environments. Horizon3.ai offers the most comprehensive autonomous penetration testing solution, enabling both public and private sectors to thoroughly assess and secure their cloud environments across AWS and Azure.

As organizations expand their digital presence in the cloud, managing security and addressing the unique requirements of each cloud environment becomes increasingly complex for already overburdened security teams. Concurrently, attackers are intensifying their efforts with more frequent and sophisticated attacks. Many organizations struggle to identify and remediate vulnerabilities in both cloud environments and on-premises systems.

NodeZero Cloud Pentesting offers unparalleled testing capabilities for both cloud and hybrid environments. It identifies and chains together exploitable vulnerabilities, security weaknesses, and software misconfigurations, ensuring continuous validation of security programs and compliance initiatives. The solution can also pivot to on-premises networks, to emulate the true behavior of an attacker. This allows organizations to prioritize the remediation of complex attack paths that could be exploited by attackers, significantly reducing cyber risk.

Organizations can comprehensively assess their cloud and hybrid environments using the advanced capabilities of NodeZero by conducting both internal and external pentests, along with operations such as AD Password Audits and Phishing Impact tests. The solution uncovers previously unknown cloud security weaknesses, highlights overexposed or misconfigured assets, and identifies exploitable identity and access management (IAM) policies that could lead to privilege escalation. This comprehensive testing ensures effective defense in depth, reduces potential attack blast radiuses, and helps organizations mitigate the risks of insider threats and credential-based attacks.

NodeZero Cloud Pentesting Key Features

Internal Pentests:

NodeZero’s internal pentests provide a holistic view of how attackers can chain together exploitable vulnerabilities across the entire digital infrastructure, identifying complex attack paths and pivoting between on-premises and cloud environments.

External Pentests:

Similar to the internal tests but launched from Horizon3.ai’s cloud infrastructure, this pentest uncovers externally exposed weaknesses and validates the security of public-facing systems.

AWS Pentests:

This pentest utilizes AWS CloudFormation to gain a privileged perspective, identifying exploitable vulnerabilities, weak controls, insecure IAM policies, and overexposed assets.

Azure Entra ID Pentests:

This pentest targets Microsoft Entra ID from a privileged perspective, testing susceptibility to Azure-native attacks, and validating the security of applications and services using Microsoft Entra identities.

Designed by Horizon3.ai’s world-renowned attack team and certified offensive security engineers, NodeZero Cloud Pentesting includes safe and effective purpose-built exploits, advanced remote access tools, and an array of attacks designed to leverage lateral movement and privilege escalation. With over 65,000 autonomous penetration tests performed and tens of thousands of on-premises and cloud terrains fully mapped, NodeZero significantly enhances security and reduces risk for organizations of all sizes. With NodeZero’s find, fix, and verify capabilities, no other pentesting solution matches the power, efficacy, and effectiveness that NodeZero delivers.

For both defensive and offensive security professionals interested in seeing NodeZero Cloud Pentesting in action, please visit booth 3045 at Black Hat USA 2024.

For those not attending, request a demo of NodeZero Cloud Pentesting today. 

Horizon3.ai Celebrates Significant Growth and Innovations in First Half of 2024

Posted in Commentary with tags on July 9, 2024 by itnerd

Horizon3.ai marked the close of the first six months of 2024 with a celebration of the Company’s growth across all dimensions.

The Company’s award-winning NodeZero autonomous penetration testing platform empowers organizations to identify exploitable vulnerabilities across their internal, external, and cloud environments. It offers detailed guidance on prioritizing and addressing discovered security issues, and enables users to instantly verify the effectiveness of their fixes.

In the first half of 2024, the NodeZero platform has been enhanced with new features, services, and extensions, including:

Phishing Impact Testing: Provides an accurate assessment of the real-world consequences of compromised credentials within an organization. Business leaders often underestimate the threat posed by employees clicking on malicious links, which undermines security and burdens IT and security teams. The Phishing Impact test precisely identifies the “blast radius” of compromised credentials, demonstrating the potential consequences when attackers gain access to them.

Pentesting Services for Compliance: Meets both internal and external cyber risk assessment and pentesting requirements, aligning with government regulations, industry standards, new security frameworks, and security best practices. This service combines the expertise of Horizon3.ai’s Offensive Security Certified Professional (OSCP) pentesters with the power of NodeZero’s autonomous pentesting. The result is a streamlined, efficient approach to achieving and maintaining compliance.

Rapid Response Service for Cyber Resilience: Gives NodeZero users a strategic advantage with early, actionable intelligence to counteract emerging exploits targeting newly discovered and not yet widely addressed software vulnerabilities. The ability to swiftly identify and remediate emerging threats that pose a real risk to an organization is key to their cyber resilience. NodeZero users receive tailored intelligence on emerging vulnerabilities and can launch targeted tests to measure their exploitability.

Executive Team Expansion: Several executive-level appointments were made to support Horizon3.ai’s rapid growth as a leader in autonomous cybersecurity solutions. These include:

  • Matt Hartley as Chief Revenue Officer (CRO) – With over 20 years of sales and operations excellence, Matt has consistently built go-to-market (GTM) teams that achieve rapid scale and predictability across the revenue lifecycle. He is a growth-minded leader passionate about helping customers leverage technology to generate demonstrable business value.
  • Jill Passalacqua as Chief Legal Officer (CLO) – Jill’s legal expertise will be crucial in advising the company on key plans, guidelines, and compliance requirements. Known for her strategic legal approach to protecting and promoting companies’ interests, operations, and expansion, Jill’s appointment further bolsters Horizon3.ai’s status as a trustworthy and compliant cybersecurity provider.
  • Erick Dean as Vice President of Product Management – With over 20 years of product development experience, Erick has consistently developed effective product strategies and fostered growth in both startups and large organizations. Dean will specialize in assembling and guiding a high-performance team across product management and UX design to further accelerate the capabilities of NodeZero.
  • Drew Mullen as Vice President of Revenue Operations – With a proven track record in driving revenue growth, optimizing resource allocation, and enhancing sales performance, Drew effectively supports go-to-market strategies and operations throughout the entire customer lifecycle, from demand generation through customer acquisition and ongoing engagement.
  • Torie Runzel as Vice President of People – Torie brings extensive experience in developing strong and successful teams through structures, culture, and programs that attract, retain, and develop top talent. She focuses on recruitment, team alignment, professional and organizational development, performance management, and total rewards.

Awards and Recognitions: Horizon3.ai received several prestigious industry recognitions and honors during the first half of 2024, including:

  • Inclusion in the CRN® 2024 Partner Program Guide
  • Govies Award from Security Today Magazine for Autonomous Penetration Testing
  • 2024 Cybersecurity Excellence Awards for Autonomous Penetration Testing
  • Cloud Security Awards for Best Vulnerability Assessment Solution
  • ChannelVision’s Visionary Spotlight Award for Top Innovation
  • ChannelVision’s Visionary Spotlight Award for Cybersecurity
  • AI Global Excellence Award for Best Computer & Network Security Firm 2024
  • Rising in Cyber Award for Top 30 Mid Stage Startups in Cybersecurity
  • Intellyx Digital Innovator Award

Industry Research Contributions: Horizon3.ai’s expert threat researchers conduct deep-level vulnerability research, develop proof-of-concept exploits, and provide indicators of compromise that enable organizations to vastly improve their cybersecurity initiatives. The following research was published in the first half of 2024:

  • Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces – June 14, 2024
  • CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution – June 12, 2024
  • CVE-2023-48788: Revisiting Fortinet FortiClient EMS to Exploit 7.2.X – June 4, 2024
  • CVE-2024-23108: Fortinet FortiSIEM 2nd Order Command Injection Deep-Dive – May 28, 2024
  • CVE-2023-34992: Fortinet FortiSIEM Command Injection Deep-Dive – May 20, 2024
  • CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive – March 21, 2024
  • Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the “Forti Forty” – March 14, 2024
  • NextChat: An AI Chatbot That Lets You Talk to Anyone You Want To – March 11, 2024
  • CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive – March 6, 2024
  • ConnectWise ScreenConnect: Authentication Bypass Deep Dive – February 21, 2024
  • Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities – February 6, 2024
  • CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability – January 29, 2024
  • CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive – January 23, 2024
  • Analysis of CVE-2023-43208: NextGen Mirth Connect Pre-Auth RCE – January 12, 2024
  • Analysis of CVE-2023-39143: PaperCut WebDAV Vulnerability – January 12, 2024

Gradio Vulnerabilities Enable Hugging Face Theft of Secrets

Posted in Commentary with tags on June 15, 2024 by itnerd

Horizon3.ai Chief Architect Naveen Sunkavally has just published “Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces.”

On Friday, May 31, the AI company Hugging Face disclosed a potential breach where attackers may have gained unauthorized access to secrets stored in their Spaces platform.

Naveen said:

“This reminded us of a couple of high severity vulnerabilities we disclosed to Hugging Face affecting their Gradio framework last December. When we reported these vulnerabilities, we demonstrated that they could lead to the exfiltration of secrets stored in Spaces.

“Hugging Face responded in a timely way to our reports and patched Gradio. However, to our surprise, even though these vulnerabilities have long been patched, these old vulnerabilities were, up until recently, still exploitable on the Spaces platform for apps running with an outdated Gradio version.”

As background, Gradio is a popular open-source Python-based web application framework for developing and sharing AI/ML demos. The framework consists of a backend server that hosts a standard set of REST APIs and a library of front-end components that users can plug in to develop their apps. A number of popular AI apps use Gradio, such as the Stable Diffusion Web UI and Text Generation Web UI. Users have several options for sharing Gradio apps: hosting them in a Hugging Face Space; self-hosting; or using the Gradio share feature, which exposes their machine to the Internet through a Gradio-provided proxy URL, similar to ngrok.

The Horizon3.ai blog post demonstrates an exploitable path, and Naveen offers recommendations to users for remediation – whether they are using Gradio in a Hugging Face Space or self-hosting.

Horizon3.ai Has A Deep Dive & POC For Ivanti Endpoint Mgr. SQL Injection RCE Vulnerability

Posted in Commentary with tags on June 13, 2024 by itnerd

Horizon3.ai Chief Attack Engineer Zach Hanley and the Horizon3.ai Attack Team have just published “CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability.” Their POC can be found here.

Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that enables centralized management of devices within an organization. Ivanti is a widely deployed secure access solution across enterprise functions and divisions to reduce costs, optimize service performance, and help support a secure and agile environment.

On May 24, 2024, the Zero Day Initiative (ZDI) and Ivanti released the advisory “Ivanti Endpoint Manager RecordGoodApp SQL Injection Remote Code Execution Vulnerability” describing a SQL injection resulting in remote code execution with a CVSS score of 9.8.