Archive for horizon3.ai

Horizon3.ai NodeZero Users Saved $325K+ A Year Independent Study Shows

Posted in Commentary with tags on October 26, 2023 by itnerd

Horizon3.ai today announced the findings from a commissioned study, “The Total Economic Impact of the NodeZero Platform, October 2023,” performed by Forrester Consulting. It shows how the composite organization studied received vulnerability and risk intelligence that exceeds traditional approaches through use of the NodeZero platform and achieved a three-year 63% return on investment (ROI). In addition, operations time savings freed up the equivalent of one member of their four-member security team to focus on other security initiatives.

The study released today is based on six Horizon3.ai customers from four organizations who were interviewed by Forrester Consulting. These users span the entertainment, manufacturing, healthcare, and construction industries and the quantified benefits they experienced formed the framework for Forrester’s Total Economic Impact (TEI). By aggregating the customers’ characteristics, Forrester created a composite company with 2,000 employees and $500 million in annual revenue for its analysis. Forrester’s multistep approach included an evaluation of the costs, benefits, flexibility, and risk factors yielded from the investment in NodeZero for this profile, while also comparing NodeZero to those customers’ earlier penetration testing and vulnerability scanning approaches.

Key findings for the benefits and cost savings over a three-year period were improvement in security operations productivity by 30% worth $348,000, avoided costs of $255,000 by eliminating third-party penetration tests, and savings of $206,000 from reduced vulnerability scanner expenses. This resulted in a financial benefit of $809,000 for this composite organization, and a total value of $1.63 for each dollar spent. The study also highlights many additional security and business benefits that provided significant value but were not quantified in the study.

Direct quotes from the interviewed organizations reveal a common thread throughout the study about their key challenges prior to adopting NodeZero. They included expensive, inconsistent, and ineffective third-party penetration tests, lack of exploitable vulnerability prioritization, and how the use of siloed or underperforming security tools led to poor insights. Readers will also learn how NodeZero improved the interviewed organizations’ security operations productivity, provided measurable and quantifiable benefits, delivered reductions in cost for previous solutions, and enabled a long list of other benefits.

The identities of the customers are not disclosed in “The Total Economic Impact of the NodeZero Platform, October 2023.”

For organizations that face similar challenges and must make comparable decisions as those found in the Forrester TEI study, Horizon3.ai suggests they download the study and see for themselves what these customers said about NodeZero. These customers note that it has considerably improved their company’s security postures, while providing a notable return on their investment over previous cyber risk assessment approaches.

To read the full TEI study, visit https://www.horizon3.ai/tei-study/

RCE Vulnerability For Popular Mirth Connect Open Source Healthcare Platform

Posted in Commentary with tags on October 25, 2023 by itnerd

Horizon3.ai’s threat researchers have just published NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208).

Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies (a recent survey cited approximately 3,000 organizations). The Horizon3.ai Attack Team findings show that versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability, CVE-2023-43208.

Naveen Sunkavally, chief architect at Horizon3.ai, said: “This is an easily exploitable, unauthenticated remote code execution vulnerability. CVE-2023-37679 was reported to be fixed in Mirth Connect 4.4.0. In the release notes for 4.4.0, it was reported as only affecting Mirth Connect installs running on Java 8 or below. This caught our attention (why only Java 8?), and we started digging. We found that in fact, all installs of Mirth Connect, regardless of the Java version, were vulnerable. We also found that the patch for CVE-2023-37679 could be bypassed. We subsequently reported a new vulnerability to NextGen, tracked as CVE-2023-43208. The fix for CVE-2023-43208 is in 4.4.1.”

Sunkavally noted that attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data. He said that while Horizon3.ai is not releasing an exploit at this time, the methods for exploitation (involving Java XStream) are well known and documented. “We have verified that Mirth Connect versions going as far back as 2015/2016 are vulnerable. On Windows systems, where Mirth Connect appears to be most commonly deployed, it typically runs as the SYSTEM user,” he said.

Sunkavally provided an example of exploiting the vulnerability in his blog post. He recommends that Mirth Connect users upgrade to the latest patch release, which is 4.4.1 as of this writing.

VMware Aria Operations for Logs–Patch Bypass & Attack Analysis From The Horizon3.ai Threat Research Team

Posted in Commentary with tags on October 20, 2023 by itnerd

The Horizon3.ai Threat Research Team has just published VMware Aria Operations for Logs CVE-2023-34051 Technical Deep Dive and IOCs detailing how attackers can bypass patches and conduct attacks on VMware Aria Operations for Logs (formerly VMware vRealize Log Insight). 

Today’s post by Horizon3.ai Exploit Developer James Horseman updates Horizon3.ai’s January 27 and January 31, 2023 posts on the vulnerability, and he notes that the indicators of compromise remain the same as those noted in the January 27th post.

Horizon3.ai Threat Research Team Releases Research Into The Cisco IOS XE Vulnerability

Posted in Commentary with tags on October 20, 2023 by itnerd

The Horizon3.ai Threat Research Team has just released Cisco IOS XE Web UI Vulnerability: A Glimpse into CVE-2023-20198.

The post from Horizon3.ai Attack Team Technical Manager Josh Foster details the risks of compromise, the currently known indicators of compromise, and immediate remediation measures. It also offers longer-term remediation strategies, given that Cisco has yet to release a patch for CVE-2023-20198 and that Cisco observed the threat actor(s) using two different techniques to install an unidentified Remote Access Trojan (RAT) once a device has been compromised.

Risks of Compromise: Josh notes that attackers with this type of unfettered remote access to a network device could take the following actions, with associated impacts:

  • monitor network traffic – eavesdropping on privileged network communications;
  • inject and redirect network traffic – exposing the enterprise to man-in-the-middle attacks;
  • breach protected network segments;
  • utilize the device as a persistent beachhead into the network, as there is a lack of detection/protection solutions for these devices and they can often go overlooked during patch cycles until a disruption to user activity is noticed.

Blog Post – Cisco IOS XE Web UI Vulnerability: A Glimpse into CVE-2023-20198: https://www.horizon3.ai/cisco-ios-xe-web-ui-vulnerability-a-glimpse-into-cve-2023-20198/

Apache Superset Insecure Default Config Part II: RCE, Credential Harvesting and More (IOCs)

Posted in Commentary with tags on September 7, 2023 by itnerd

In April 2023, threat researchers at Horizon3.ai analyzed CVE-2023-27524, which Horizon3.ai Chief Architect Naveen Sunkavally described at the time as “a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data.”

Today, Sunkavally and team have updated their analysis of CVE-2023-27524 with the publication of Apache Superset Part II: RCE, Credential Harvesting and More. This post includes indicators of compromise (IOCs) and examples of what an attacker can do once he/she has attained admin privileges, either from exploiting CVE-2023-27524, or by other means. The blog post includes:

  • Accessing Default Metadata Database Credentials
  • Harvesting Credentials from the Metadata Database
  • Conducting Remote Code Execution on the Superset Server
  • Conducting Remote Code Execution on Any Connected DB Server
  • Indicators of Compromise
  • Remediation Guidance and Remediation Resource Links

Sunkavally notes: “As of this writing, there are still a few default settings to be aware of in the Superset helm template and docker-compose setup. The Superset team is aware of these defaults and planning to remove them. The latest data we gathered supports removing these defaults and providing a complete fix for CVE-2023-27524.”

Apache Superset is an open-source data visualization and exploration tool with over 50,000 stars on GitHub. More than 3000 instances of it are exposed to the Internet.

Previous (April 23, 2023) Horizon3.ai research on “CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution”: https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/

Foresite Cybersecurity adds Horizon3.ai’s NodeZero To Their ProVision Platform

Posted in Commentary with tags on September 6, 2023 by itnerd

Foresite today announced a new partnership with Horizon3.ai to integrate its NodeZero™ autonomous penetration testing technology with Foresite’s ProVision platform to deliver Managed Cyber Testing with Attacker’s View to Foresite partners and their customers. This new offering will further enable Foresite customers to simplify risk reduction, improve security operations, streamline security compliance, prioritize security tasks, and reduce the complexity of cybersecurity overall.

The ProVision platform provides centralized log collection for correlation and visibility with a trained Security Operation Center team of analysts to monitor, investigate, and respond to threats. This cloud-based solution is vendor-agnostic, does not require an agent on every asset, and allows complete client visibility, rule customization, and a predictable fixed-cost model with no hidden usage fees.

NodeZero allows organizations to continuously find, fix, and verify their exploitable attack surface by chaining together harvested credentials, misconfigurations, dangerous product defaults, and exploitable vulnerabilities to achieve critical impacts like domain compromise and sensitive data exposure. The NodeZero platform empowers organizations to reduce their security risk and continuously improve their security posture.

Horizon3.ai Publishes POC for Ivanti Sentry Authentication Bypass

Posted in Commentary with tags on August 24, 2023 by itnerd

Ivanti yesterday updated the alert “KB API Authentication Bypass on Sentry Administrator Interface” – an advisory for CVE-2023-38035. The vulnerability has been added to CISA KEV and comes on the heels of an in-the-wild-exploited vulnerability in Ivanti EPMM (CVE-2023-35078).

Horizon3.ai has just published a Proof of Concept (POC) and deep dive into how this new vulnerability can be used to give an attacker the ability to remotely execute code as the root user.

Horizon3.ai Exploit Developer James Horseman noted: “There aren’t any definitive IoCs that we have found so far. However, any unrecognized HTTP requests to /services/* should be cause for concern. The endpoint that we exploited is likely not the only one that would allow an attacker to take control of the machine. Ivanti Sentry doesn’t offer a standard Unix shell, but if a known exploited system is being forensically analyzed, /var/log/tomcat2/ contains access logs that can be used to check which endpoints were accessed. Lastly, there are logs in the web interface that might be of use to check for any suspicious activity.”

Ivanti Sentry (formerly MobileIron Sentry) notes in its August 23rd advisory that “CVE-2023-38035 enables an unauthenticated actor with access to the System Manager Portal (default hosted on port 8443) to make configuration changes to Sentry and underlying operating system. Successful exploitation can ultimately allow a malicious actor to execute OS commands on the appliance as root.” Exploitation is only possible through the System Manager Portal, hosted on port 8443 by default.

You can read the deep dive here.
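A defender’s check along the lines Horseman describes, added here as an example and not code from Horizon3.ai or Ivanti: it parses Tomcat-style access log lines of the kind found under /var/log/tomcat2/ and flags requests under /services/ that did not come from a known client. The log format is assumed to be Tomcat’s default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`); the sample lines, the IP addresses and the `/services/PLACEHOLDER_ENDPOINT` path are constructed for the example and are not real indicators from the advisory.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, FrozenSet

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
# (assumption: the appliance may log a different pattern; adjust the regex if so).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    host: str
    time: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_services_requests(
    lines: Iterable[str],
    known_clients: FrozenSet[str] = frozenset(),
    prefix: str = "/services/",
) -> List[Finding]:
    """Return every request whose path falls under `prefix` and whose source
    host is not in the allowlist of known clients (the 'unrecognized' requests
    the advisory commentary says should be cause for concern)."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole scan
        path = rec["path"].split("?", 1)[0]  # compare the path without its query string
        if not path.startswith(prefix):
            continue
        if rec["host"] in known_clients:
            continue
        findings.append(
            Finding(rec["host"], rec["time"], rec["method"], rec["path"], int(rec["status"]))
        )
    return findings


def count_by_host(findings: Iterable[Finding]) -> Dict[str, int]:
    """Summarize findings per source host for triage."""
    return dict(Counter(f.host for f in findings))


# Constructed sample log lines (RFC 5737 documentation addresses; placeholder endpoint).
SAMPLE_LOG = [
    '198.51.100.23 - - [22/Aug/2023:03:14:07 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Aug/2023:03:15:41 +0000] "POST /services/PLACEHOLDER_ENDPOINT HTTP/1.1" 200 318',
    '203.0.113.9 - - [22/Aug/2023:03:15:44 +0000] "GET /services/PLACEHOLDER_ENDPOINT?v=1 HTTP/1.1" 500 0',
    '192.0.2.10 - - [22/Aug/2023:03:20:02 +0000] "POST /services/PLACEHOLDER_ENDPOINT HTTP/1.1" 200 318',
    'this line is malformed and must be skipped',
]

# Constructed allowlist: an integration host that is expected to call /services/.
KNOWN_CLIENTS = frozenset({"192.0.2.10"})


if __name__ == "__main__":
    hits = flag_services_requests(SAMPLE_LOG, KNOWN_CLIENTS)
    for f in hits:
        print(f"{f.time}  {f.host}  {f.method} {f.path} -> {f.status}")
    print("per-host counts:", count_by_host(hits))
```

In practice the allowlist would be populated from the integrations that legitimately talk to the Sentry API; anything left over is what an analyst reviews, and a run over a real log would read the files under /var/log/tomcat2/ line by line instead of the constructed list.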

Horizon3.ai Announces $40M Series C Funding

Posted in Commentary with tags on August 8, 2023 by itnerd

Horizon3.ai, a leading provider of autonomous security solutions, today announced $40M in Series C funding led by Craft Ventures with participation from Signal Fire. With 3x customer growth year-over-year, Horizon3.ai’s NodeZero platform has quickly become a leading industry tool for autonomous pentesting, helping customers quickly verify their security posture and reduce their exploitable attack surface.

This funding will be used to build out Horizon3.ai’s enterprise-wide, proactive security platform, expand channel and partner presence, and meet the growing demand of customers worldwide. Founded in late 2019, Horizon3.ai has raised a total of $78.5M to date.

The demand for NodeZero continues to skyrocket: Autonomous penetration testing was recently added as a new category in the U.S. Department of Defense Tech Watchlist. Customers using NodeZero today span 50 industries and 25 countries, including manufacturing, healthcare, financial services, education, and local government.

With this new funding, San Francisco-based Horizon3.ai will integrate pentesting, SOAR, and detection engineering into a security platform that enables customers to proactively secure their enterprise.

Horizon3.ai was founded in 2019 by former industry and U.S. National Security veterans with the mission to help organizations see their networks through the eyes of the attacker and proactively fix problems that truly matter, improve the effectiveness of their security initiatives, and ensure that they are prepared to respond to real cyberattacks. Visit https://www.horizon3.ai/ for a free trial.

Horizon3.ai Does A Deep Dive Into The MOVEit Transfer Vulnerability

Posted in Commentary with tags on June 12, 2023 by itnerd

Horizon3.ai’s Attack team has published MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise over the weekend, which includes a proof of concept (POC) remote code execution (RCE) for the vulnerability, as well as indicators of compromise.

Zach Hanley, Chief Attack Engineer, said in part:

“On May 31, 2023, Progress released a security advisory for their MOVEit Transfer application which detailed a SQL injection leading to remote code execution and urged customers to update to the latest version. The vulnerability, CVE-2023-34362, at the time of release was believed to have been exploited in-the-wild as a 0-day dating back at least 30 days.

“Soon after publication, a flurry of threat intelligence by various companies was released which indicated that this vulnerability was exploited further back than initially thought – GreyNoise seeing activity 90 days prior and Kroll reporting similar activity as far back as 2021. The attacks have been attributed to the cl0p ransomware gang, which is attributed to several other recent 0-day ransomware campaigns such as PaperCut, GoAnywhere MFT, SolarWinds Serv-U, and Accellion FTA.”

The deep dive then illustrates the POC, points out differences between the vulnerable and patched MOVEit versions, and offers indicators of compromise.

You can read the deep dive here.

Zach noted what successful execution of the POC exploit yielded: “cleartext credentials for the provisioned sysadmin account, database credentials, and the service credential. All great targets for lateral movement.”

Horizon3.ai and Autonomos.ai Partner Up

Posted in Commentary with tags on June 1, 2023 by itnerd

Autonomos.ai has joined forces with Horizon3.ai, a U.S.-based cybersecurity firm, as a fully licensed and Certified Partner to introduce advanced cybersecurity services to the African continent. This partnership aims to provide enterprises, governments, and NGOs with a comprehensive and proactive defense against cyber threats.

Autonomos.ai is on a mission to empower organizations by assisting them in assessing their network infrastructures to find, fix, and verify that attack vectors are remediated before malicious actors can exploit them. Horizon3.ai’s flagship product, NodeZero™, is an AI-driven penetration testing solution that revolutionizes the cybersecurity landscape. Using NodeZero, Autonomos.ai delivers the most advanced and continuous exploitable vulnerability detection solution available, ensuring a safe and seamless experience for users in their production environments without the need for persistent or credentialed agents.

NodeZero enables enterprises to view their systems through the eyes of an attacker, identifying ineffective security controls and prioritizing the resolution of critical issues. The solution goes beyond compliance checkboxes, offering effective security measures to enhance overall cyber resilience.

About Autonomos.ai

Our mission is to provide continuous and proactive protection for our clients’ data and assets. We firmly believe in a proactive approach to cybersecurity; shifting from reactive measures to actively identifying and addressing attack vectors before criminals can exploit them allows us to be far ahead of the curve in providing effective cybersecurity.

Being a licensed partner of Horizon3.ai, Autonomos.ai provides their clients with continuous proactive cybersecurity-as-a-service, delivering constant and unlimited evaluation of their systems to immediately identify ineffective or exploitable security controls. These services measurably reduce risk of breach and other negative outcomes from targeted cyber-attacks.

About Horizon3.ai

Horizon3.ai was founded in 2019 by former industry and U.S. National Security veterans with the mission to help organizations to see their networks through the eyes of the attacker and proactively fix problems that truly matter, improve the effectiveness of their security initiatives, and ensure organizations are prepared to respond to real attacks.