Issue 36: Hackers Target EDR Systems, Linux Devices, and VMware HCX in Latest Security Breaches

Top stories 18 October 2024:

  1. EDRSilencer Becomes Go-To Tool for Cybercriminals to Blind EDR and Evade Detection
  2. Multihomed Linux Devices at Risk: New Vulnerability Enables Spoofing and Injection of Malicious Packets
  3. High-Severity SQL Injection Vulnerability Disclosed in VMware HCX Platform



EDRSilencer Becomes Go-To Tool for Cybercriminals to Blind EDR and Evade Detection

Cybercriminals are using the open-source tool EDRSilencer to interfere with Endpoint Detection and Response (EDR) agents. Why? Because an agent that cannot report home makes malicious activity far harder to detect. According to Trend Micro, threat actors are incorporating EDRSilencer into their intrusions and repurposing it to silence EDR agents rather than kill them.


So, what does it do? EDRSilencer, inspired by the FireBlock feature of the Nighthawk C2 framework, uses the Windows Filtering Platform (WFP) to block the outbound network traffic of EDR processes. It carries a built-in list of agent binaries from major vendors, including Microsoft, Elastic, SentinelOne, Palo Alto Networks and Cisco, among others. Nothing is terminated: the EDR process keeps running and can still look healthy on the endpoint, but its telemetry and alerts never reach the management console or cloud backend, so the malware that follows goes unreported.


It is becoming a go-to tool for cybercriminals. It enumerates running processes, matches them against its list of EDR executables, and installs a WFP block filter for each match on both the IPv4 and IPv6 outbound connection layers, so switching address families does not get the telemetry out. A filter can also be added for an arbitrary executable path, and an unblock command removes every filter the tool created, which makes the tampering easy to clean up after the fact. What is more concerning is that EDRSilencer is just one of several tools following this trend.


Attackers are also leaning on EDR-disabling tools such as AuKill and EDRKillShifter, especially in ransomware operations. Those two rely on bring-your-own-vulnerable-driver (BYOVD) tradecraft, loading a signed but vulnerable driver so the agent can be killed from kernel mode. EDRSilencer needs no driver at all, only a documented API and administrative privileges, which is exactly why driver blocklists do not stop it. The game is shifting and these developments deserve a close watch. In practice that means enabling tamper protection on the EDR agent, enforcing the Microsoft vulnerable driver blocklist, alerting on newly created WFP filters (Security event 5447, which requires the Filtering Platform Policy Change audit subcategory), and treating a sensor that stops sending heartbeats as an incident rather than a health ticket.
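
The audit below is an added example, not code from EDRSilencer or Trend Micro. It parses the XML produced by netsh wfp show filters and reports every BLOCK filter on the outbound connect layers whose application-ID condition names a known EDR binary, which is the footprint EDRSilencer leaves regardless of how it was renamed or rebuilt. The element names it reads (filters/item, layerKey, action/type, filterCondition/item/fieldKey, conditionValue/byteBlob/asString) follow the netsh export layout; SAMPLE_XML is a hand-built, trimmed stand-in for that export so the script runs offline, and the process list is an abbreviated copy of EDRSilencer's public target list that you should extend with the agents you actually run.

```python
"""Audit an exported WFP filter list for EDRSilencer-style block filters.

Added example, not EDRSilencer's or Trend Micro's code. On Windows, export
the live filter set first:

    netsh wfp show filters file=filters.xml

then run:  python wfp_audit.py filters.xml
Without an argument the script audits SAMPLE_XML, a constructed stand-in.
"""
import sys
import xml.etree.ElementTree as ET

# Agent binaries from EDRSilencer's public target list (abbreviated).
EDR_PROCESS_NAMES = {
    "msmpeng.exe", "mssense.exe", "senseir.exe", "sensendr.exe",
    "sensecncproxy.exe", "sensesampleuploader.exe",        # Microsoft
    "elastic-agent.exe", "elastic-endpoint.exe",           # Elastic
    "sentinelagent.exe", "sentinelservicehost.exe",        # SentinelOne
    "cyserver.exe", "cyveraservice.exe",                   # Palo Alto
    "csfalconservice.exe", "csfalconcontainer.exe",        # CrowdStrike
    "xagt.exe", "taniumclient.exe", "qualysagent.exe",
}
# EDRSilencer installs its filters on the outbound connect layers, v4 and v6.
OUTBOUND_LAYERS = {
    "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
    "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
}
# Display name hard-coded in the public source; trivially changed by anyone
# rebuilding the tool, so it is reported as a bonus signal only.
EDRSILENCER_DEFAULT_NAME = "Custom Outbound Filter"

# Constructed sample: two silenced agents, one unrelated block, one permit.
SAMPLE_XML = r"""<wfpdiag><filters>
  <item><displayData><name>Custom Outbound Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition><numItems>1</numItems><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
        <asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString>
      </byteBlob></conditionValue></item></filterCondition>
    <action><type>FWP_ACTION_BLOCK</type></action></item>
  <item><displayData><name>Renamed</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
    <filterCondition><numItems>1</numItems><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
        <asString>\device\harddiskvolume3\program files\sentinelone\sentinel agent 23.4\sentinelagent.exe</asString>
      </byteBlob></conditionValue></item></filterCondition>
    <action><type>FWP_ACTION_BLOCK</type></action></item>
  <item><displayData><name>Corporate policy</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition><numItems>1</numItems><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
        <asString>\device\harddiskvolume3\windows\system32\notepad.exe</asString>
      </byteBlob></conditionValue></item></filterCondition>
    <action><type>FWP_ACTION_BLOCK</type></action></item>
  <item><displayData><name>Allow Defender</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition><numItems>1</numItems><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
        <asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString>
      </byteBlob></conditionValue></item></filterCondition>
    <action><type>FWP_ACTION_PERMIT</type></action></item>
</filters></wfpdiag>"""


def _text(elem, path):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def find_silenced_edr_filters(xml_text, edr_names=EDR_PROCESS_NAMES):
    """One finding per BLOCK filter on an outbound connect layer whose
    app-id condition names a known EDR executable."""
    root = ET.fromstring(xml_text)
    findings = []
    for filters in root.iter("filters"):
        for flt in filters.findall("item"):
            if _text(flt, "action/type") != "FWP_ACTION_BLOCK":
                continue
            if _text(flt, "layerKey") not in OUTBOUND_LAYERS:
                continue
            for cond in flt.findall("filterCondition/item"):
                if _text(cond, "fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                    continue
                app_path = _text(cond, "conditionValue/byteBlob/asString").lower()
                exe = app_path.rsplit("\\", 1)[-1]   # device path -> basename
                if exe in edr_names:
                    name = _text(flt, "displayData/name")
                    findings.append({"filter": name, "layer": _text(flt, "layerKey"),
                                     "process": exe, "path": app_path,
                                     "default_name": name == EDRSILENCER_DEFAULT_NAME})
    return findings


if __name__ == "__main__":
    # ET.fromstring accepts bytes and honours the file's own XML declaration.
    source = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    hits = find_silenced_edr_filters(source)
    for f in hits:
        tag = " (EDRSilencer default filter name)" if f["default_name"] else ""
        print(f"BLOCK {f['layer']} -> {f['process']} [{f['filter']}]{tag}")
    if not hits:
        print("no outbound block filters targeting known EDR processes")
```

Run it from a scheduled task or as a response action when a sensor goes quiet, and diff the result against a known-good export rather than trusting the filter names: the unblock command removes the filters again, so a one-off scan after the fact can come back clean.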


TLDR;

  • The open-source tool EDRSilencer is being used by adversaries to blind Endpoint Detection and Response agents: it installs WFP filters that block the outbound traffic of EDR processes, so the agent keeps running but its telemetry never reaches the console and the malware that follows goes unreported.



Multihomed Linux Devices at Risk: New Vulnerability Enables Spoofing and Injection of Malicious Packets

A vulnerability has been reported in how multihomed Linux devices track connections that lets an attacker spoof and inject packets into internal communication streams through an external interface. The flaw, observed during multiple assessments, stems from the way Linux's conntrack module, which provides stateful tracking for the firewall, identifies a flow: a conntrack entry is keyed on source and destination addresses, ports and protocol, and records nothing about the interface the connection originated on.


The consequence is that the usual "accept established/related" rule matches any packet that belongs to a tracked flow regardless of the interface it arrives on; interface-specific rules are normally only consulted for new connections. An attacker who can reach an external interface therefore only needs to forge the address and port pair of an existing internal connection, and the spoofed packet is accepted as part of that established flow and delivered to the internal endpoint.


Multihomed Linux devices of all types are exposed, including NAT routers, VPN servers, virtual machines with more than one interface, and embedded systems. The researchers demonstrated injecting data into Lidar streams on autonomous vehicles, spoofing NAT-PMP packets to create unauthorised port mappings, and manipulating internal communications behind NAT routers.


Administrators should add anti-spoofing rules ahead of the established-state accept: drop any packet that arrives on an external interface carrying a source address from an internal range. Strict reverse-path filtering (the sysctl net.ipv4.conf.all.rp_filter=1) achieves much of this automatically where routing is symmetric. Services that must only be reachable internally should bind their sockets to the internal interface with the SO_BINDTODEVICE socket option, which requires CAP_NET_RAW; binding to the internal IP address alone is not enough, because the spoofed packet is addressed to that same internal IP.


On top of this, a wrapper tool is available to make binding an existing service's sockets to a specific interface easier. Linux administrators should review and update their firewall rulesets to address this issue, as it undermines the integrity of internal communications on any multihomed system.
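
As an added example, not part of the original research or its wrapper tool, the UDP listener below applies the two user-space defences described above: SO_BINDTODEVICE when the process has CAP_NET_RAW, and, as an unprivileged fallback, an IP_PKTINFO check that rejects any datagram whose ingress interface is not the internal one. The interface name eth1, port 5000 and the 10.0.0.0/8 internal range are assumed values; the numeric fallbacks 25 and 8 are the Linux values of SO_BINDTODEVICE and IP_PKTINFO, and demo() walks the policy over constructed ancillary data so it runs without any network.

```python
"""UDP service that only accepts datagrams that arrived on its internal interface.

Added example, not code from the original research. eth1, port 5000 and
10.0.0.0/8 are assumed; ifindex 3 (internal) and 2 (external) in demo()
are constructed sample values.
"""
import ipaddress
import socket
import struct

SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)   # Linux value
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)              # Linux value
PKTINFO_FMT = "i4s4s"      # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def build_in_pktinfo(ifindex, spec_dst, dst):
    """Encode an in_pktinfo the way the kernel delivers it; used to build
    constructed ancillary data for the offline demo."""
    return struct.pack(PKTINFO_FMT, ifindex, socket.inet_aton(spec_dst), socket.inet_aton(dst))


def parse_in_pktinfo(cmsg_data):
    ifindex, spec_dst, dst = struct.unpack(PKTINFO_FMT, cmsg_data[:PKTINFO_LEN])
    return ifindex, socket.inet_ntoa(spec_dst), socket.inet_ntoa(dst)


def ingress_ifindex(ancdata):
    """Pull the ingress interface index out of recvmsg() ancillary data."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            return parse_in_pktinfo(data)[0]
    return None


def datagram_allowed(ifindex, src_ip, internal_ifindex, internal_net):
    """Accept only if the datagram arrived on the internal interface AND has an
    internal source. The source check alone is useless against this attack:
    the injected packet carries a valid internal source and destination, and
    only the ingress interface gives it away."""
    if ifindex != internal_ifindex:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(internal_net)


def serve(iface="eth1", port=5000, internal_net="10.0.0.0/8"):
    internal_ifindex = socket.if_nametoindex(iface)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Kernel-side: the socket only ever sees traffic that arrived on iface.
        sock.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, iface.encode() + b"\0")
    except PermissionError:
        print("SO_BINDTODEVICE needs CAP_NET_RAW; relying on the IP_PKTINFO check")
    # Ask the kernel to attach the ingress interface to every datagram.
    sock.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    # Binding to the internal address instead of 0.0.0.0 would not help: the
    # spoofed packet is addressed to that same internal IP.
    sock.bind(("0.0.0.0", port))
    while True:
        data, ancdata, _, (src, sport) = sock.recvmsg(65535, socket.CMSG_SPACE(PKTINFO_LEN))
        idx = ingress_ifindex(ancdata)
        if datagram_allowed(idx, src, internal_ifindex, internal_net):
            print(f"accepted {len(data)} bytes from {src}:{sport} on ifindex {idx}")
        else:
            print(f"DROPPED {len(data)} bytes from {src}:{sport}: "
                  f"arrived on ifindex {idx}, expected {internal_ifindex}")


def demo():
    """Offline walk-through with constructed ancillary data: a genuine internal
    datagram (ifindex 3) and a spoofed one that arrived externally (ifindex 2)
    but carries the same internal source and destination."""
    legit = [(socket.IPPROTO_IP, IP_PKTINFO, build_in_pktinfo(3, "10.0.0.1", "10.0.0.1"))]
    spoof = [(socket.IPPROTO_IP, IP_PKTINFO, build_in_pktinfo(2, "10.0.0.1", "10.0.0.1"))]
    return [datagram_allowed(ingress_ifindex(legit), "10.0.0.50", 3, "10.0.0.0/8"),
            datagram_allowed(ingress_ifindex(spoof), "10.0.0.50", 3, "10.0.0.0/8")]


if __name__ == "__main__":
    print(demo())   # [True, False]
    # serve()       # needs a real interface named eth1; run on the target host
```

The same decision belongs in the firewall as well, since not every internal service can be rewritten: a rule that drops packets entering the external interface with a source in 10.0.0.0/8, placed before the established-state accept, closes the hole for everything behind it.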


TLDR;

  • A vulnerability in multihomed Linux devices allows attackers to spoof and inject packets into internal communications, because conntrack identifies flows by address and port tuple only and not by the interface they arrived on; NAT routers, VPN servers and similar devices are at risk until anti-spoofing rules are in place.



High-Severity SQL Injection Vulnerability Disclosed in VMware HCX Platform

VMware has disclosed a security vulnerability in its Hybrid Cloud Extension (HCX) platform, tracked as CVE-2024-38814 with a CVSSv3 base score of 8.8, which places it in the High band rather than Critical. The issue allows an authenticated user with non-administrator privileges to submit crafted SQL queries, which could lead to unauthorised remote code execution on the HCX manager.


VMware HCX versions 4.8.x, 4.9.x and 4.10.x are affected. Successful exploitation compromises the confidentiality, integrity and availability of the HCX manager. What is the risk to businesses? Because the HCX manager is paired with the on-premises vCenter and the remote cloud site, an attacker with code execution on it could read sensitive data, alter migration and network-extension configuration, or disrupt the services that depend on it, a serious concern for organisations that rely on VMware's hybrid cloud tooling.


VMware has released security patches to address the vulnerability:

  • VMware HCX 4.10.x: Fixed in version 4.10.1
  • VMware HCX 4.9.x: Fixed in version 4.9.2
  • VMware HCX 4.8.x: Fixed in version 4.8.3


Administrators are strongly advised to apply these patches immediately, as no workarounds exist for this issue.


Failure to do so leaves systems exposed. On the operator side the practical controls are tight access control over who holds an HCX account at all, since any authenticated non-administrator account is enough to exploit this, keeping the HCX manager's interface off the open internet, and monitoring user activity on it. Input validation and parameterised queries are the remedy on the vendor's side and the standard fix for this bug class.
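
The page gives no detail of the HCX query, so the example below is a generic sqlite3 model of the bug class, added here and not VMware code: a string-built lookup beside its parameterised form, driven by the two classic payloads. The users and api_tokens tables and their rows are constructed for the demonstration; the union payload shows why an authenticated low-privilege account is enough, since the attacker only needs any query they are allowed to run to reach data they are not.

```python
"""SQL injection through a string-built query versus a parameterised one.

Added example, not VMware HCX code. The schema, rows and payloads are
constructed for the demonstration.
"""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE api_tokens (user_id INTEGER, token TEXT);
        INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'operator');
        INSERT INTO api_tokens VALUES (1, 'tok-admin-0001'), (2, 'tok-op-0002');
    """)
    return conn


def lookup_vulnerable(conn, name):
    # Attacker-controlled text is spliced straight into the statement, so the
    # quote characters and keywords it contains become part of the SQL.
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # The value travels separately from the statement text; whatever it
    # contains is compared as data and can never be parsed as SQL.
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()


NAME_RE = re.compile(r"^[a-z0-9_.-]{1,64}$")


def is_valid_name(name):
    """Allow-list validation: defence in depth in front of the parameterised
    query, and the only option for parts of a statement that cannot be bound
    (table names, ORDER BY columns)."""
    return bool(NAME_RE.match(name))


def lookup_validated(conn, name):
    if not is_valid_name(name):
        raise ValueError("invalid user name")
    return lookup_safe(conn, name)


# Tautology: turns the WHERE clause into "name = '' OR '1'='1'".
PAYLOAD_BYPASS = "' OR '1'='1"
# Union: appends a second SELECT over a table the query never referenced;
# the trailing -- comments out the closing quote the application added.
PAYLOAD_UNION = "x' UNION SELECT user_id, token, 'leak' FROM api_tokens --"


def demo():
    conn = make_db()
    return {
        "normal":      lookup_vulnerable(conn, "bob"),
        "bypass":      lookup_vulnerable(conn, PAYLOAD_BYPASS),
        "union":       lookup_vulnerable(conn, PAYLOAD_UNION),
        "safe_bypass": lookup_safe(conn, PAYLOAD_BYPASS),
        "safe_union":  lookup_safe(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12s} -> {rows}")
```

Note that the safe variants return an empty list rather than an error: to the database the payload is simply a user name nobody has, which is exactly the behaviour you want.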


At the time of writing there is no public proof of concept and no evidence of active exploitation. Given the severity and the absence of a workaround, remediation should still be a priority, and organisations running HCX should treat patching it as protecting a piece of critical infrastructure.


TLDR;

  • VMware has disclosed a high-severity vulnerability (CVE-2024-38814, CVSSv3 8.8) in its Hybrid Cloud Extension (HCX) platform that lets authenticated non-administrator users perform SQL injection leading to unauthorised remote code execution on the HCX manager; versions 4.8.x, 4.9.x and 4.10.x are affected, patches are available and there is no workaround.


How to Calculate Cybersecurity Return On Investment


We've put together this article to help you calculate cyber ROI at a high level using risk evaluation. Not got time to read it? Take a look at this infographic to help you digest.


That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Analyst).


If you like what you've read, subscribe so you don't miss next week's roundup!
