🧵 below w/ additional advice regarding our blog post yesterday covering the Ivanti Connect Secure vulnerabilities we discovered being exploited ITW at one of our customers:
This won't surprise 🤯 my fellow IR folks, but internet facing/edge devices/appliances are, and have been for a while, a favorite target of APT groups and ransomware crews. One of our blogs from 2015 (and it wasn't new then):
🛑 Accessible from the internet to all (easy access)!
🛑 Often not segmented from the internal network.
🛑 Usually "closed systems", meaning defenders can't get full root access to the underlying OS, OR install EDR software. This is a blindspot!
💣 As an added bonus 💣 these devices (load balancers, VPNs, file transfer services, VDI gateways etc...) can be a goldmine in terms of credentials and other sensitive information which can be used to pivot into other systems.
But all is not lost!
What can be done?
✅ Visibility of network traffic (in/out) from the internal interface of said device(s). Should it be talking SMB, RDP, SSH etc... to all these $systems?
✅ Crank up verbose log settings and ship them off the system (SIEM/syslog). Attackers WILL delete logs!
What can be done? (continued)
✅ Limit what these devices can talk to on the internal network. They probably don't need access to all the things!
✅ Know the process $device vendor has re: forensic collection. They have the access needed to collect this data. Ivanti has one!
🚨 If a compromise is suspected 🚨 try not to power off or reboot the device. Instead, isolate it (block traffic to/from the internet) and start planning how you will investigate. Powering off/rebooting will wipe data critical to the IR process.
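Added example (not from the thread, and not Ivanti's or the author's code) tying together the two network controls above: watching what the appliance's internal interface talks to, and limiting it to what it actually needs. The appliance address, the allowlisted internal services and the flow records are all constructed for the example; the real allowlist should come from the vendor's documented requirements for the device.

```python
import csv
import io
from collections import Counter, defaultdict

# Assumed addressing for this example (not from the thread): the internal-facing
# interface of the VPN appliance and the handful of internal services it needs.
APPLIANCE_INTERNAL_IP = "10.0.0.5"

# Allowlist of (destination, port) the appliance legitimately needs on the inside.
# Assumed values; build the real list from the vendor's documented requirements.
ALLOWED = {
    ("10.0.1.10", 389),   # LDAP to the directory server
    ("10.0.1.10", 636),   # LDAPS
    ("10.0.1.53", 53),    # internal DNS
    ("10.0.1.20", 1812),  # RADIUS
}

# Protocols an edge appliance has no business initiating toward the internal network.
LATERAL_PORTS = {445: "SMB", 139: "SMB", 3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM"}

# Constructed sample flow records (CSV), as a sensor on the internal interface might emit.
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,proto
2024-01-11T03:12:01Z,10.0.0.5,10.0.1.10,389,tcp
2024-01-11T03:12:02Z,10.0.0.5,10.0.1.53,53,udp
2024-01-11T03:14:40Z,10.0.0.5,10.0.2.15,445,tcp
2024-01-11T03:14:41Z,10.0.0.5,10.0.2.16,445,tcp
2024-01-11T03:15:09Z,10.0.0.5,10.0.2.40,3389,tcp
2024-01-11T03:16:00Z,10.0.0.5,10.0.3.7,8443,tcp
2024-01-11T03:16:05Z,10.0.1.10,10.0.0.5,443,tcp
"""


def analyze_flows(csv_text, appliance_ip=APPLIANCE_INTERNAL_IP, allowed=ALLOWED):
    """Return findings for flows the appliance initiated toward the inside that are
    not on its allowlist. Lateral-movement protocols are rated high."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["src_ip"] != appliance_ip:
            continue  # inbound to the appliance is out of scope here
        port = int(row["dst_port"])
        if (row["dst_ip"], port) in allowed:
            continue
        if port in LATERAL_PORTS:
            severity, reason = "high", f"{LATERAL_PORTS[port]} initiated by edge appliance"
        else:
            severity, reason = "medium", "destination/port not in appliance allowlist"
        findings.append({
            "timestamp": row["timestamp"],
            "dst_ip": row["dst_ip"],
            "dst_port": port,
            "severity": severity,
            "reason": reason,
        })
    return findings


def severity_counts(findings):
    """Count findings by severity, e.g. {'high': 3, 'medium': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def lateral_fan_out(findings, threshold=2):
    """Protocols the appliance used against at least `threshold` distinct internal
    hosts. One SMB session might be a misconfiguration; SMB to many hosts looks
    like discovery or lateral movement and deserves a response."""
    hosts_by_proto = defaultdict(set)
    for f in findings:
        proto = LATERAL_PORTS.get(f["dst_port"])
        if proto:
            hosts_by_proto[proto].add(f["dst_ip"])
    return {p: len(h) for p, h in hosts_by_proto.items() if len(h) >= threshold}


if __name__ == "__main__":
    found = analyze_flows(SAMPLE_FLOWS)
    for f in found:
        print(f"[{f['severity']:6}] {f['timestamp']} -> {f['dst_ip']}:{f['dst_port']}  {f['reason']}")
    print("by severity:", severity_counts(found))
    print("fan-out:", lateral_fan_out(found))
```

The same allowlist that drives the detection is also the egress policy to enforce on the firewall or switch ACL in front of the appliance's internal interface: everything not in it should be blocked, and anything that still shows up in the flow logs (the first sign here is SMB to two different hosts in one second) is worth treating as a possible compromise rather than a tuning problem.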
#memoryforensics #dfir