Tom Lancaster - 自上次边缘设备安全事件以来已经是零日Zero Days.pdf

1、 Volexity Inc.|Proprietary&ConfidentialIt Has Been 0 Days Since the Last Edge-Device Security Incident1Tom LancasterCyberThreat|December 2024TLP:WHITE Volexity Inc.|Proprietary&ConfidentialWhat are we talking about?Edge-Devices In the case of this talk those intended to help protect networks What do

2、 these attacks look like?What might you do to identify or stop these attacks on your network?2 Volexity Inc.|Proprietary&Confidential3Case 1:Ivanti Connect Secure Dec 23 Volexity Inc.|Proprietary&ConfidentialHow it started Signature designed to detect webshells on Exchange4 Volexity Inc.|Proprietary

3、&ConfidentialWebshell Discovery5 Volexity Inc.|Proprietary&ConfidentialThe Investigation Begins6 We acquire memory(RAM)and key files from the webserver Logons to the Exchange Server came from 192.168.x.x-ICS VPN device starting on December 6,2023 Volexity Inc.|Proprietary&ConfidentialAll roads lead

4、to.the ICS VPN Device7 Volexity Inc.|Proprietary&ConfidentialIvanti Connect Secure VPN Check the ICS version?Its up to date.We log into its admin interface to grab device logs and user VPN access logs What did we find?No logs Logging appears to be disabled completely8 Volexity Inc.|Proprietary&Confi

5、dentialNetwork Connections We then notice looking at historic network traffic and see:Outbound cURL request to ip- using the default Linux cURL UA.Outbound connection to external Cyberoam devices on TCP 443 afterwards.Inbound RDP(TCP 3389)and SMB(TCP 445)to machines on customer network.Authenticatio

6、ns to systems from the Pulse Secure system show a non-standard computer name(attacker system)9 Volexity Inc.|Proprietary&ConfidentialWhats going on the ICS VPN?10 Recent patch description for CVE-2023-41719 doesnt add up.Discovered by Synacktiv.Not used ITW Only affects admin panel(not web-facing).I