{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/security_controls/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["github.com","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["github","2fa","security_controls","supply_chain"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis detection identifies instances where two-factor authentication (2FA) requirements are disabled within GitHub Organizations. By monitoring GitHub Organizations audit logs, this analytic tracks changes to 2FA requirements, capturing details about the actor, organization, and associated metadata. Disabling 2FA weakens security controls, increasing the risk of account compromise via password-based attacks. The absence of 2FA can lead to unauthorized access to sensitive code repositories, intellectual property, and potential compromise of the software supply chain. The activity observed in this analytic aligns with actions outlined in the MITRE ATT\u0026amp;CK framework such as impair defenses (T1562.001) and supply chain compromise (T1195).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a privileged GitHub account, possibly through credential compromise or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub organization with the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization\u0026rsquo;s security settings within GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the requirement for two-factor authentication (2FA) for the organization.\u003c/li\u003e\n\u003cli\u003eGitHub audit logs record the \u0026ldquo;org.disable_two_factor_requirement\u0026rdquo; event, capturing details of the actor and organization.\u003c/li\u003e\n\u003cli\u003eWith 2FA disabled, the attacker can now access other accounts within the organization more easily without needing to bypass multi-factor authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses the compromised accounts to access sensitive code repositories or other resources within the organization.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or injects malicious code into the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling 2FA in GitHub organizations increases the risk of account takeover and unauthorized access to sensitive code and intellectual property. A successful attack could lead to the compromise of the software supply chain, impacting not only the organization itself but also its customers and users. This can result in reputational damage, financial losses, and legal liabilities. The Google Cloud Community reported on using Google Security to monitor for suspicious GitHub activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and maintain the Splunk Add-on for GitHub to ingest GitHub Organizations audit logs as detailed in the references.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Organizations Disable 2FA Requirement\u003c/code\u003e to detect instances of 2FA being disabled.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003eactor_id\u003c/code\u003e, and \u003ccode\u003eactor_ip\u003c/code\u003e fields to identify potentially compromised accounts.\u003c/li\u003e\n\u003cli\u003eMonitor user agent strings (\u003ccode\u003euser_agent\u003c/code\u003e field) for suspicious or anomalous activity related to the disabling of 2FA.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies and educate users about the importance of 2FA to prevent initial account compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-github-2fa-disabled/","summary":"The disabling of two-factor authentication (2FA) in GitHub Organizations is detected through audit log monitoring, potentially indicating an attacker's attempt to weaken account security and facilitate unauthorized access.","title":"GitHub Organizations 2FA Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-github-2fa-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","lockdown_mode","security_controls"],"_cs_type":"advisory","_cs_vendors":["VMWare","Splunk"],"content_html":"\u003cp\u003eThis detection identifies when Lockdown Mode is disabled on an ESXi host. Threat actors might disable this mode to weaken host security controls, allowing broader remote access via SSH or the host client. This action could be a precursor to further malicious activities such as data exfiltration, lateral movement within the environment, or tampering with virtual machines. Identifying this activity is crucial as it signifies a potential compromise of the ESXi host, which could lead to significant disruption and data loss. The detection logic is based on ESXi Syslog data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the ESXi host, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to disable Lockdown Mode. This may be done through the vSphere client or directly via SSH if enabled.\u003c/li\u003e\n\u003cli\u003eThe ESXi host logs the event of Lockdown Mode being disabled within its syslog.\u003c/li\u003e\n\u003cli\u003eWith Lockdown Mode disabled, the attacker gains broader access to the host\u0026rsquo;s management interfaces.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, gathering information about the host and its virtual machines.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the environment, leveraging the compromised ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or manipulates virtual machines, achieving their final objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling Lockdown Mode can lead to a complete compromise of the ESXi host and the virtual machines it manages. This can result in data exfiltration, data corruption, or the deployment of ransomware on the virtual machines. Depending on the environment, this can affect hundreds or thousands of virtual machines, potentially disrupting critical business operations. The \u0026ldquo;Black Basta Ransomware\u0026rdquo; analytic story is related to this threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to a SIEM or log aggregation system to enable detection of this activity, as detailed in the \u0026ldquo;How to Implement\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi Lockdown Mode Disabled\u003c/code\u003e to your SIEM to detect instances where Lockdown Mode is disabled on ESXi hosts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eESXi Lockdown Mode Disabled\u003c/code\u003e to determine the root cause and scope of the potential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor ESXi syslog for messages indicating changes to host security configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-esxi-lockdown-disabled/","summary":"The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.","title":"ESXi Lockdown Mode Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Security_controls","version":"https://jsonfeed.org/version/1.1"}