https://feed.craftedsignal.io/tags/security_controls/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-github-2fa-disabled/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-github-2fa-disabled/The disabling of two-factor authentication (2FA) in GitHub Organizations is detected through audit log monitoring, potentially indicating an attacker's attempt to weaken account security and facilitate unauthorized access.This detection identifies instances where two-factor authentication (2FA) requirements are disabled within GitHub Organizations. By monitoring GitHub Organizations audit logs, this analytic tracks changes to 2FA requirements, capturing details about the actor, organization, and associated metadata. Disabling 2FA weakens security controls, increasing the risk of account compromise via password-based attacks. The absence of 2FA can lead to unauthorized access to sensitive code repositories, intellectual property, and potential compromise of the software supply chain. The activity observed in this analytic aligns with actions outlined in the MITRE ATT&CK framework such as impair defenses (T1562.001) and supply chain compromise (T1195).

Attack Chain

1. An attacker gains initial access to a privileged GitHub account, possibly through credential compromise or social engineering.
2. The attacker authenticates to the GitHub organization with the compromised account.
3. The attacker navigates to the organization’s security settings within GitHub.
4. The attacker disables the requirement for two-factor authentication (2FA) for the organization.
5. GitHub audit logs record the “org.disable_two_factor_requirement” event, capturing details of the actor and organization.
6. With 2FA disabled, the attacker can now access other accounts within the organization more easily without needing to bypass multi-factor authentication.
7. The attacker then uses the compromised accounts to access sensitive code repositories or other resources within the organization.
8. The attacker exfiltrates sensitive data or injects malicious code into the software supply chain.

Impact

Disabling 2FA in GitHub organizations increases the risk of account takeover and unauthorized access to sensitive code and intellectual property. A successful attack could lead to the compromise of the software supply chain, impacting not only the organization itself but also its customers and users. This can result in reputational damage, financial losses, and legal liabilities. The Google Cloud Community reported on using Google Security to monitor for suspicious GitHub activity.

Recommendation

• Enable and maintain the Splunk Add-on for GitHub to ingest GitHub Organizations audit logs as detailed in the references.
• Deploy the Sigma rule GitHub Organizations Disable 2FA Requirement to detect instances of 2FA being disabled.
• Investigate any alerts generated by the Sigma rule, focusing on the actor, actor_id, and actor_ip fields to identify potentially compromised accounts.
• Monitor user agent strings (user_agent field) for suspicious or anomalous activity related to the disabling of 2FA.
• Review and enforce strong password policies and educate users about the importance of 2FA to prevent initial account compromise.

]]>mediumadvisorygithub2fasecurity_controlssupply_chainhttps://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.This detection identifies when Lockdown Mode is disabled on an ESXi host. Threat actors might disable this mode to weaken host security controls, allowing broader remote access via SSH or the host client. This action could be a precursor to further malicious activities such as data exfiltration, lateral movement within the environment, or tampering with virtual machines. Identifying this activity is crucial as it signifies a potential compromise of the ESXi host, which could lead to significant disruption and data loss. The detection logic is based on ESXi Syslog data.

Attack Chain

1. An attacker gains initial access to the ESXi host, potentially through compromised credentials or exploiting a vulnerability.
2. The attacker authenticates to the ESXi host.
3. The attacker executes a command to disable Lockdown Mode. This may be done through the vSphere client or directly via SSH if enabled.
4. The ESXi host logs the event of Lockdown Mode being disabled within its syslog.
5. With Lockdown Mode disabled, the attacker gains broader access to the host’s management interfaces.
6. The attacker performs reconnaissance activities, gathering information about the host and its virtual machines.
7. The attacker moves laterally to other systems within the environment, leveraging the compromised ESXi host.
8. The attacker exfiltrates sensitive data or manipulates virtual machines, achieving their final objectives.

Impact

Disabling Lockdown Mode can lead to a complete compromise of the ESXi host and the virtual machines it manages. This can result in data exfiltration, data corruption, or the deployment of ransomware on the virtual machines. Depending on the environment, this can affect hundreds or thousands of virtual machines, potentially disrupting critical business operations. The “Black Basta Ransomware” analytic story is related to this threat.

Recommendation

• Configure ESXi hosts to forward syslog output to a SIEM or log aggregation system to enable detection of this activity, as detailed in the “How to Implement” section of the source.
• Deploy the Sigma rule ESXi Lockdown Mode Disabled to your SIEM to detect instances where Lockdown Mode is disabled on ESXi hosts.
• Investigate any alerts generated by the Sigma rule ESXi Lockdown Mode Disabled to determine the root cause and scope of the potential compromise.
• Monitor ESXi syslog for messages indicating changes to host security configurations.

]]>highadvisoryesxivmwarelockdown_modesecurity_controls