2024.10

Features/Enhancements

  • Support for Injecting MFA-Protected Azure Credentials: NodeZero now supports the OAuth 2.0 device authorization grant (Device Code Flow) to allow users to inject MFA-protected Azure Entra ID credentials. During an Entra ID Pentest, users will be prompted to provide their Azure tenant ID, starting the authentication process once the pentest begins. Users will receive an email notification with an MFA code and instructions to return to the NodeZero portal to complete authentication, supporting Microsoft’s recent mandatory MFA implementation.
  • Webhook Configurations for Tripwires: Added webhook configurations on the Settings page to support exporting Tripwires data to both Microsoft Sentinel and Splunk Cloud.
  • Tripwires for MSP Client and Sub-Client Accounts: Tripwires is now available for MSP Client and Sub-Client accounts, with improvements to alerting and notifications UX.

New Attack Content and Capabilities

  • Azure KeyVault Pilfering: NodeZero now has the capability to pilfer secrets, certificates, and keys from Azure KeyVault.
  • Azure Virtual Machine Exploitation: Using AzureHound, NodeZero can now discover and exploit vulnerabilities to gain remote code execution on Azure-hosted virtual machines.
  • Palo Alto Expedition Vulnerabilities: NodeZero now checks for critical vulnerabilities in Palo Alto Expedition software, allowing unauthenticated attackers to execute remote code and access device credentials.
  • CVE-2024-38346: CloudStack cluster service vulnerability allowing unauthenticated attackers to run commands on the cluster, leading to full remote code execution and host compromise.
  • H3-2024-0052 (CUPS SSRF): cups-browsed service vulnerability allows remote attackers to trigger malicious IPP requests to an attacker-controlled URL, potentially leading to RCE by exploiting other CUPS vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47177).
  • CVE-2023-25717: Ruckus Wireless Admin vulnerability enabling remote code execution via an unauthenticated HTTP GET request, leading to full system compromise.
  • CVE-2024-7029: AVTECH CCTV IP camera vulnerability allowing remote code execution. While not a CISA KEV, a CISA advisory was published for this issue.
  • CVE-2024-45519: Zimbra Collaboration vulnerability that enables RCE through the postjournal service using SMTP commands to inject OS commands.
  • CVE-2024-51567: CyberPanel v2.3.6 vulnerability allowing root access through pre-authentication RCE due to improper authentication checks and command injection.
  • CVE-2023-45249 KEV: Acronis Cyber Infrastructure vulnerability allowing RCE via default credentials.
  • CVE-2023-29357 KEV: SharePoint vulnerability allowing RCE by bypassing authentication using spoofed JWT tokens.
  • CVE-2024-40711 KEV: Veeam Backup and Replication Deserialization vulnerability, now included in the CISA KEV catalog.
  • CVE-2024-51567: A new Rapid Response card and targeted test for CyberPanel RCE (CVE-2024-51567) allows testing this critical vulnerability as part of internal or external pentests.

AWS Privilege Escalation Detection

Added detection for three new AWS privilege escalation weaknesses:

  • H3-2024-45: AWS Pass Role and EC2 Run Instances
  • H3-2024-43: AWS Pass Role and CloudFormation Create Stack
  • H3-2024-44: AWS Pass Role, Lambda Create Function, and Lambda Invoke
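As an added illustration of the three PassRole chains listed above (example code written for this page, not NodeZero's own detection logic), the check below scans an IAM policy document for statements that together grant each chain's full action set. It honours wildcard actions and explicit Deny statements, but deliberately ignores Resource and Condition scoping, so it over-approximates: a flagged policy still needs a human to confirm which roles can actually be passed. The policy document and the mapping from weakness IDs to action sets are constructed for this example.

```python
import fnmatch
import json

# Constructed mapping: each H3 weakness ID and the actions an identity needs
# to hold together before the PassRole chain is usable.
PASSROLE_CHAINS = {
    "H3-2024-45": {"iam:PassRole", "ec2:RunInstances"},
    "H3-2024-43": {"iam:PassRole", "cloudformation:CreateStack"},
    "H3-2024-44": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Return the chain-relevant actions a policy effectively allows.

    Allow statements are matched with IAM-style wildcards ("lambda:*", "*");
    any Deny that matches an action removes it, since Deny always wins.
    NotAction, Resource and Condition are ignored (over-approximation).
    """
    interesting = set().union(*PASSROLE_CHAINS.values())
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in interesting:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied


def find_passrole_chains(policy):
    """Return the sorted weakness IDs whose complete action set is granted."""
    granted = allowed_actions(policy)
    return sorted(wid for wid, needed in PASSROLE_CHAINS.items() if needed <= granted)


# Constructed sample: broad service wildcards plus a single Deny. The Deny on
# ec2:RunInstances breaks H3-2024-45, but the other two chains remain open.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*", "cloudformation:*", "ec2:*"], "Resource": "*"},
    {"Effect": "Deny",  "Action": "ec2:RunInstances", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(find_passrole_chains(SAMPLE_POLICY))  # ['H3-2024-43', 'H3-2024-44']
```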

Bugfixes

  • Improved implant performance and stability for long-running operations.
  • Resolved a bug causing ops to hang due to incomplete module tracking.
  • New signatures added to enhance regreSSHion vulnerability checks.
  • Fixed issue with BloodHound collection failing on Domain Controllers not serving DNS.
  • Corrected false positives when verifying local machine credentials.
  • Resolved issue with Azure token rejection, improving the impact of Azure credential compromises.