2024.11
Features/Enhancements
New Infrastructure Attack Surface Test:
Kubernetes Pentest: NodeZero users with Kubernetes (K8s) environments can now pentest pods, nodes, clusters, and namespaces by running tests through the NodeZero K8s Operator. With additional K8s-specific attack content, NodeZero is now an even better tool for continuous testing in complex hybrid-cloud environments.
New Operational Scenario Test:
Insider Threat Pentest: Confirm the blast radius of any potential insider threat by injecting a Windows AD username and password during test setup.
New Attack Content and Capabilities:
- CVE-2024-8956: PTZOptics cameras. An insufficient authentication vulnerability that exposes sensitive configuration information, like password hashes and network settings.
- CVE-2019-7192: QNAP Photo Station. This attack allows remote attackers to read arbitrary files from the file system, including SSH private keys, which could be used to log into the affected device and execute arbitrary commands.
- CVE-2023-1389: TP-Link AX21. A command injection vulnerability that allows attackers to upload and execute arbitrary PHP files, leading to full system compromise.
- CVE-2023-25280: D-Link DIR-820L routers. A command injection vulnerability that allows remote unauthenticated attackers to execute arbitrary code via a crafted HTTP request. Affects firmware versions DIR820LA1_FW105B03 and prior.
- Slack Attack: NodeZero can now compromise Slack tokens when an endpoint is compromised. This new attack content is visible in the NodeZero portal as “H3-2024-0050 - Slack User Compromise” and introduces a new impact type: Third-Party SaaS User Compromise.
Rapid Response Content:
- CVE-2024-45216: Added a test for Apache Solr. This authentication bypass affects instances using the PKIAuthenticationPlugin (enabled by default). Remote attackers can gain full access to administrative APIs on the affected instance.
- CVE-2024-8963: Added a targeted test for Ivanti Cloud Services Appliance. This path traversal vulnerability allows a remote unauthenticated attacker to access restricted functionality.
New Privilege Escalation Capabilities:
- NodeZero can now escalate privileges within Azure environments using Automation Account Managed Identities with PowerShell runbook TTPs.
New Implant Access Methods:
- Four new ways for the Remote Access Tool (RAT) to gain access and demonstrate its new capabilities, including dropping Tripwires:
  - Windows Management Instrumentation RCE
  - Windows Remote Management RCE
  - PAN-OS CVE-2024-0012
  - PAN-OS CVE-2024-9474
Improved Detection:
- WAF Handling Improvements: NodeZero has enhanced its ability to work with Web Application Firewalls (WAFs), reducing the occurrence of false positives and improving overall accuracy.
- Bloodhound Data Aggregation: We've extended the time-out periods to improve data collection, ensuring better performance in larger networks.
Fixed Bugs:
- Fixed a bug that sometimes caused an error when determining the version string for CVE-2023-48788.