Happy Friday! Before I share the Initial Access Intelligence team's release notes, it's worth pointing out that we had existing coverage for three of the four remote vulnerabilities added to CISA KEV over the last week. Here is what the team did this week:

OpenCTI + VulnCheck Integration

The VulnCheck OpenCTI Connector was merged into OpenCTI's official Connectors repository. The connector supports multiple VulnCheck products including community, EVI, IAI, and IP-Intel. Customers with IAI access can import Snort/Suricata rules into OpenCTI, as well as "Initial Access Indicators". Customers with IP-Intel can import c&c and other IP-related intelligence into OpenCTI. And of course much more functionality is offered via EVI as well.

If you'd like help setting this up, or would like a demo, please reach out to the team and we can get you squared away.

CVE-2023-45498: Vinchin Backup RCE

This vulnerability was originally discovered and disclosed by LeakIX. With targets available online, apparent honeypots online, and a Metasploit module available, we are somewhat surprised that there are no reports of exploitation in the wild. An incredibly generic vulnerable endpoint, /api/, makes this difficult to fingerprint on GreyNoise, so we (unfortunately) have no additional insight at this time.

The team developed an exploit, version scanner, pcaps, Snort/Suricata rules, and Shodan/Censys/FOFA/ZoomEye queries.

CVE-2023-4220: Adds Chamilo File Upload RCE & Chamilo Unification

CVE-2023-4220 has been in VulnCheck KEV since December of 2024, and has a ridiculously high EPSS score of .945 (99th percentile). Shadow Server consistently flags exploit attempts, and the GreyNoise query we developed appears to flag them as well.

The team took this opportunity to unify our Chamilo detection and version verification logic (as we've had to develop multiple Chamilo exploits at this point). We also published PCAPs; Shodan, Censys, FOFA, and ZoomEye queries; GreyNoise, Suricata, and Snort rules; and a vulnerable Docker container.

CVE-2024-47407: mySCADA PRO Manager RCE

The team developed an exploit for the mySCADA PRO Manager software that triggers remote code execution on the system's Docker runtime container. Interestingly, the same exploit code works against both the Windows and Linux deployments, because the underlying management interface uses WSL and Docker on Windows.

We do not believe that these are widely accessible on the internet. Our Censys query only uncovers a handful of targets. But the ease of exploitation, the high value of and customer demand for ICS coverage, and the odds of this being a good Level 3 pivot make it worthy of being in our feed.

The team provides Suricata and Snort rules, version detection, PCAPs; Shodan, Censys, ZoomEye, and FOFA queries; and GreyNoise signatures.

CVE-2024-51567: CyberPanel Command Injection RCE

This vulnerability has been listed in VulnCheck KEV since October 2024 and CISA KEV since November 2024, so we are admittedly a touch behind on this one (although we covered its sibling vulnerability, CVE-2024-51378, back on November 1, 2024). According to our exploits index, this vulnerability has been known to be used by Cerber, Babuk, and PSAUX, and is regularly listed as exploited on Shadow Server. We also note that naive queries indicate there are tens of thousands (if not hundreds of thousands) of these online, but we think almost all of those are honeypots. The real number of targets is likely in the hundreds to thousands.

The team developed an exploit, provided PCAP captures, and created network signatures for Suricata and Snort. The team created queries for Shodan, Censys, FOFA, ZoomEye, and GreyNoise.