
2024.06

New Attack Content

  • AWS Canary Tokens Detection (H3-2024-0035): Detection now also recognizes third-party AWS canary tokens (decoy AWS credentials planted to alert defenders), so NodeZero no longer treats them as usable credentials and attempts AWS authentication with them, which would trip the token's alert and produce a false positive.
  • Office 365 Azure Token Pilfering: The NodeZero Remote Access Tool (RAT) now captures Azure access tokens cached by Office 365 applications on compromised hosts. A stolen token can be replayed to act as that user in Azure, which can escalate to compromise of the Azure user account or Business Email Compromise.
  • Exposed NTLM Authentication Endpoints: New checks flag internet-exposed web endpoints that accept NTLM authentication as vulnerable. Such endpoints allow password spraying against domain accounts from the internet and leak internal host and domain names in the server's NTLM challenge.
  • Ubiquiti UniFi Video Exploit: Adds exploitation of the Apache Log4j2 remote code execution vulnerability (Log4Shell) in Ubiquiti UniFi Video.
  • SolarWinds Serv-U Directory Traversal (CVE-2024-28995): NodeZero now exploits this directory traversal to read sensitive files outside the intended directory on the Serv-U host.
  • Jupyter Credential Leak (CVE-2024-35178): Updated to reflect Horizon3.ai's revised classification of this vulnerability, which was discovered by our researchers.
  • Rapid Response for PHP-CGI Command Injection (CVE-2024-4577): New exploit for the command injection in PHP running in CGI mode on Windows with certain system locales (such as Chinese and Japanese code pages).
  • Adobe Commerce & Magento Alert (CVE-2024-34102): Rapid response and new attack content cover this critical XML external entity (XXE) vulnerability, with details on the vendor advisory and exploit timelines.
  • Upgraded RAT for Telerik Report Server (CVE-2024-4358): Extends the RAT's capabilities against Telerik Report Server by exploiting an authentication bypass.
  • Veeam Backup Enterprise Manager Bypass (CVE-2024-29849): Adds an exploit for this authentication bypass.
  • Azure AD Domain Admin Exploitation via Cloud Kerberos Trust: NodeZero now abuses Cloud Kerberos Trust to escalate from Azure AD privileges to Domain Admin in the on-premises Active Directory domain. The techniques are detailed in the article Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust.
  • Ivanti Endpoint Manager SQL Injection (CVE-2024-29824): Exploits an unauthenticated SQL injection in Ivanti Endpoint Manager.
  • Apache HugeGraph Gremlin RCE (CVE-2024-27348): Achieves remote code execution through crafted Gremlin queries submitted to Apache HugeGraph.
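As an added example (not NodeZero's code, which is not published here), the following Python shows the two checks a practitioner would run by hand for the "Exposed NTLM Authentication Endpoints" item: whether a 401 response advertises NTLM (or Negotiate, which on an internet-facing host usually falls back to NTLM when no Kerberos ticket can be presented), and what the server's NTLM CHALLENGE_MESSAGE reveals about the internal environment. Field offsets and AV_PAIR ids follow MS-NLMP. The HTTP headers and the challenge token are constructed inline; the host and domain names in them are fictitious, and the helper build_challenge exists only to fabricate a test message, it is not part of any real exchange.

```python
import base64
import struct

# AV_PAIR ids (MS-NLMP 2.2.2.1) that carry names the server leaks.
AV_NAMES = {
    1: "NbComputerName",
    2: "NbDomainName",
    3: "DnsComputerName",
    4: "DnsDomainName",
    5: "DnsTreeName",
}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# Constructed sample 401 headers (not captured from a real host).
SAMPLE_HEADERS_NTLM = {"WWW-Authenticate": "NTLM, Negotiate", "Server": "Microsoft-IIS/10.0"}
SAMPLE_HEADERS_BASIC = {"WWW-Authenticate": 'Basic realm="site"'}


def auth_schemes(headers):
    """Lower-cased auth schemes from WWW-Authenticate. `headers` maps a header
    name to a value or a list of values; one value may hold several
    comma-separated challenges ("NTLM, Negotiate")."""
    schemes = set()
    for name, value in headers.items():
        if name.lower() != "www-authenticate":
            continue
        for v in (value if isinstance(value, list) else [value]):
            for challenge in v.split(","):
                token = challenge.strip().split(" ", 1)[0]
                if token and "=" not in token:  # skip spilled params like nonce="..."
                    schemes.add(token.lower())
    return schemes


def exposes_ntlm(headers):
    """True when the endpoint accepts NTLM. Negotiate is counted as well
    (assumption: NTLM fallback, the common case on internet-facing hosts)."""
    return bool(auth_schemes(headers) & {"ntlm", "negotiate"})


def build_challenge(target_name, av_pairs):
    """Fabricate a base64 NTLM CHALLENGE_MESSAGE (type 2) so the parser can be
    exercised offline. Flags: UNICODE | NTLM | TARGET_INFO | VERSION."""
    target = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                    for i, v in av_pairs) + struct.pack("<HH", 0, 0)  # MsvAvEOL
    flags = 0x00000001 | 0x00000200 | 0x00800000 | NTLMSSP_NEGOTIATE_VERSION
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), 56)            # TargetNameFields
    msg += struct.pack("<I", flags)
    msg += b"\x11" * 8                                                  # ServerChallenge (placeholder)
    msg += b"\x00" * 8                                                  # Reserved
    msg += struct.pack("<HHI", len(info), len(info), 56 + len(target))  # TargetInfoFields
    msg += struct.pack("<BBH", 10, 0, 19041) + b"\x00\x00\x00\x0f"     # Version: 10.0.19041, rev 15
    assert len(msg) == 56
    return base64.b64encode(msg + target + info).decode()


def parse_challenge(b64_token):
    """Decode the token after 'NTLM ' in a server's 401 and return the names
    and OS version it leaks. Assumes the UNICODE flag (UTF-16LE strings)."""
    raw = base64.b64decode(b64_token)
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    t_len, _, t_off = struct.unpack_from("<HHI", raw, 12)
    flags = struct.unpack_from("<I", raw, 20)[0]
    result = {"TargetName": raw[t_off:t_off + t_len].decode("utf-16-le"), "flags": flags}
    i_len, _, i_off = struct.unpack_from("<HHI", raw, 40)
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", raw, 48)
        result["OsVersion"] = f"{major}.{minor} build {build}"
    pos, end = i_off, i_off + i_len
    while pos + 4 <= end:                      # walk AV_PAIRs until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            result[AV_NAMES[av_id]] = raw[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return result


def check_endpoint(headers, ntlm_token=None):
    """Summarise one endpoint's exposure from its 401 response."""
    finding = {"ntlm_exposed": exposes_ntlm(headers), "schemes": sorted(auth_schemes(headers))}
    if ntlm_token:
        finding["leaked"] = parse_challenge(ntlm_token)
    return finding


# Constructed challenge with fictitious names.
SAMPLE_TOKEN = build_challenge("CORP", [
    (2, "CORP"), (1, "EXCH01"), (4, "corp.example.internal"),
    (3, "exch01.corp.example.internal"), (5, "corp.example.internal"),
])

if __name__ == "__main__":
    print(check_endpoint(SAMPLE_HEADERS_NTLM, SAMPLE_TOKEN))
    print(check_endpoint(SAMPLE_HEADERS_BASIC))
```

Against a live host you would send a request with `Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=` (a minimal type 1 message), take the token from the resulting `WWW-Authenticate: NTLM ...` header, and pass it to parse_challenge; the leaked NetBIOS and DNS names are what makes an exposed endpoint worth reporting even before any spraying is attempted.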

Other Updates and Improvements

  • Fixed byte decoding issues in the SNMP enumeration routine.
  • Upgraded NodeZero's Playwright library to version 1.44.
  • Resolved an edge-case issue that prevented Azure credential verification in certain scenarios.
  • Addressed SSH false positives in Default Login detection.
  • Introduced a Phishing Sankey Chart in reports.
  • Added a new phishing exposure chart to reports.