Blog entry by Les Bell

Les Bell
Security News: 2023-08-04
by Les Bell - Friday, 4 August 2023, 10:59 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Boodhound Renamed, New Code Base

Bloodhound, the pen testing tool for Active Directory, has been revamped with a new name and a new code base. The application has two data collection tools, called SharpHound and AzureHound, which collect data from domain controllers and domain-joined Windows systems, such as:

  • Security group memberships
  • Domain trusts
  • Abusable rights on Active Directory objects
  • Group Policy links
  • OU tree structure
  • Several properties from computer, group and user objects
  • SQL admin links
  • Members of local admin, remote desktop, DCOM and remote management groups
  • Active sessions

This data can then be loaded into the Bloodhound GUI for analysis, allowing exploration of possible attack paths (by both red teams and blue teams). While originally written as an open source project, Bloodhound was also commercialized and extended by SpectorOps to produce the SaaS Bloodhound Enterprise. However, over time, the two code bases diverged - in fact, the Enterprise version has a completely different architecture - and this increased the development workload substantially, since adding features meant writing, testing and maintaining two different versions of the same code.

However, SpecterOps is now (as of 8 August) releasing Bloodhound CE (Community Edition), which is based on the BloodHound Enterprise code base. This will eliminate a lot of duplicate effort in maintaining, supporting and extending the common code base.

Hinck, Stephen, Your new best friend: Introducing BloodHound Community Edition, blog post, 2 August 2023. Available online at https://posts.specterops.io/your-new-best-friend-introducing-bloodhound-community-edition-cb908446e270.

CISA Reports on 2022's Most-Exploited Vulnerabilities

A new report from the Cybersecurity & Infrastructure Security Agency, along with international partners, details the top 12 vulnerabilities exploited by threat actors in 2022 and draws lessons from them. Among the key findings:

  • Threat actors exploted older software vulns more often than recently-disclosed vulnerabilities, taking advantage of proof-of-concept code to exploit victims who had delayed patching
  • However, threat actors had the most success exploiting known vulns within the first two years after public disclosure - after that time, patches and upgrades reduced their success rates
  • Threat actors seem to prioritize development of exploits for severe and globally prevalent CVE's, especially if they are more prevalent in their specific targets' networks. Only the more sophisticated actors also develop tools to exploit other vulnerabilities

The report encourages a number of mitigations for both developers and end users, including adoption of secure-by-design principles - but the most obvious less is that end user organizations need to accelerate their patch management programs.

CISA, 2022 Top Routinely Exploited Vulnerabilities, cybersecurity advisory, 3 August 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a.

Google Adds New Privacy Tracking Tools

Last year, Google introduced a new page called Results about you (https://goo.gle/resultsaboutyou) which will report search results which contain your personal phone number, home address or email. Now the page has been updated wth a new dashboard which will allow users to request remove of those results from Google Search, and will also provide notifications when new search results containing contact info turn up.

The page is initially available in the Google app, in the US, in English only. However, it will roll out to new locations and languages in the coming months.

Google has also announced that it will make it easier for user to remote explicit or intimate personal images from search results - an increasingly common problem for many young people today as they lose control of shared images which can then end up on web sites.

Romain, Danielle, New privacy tools to help you stay safe and in control online, Google Keyword, 3 August 2023. Available online at https://blog.google/products/search/new-privacy-tools/.

Clancy, Elizabeth Mary and Boanca Klettke, 20% of young people who forwarded nudes say they had permission – but only 8% gave it. Why the gap?, The Conversation, 4 August 2023. Available online at https://theconversation.com/20-of-young-people-who-forwarded-nudes-say-they-had-permission-but-only-8-gave-it-why-the-gap-207913.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink