overview
SolarWinds recently released fixes to address security flaws in its Access Rights Manager (ARM).
The vulnerability, tracked as CVE-2024-28991, allows remote code execution on ARM.
The Trend Micro researchers credited with its discovery describe the flaw as residing in the JsonSerializationBinder component and stemming from a lack of proper validation of user-supplied data. This exposes ARM installations to a deserialization vulnerability that an authenticated attacker could use to execute arbitrary code.
SolarWinds has addressed the issue in its latest release of Access Rights Manager (ARM), 2024.3.1.
There are no indications that this vulnerability has been exploited, but customers are urged to patch as soon as possible.
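To make the class of flaw concrete for defenders reviewing their own .NET code, the following is an added example (not SolarWinds or Avertium code, and not the actual ARM implementation) written in C# against Newtonsoft.Json. It contrasts a permissive serialization binder, which instantiates whatever type the incoming "$type" field names, with an allow-list binder that refuses any type the application did not explicitly expect. The `StatusMessage` class, the binder names and the sample JSON documents are constructed for the example.

```csharp
// Added example (not SolarWinds or Avertium code): the unsafe-binder pattern
// CVE-2024-28991 is described as, beside an allow-list binder that closes it.
// Assumes Newtonsoft.Json (Json.NET) on .NET; all names below are constructed.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// A harmless message type the application legitimately expects to deserialize.
public class StatusMessage
{
    public string Text { get; set; }
}

// VULNERABLE PATTERN: resolves whatever type name appears in "$type".
// With TypeNameHandling enabled, the sender chooses which CLR type is
// instantiated, which is the deserialization weakness the advisory describes.
public class PermissiveBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName)
        => assemblyName == null
            ? Type.GetType(typeName, throwOnError: true)
            : Type.GetType($"{typeName}, {assemblyName}", throwOnError: true);

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = serializedType.Assembly.FullName;
        typeName = serializedType.FullName;
    }
}

// HARDENED PATTERN: only types on an explicit allow-list may be bound; anything
// else is rejected before an object is ever constructed.
public class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(StatusMessage).FullName] = typeof(StatusMessage),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type '{typeName}' is not permitted for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // key on the type name only
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    // Constructed input: a legitimate message, and a document whose "$type" names a
    // type the application never intended to create (StringBuilder is a benign stand-in).
    const string Expected   = "{\"$type\":\"StatusMessage\",\"Text\":\"ok\"}";
    const string Unexpected = "{\"$type\":\"System.Text.StringBuilder, mscorlib\"}";

    static JsonSerializerSettings With(ISerializationBinder binder) => new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,  // honour "$type" on read
        SerializationBinder = binder,
    };

    public static void Main()
    {
        // Permissive binder: the foreign type named in the JSON is instantiated.
        var permissive = With(new PermissiveBinder());
        Console.WriteLine(JsonConvert.DeserializeObject<object>(Unexpected, permissive).GetType());

        // Allow-list binder: the expected message still round-trips...
        var strict = With(new AllowListBinder());
        var msg = JsonConvert.DeserializeObject<StatusMessage>(Expected, strict);
        Console.WriteLine(msg.Text);

        // ...and the unexpected type is rejected before construction. Json.NET wraps
        // the binder's exception in its own JsonSerializationException.
        try
        {
            JsonConvert.DeserializeObject<object>(Unexpected, strict);
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```

The design point is that the binder is the last gate before an object is constructed: a deny-list of known-bad types is never complete, whereas an allow-list keyed on the handful of types the endpoint actually exchanges makes any unexpected "$type" fail closed. Where polymorphic payloads are not needed at all, setting `TypeNameHandling.None` removes the "$type" mechanism entirely and is the simpler fix.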
how avertium is protecting our customers
IOCs ADDED TO OUR THREAT FEEDS
At this time, there are no known IoCs associated with CVE-2024-28991. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
TTPs TO MONITOR
1. Execution:
- T1059 - Command and Scripting Interpreter: The attacker might use command-line interfaces (e.g., PowerShell, Bash, Python) to execute malicious code.
- T1059.001 - PowerShell: On Windows systems, PowerShell may be used to run arbitrary commands.
- T1059.003 - Windows Command Shell: Attackers might use cmd.exe to execute commands.
- T1059.004 - Unix Shell: Attackers could use Bash or other Unix shell commands on Linux/Unix systems.
- T1203 - Exploitation for Client Execution: The attacker could exploit a vulnerability in a client application to execute arbitrary code.
2. Persistence:
- T1546 - Event Triggered Execution: Attackers may set up event-based execution mechanisms like scheduled tasks, system startup scripts, or services to persist.
- T1546.003 - Windows Service: Abuse of legitimate services for persistent execution.
- T1546.004 - Unix Shell Configuration Modification: Attackers could modify shell profiles to ensure code execution on future logins.
ADDITIONAL SERVICE OFFERINGS
- Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
- Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
- Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
- Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
- Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
SUPPORTING DOCUMENTATION