Going from E to X in Detection & Response
The first SOC I toured was that of a major US bank, circa 2000. That SOC, and the many others I’ve set foot in since, relied heavily on a SIEM to play the twin roles of centralized data collection...
It’s Raining Implants: How to Generate C2 Framework Implants At Scale
Command-and-control (C2) frameworks serve as a means to remotely manage and access compromised devices. They allow for the creation of various payload types, called implants, that are dropped on victim machines by attackers, enabling them to retain access and...
VMware Response to CVE-2023-29552 – Reflective Denial-of-Service (DoS) Amplification Vulnerability in SLP
Greetings from the VMware Security Response Center!
Today we wanted to address CVE-2023-29552, disclosed on April 25th, 2023 – a vulnerability in the Service Location Protocol (SLP) that could allow for a reflective denial-of-service amplification attack.
VMware has investigated this vulnerability and determined...
Bring Your Own Backdoor: How Vulnerable Drivers Let Hackers In
Bring Your Own Vulnerable Driver (BYOVD) techniques are not new; they can be traced back at least as far as 2012 and the Shamoon wiper that targeted Saudi Aramco. The attack used the RawDisk driver, which could manipulate hard drives...
XDR: Identity Matters – Who You Know is As Important as What You Know
Endpoint security is widely recognized as an essential part of modern cybersecurity, and endpoint security tools are in many cases a first and last line of defense. Endpoint security is focused on securing servers, workloads, end-user workstations, laptops, and any other...
Investigating 3CX Desktop Application Attacks: What You Need to Know
This is a developing situation and this blog post will be updated as needed.
Reports of malicious code associated with the 3CX desktop application – part of the 3CX VoIP (Voice over Internet Protocol) platform – began on March 22,...
Embedded vSphere Harbor default enablement results in an insecure configuration
This post is relevant to administrators who have enabled the embedded Harbor version in vSphere 7.0 or 8.0 as explained in Enable the Embedded Harbor Registry on the Supervisor Cluster.
Harbor-helm issue
Harbor, when installed with harbor-helm, will use a default...
How to Detect PoshC2 PowerShell Implants
PoshC2 is a proxy-aware, cross-platform C2 framework that natively supports Docker. Once configured and executed, it generates over 100 variants of fresh implants, written in PowerShell, C#, and Python. The framework has a modular architecture to enable users to...
Unveiling the Evolution of Royal Ransomware
While the evolution of ransomware techniques is to be expected, the speed at which the Royal Ransomware Group has been able to adapt is impressive. Since it was first reported, those responsible for Royal ransomware have advanced quickly over...
VMware and Pwn2Own Vancouver 2023
Greetings from the VMware Security Response Center!
We’re excited to announce that VMware will be returning to Pwn2Own 2023, hosted on March 22nd – 24th in Vancouver, Canada. VMware will have the opportunity to attend in person to validate any demonstrations of...
Why CISOs Should Prioritize Extended Detection & Response (XDR)
In my role as General Manager of the VMware Security Business Unit, I have the privilege of speaking regularly with many Chief Information Security Officers (CISOs) around the globe. While some face challenges unique to the specific organization over...
Security Designed for Cloud-Native Architecture
It is 2023 and organizations are continuing to migrate workloads to public clouds, modernize their applications and adopt cloud-native practices at a rapid pace. But all this movement means the attack surface is growing rapidly,...
The Art of Managing Threat Feeds
Threat intelligence revolves largely around the craft of handling multiple threat intelligence feeds. Whether they simply contain a stream of malicious indicators from previous attacks or, for example, a painstakingly assembled list of Cobalt Strike team servers found in...
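The everyday part of that craft is making indicators from differently formatted feeds comparable before they reach a blocklist or a detection rule. The following is an added example, not code from the VMware post: it refangs indicators (`hxxp`, `[.]`), strips port suffixes from IPv4 team server entries so `203.0.113.10:443` and `203.0.113.10` merge, records which feed vouched for each indicator, and drops internal-range IPs that would only generate false positives. Both feeds (`FEED_A`, `FEED_B`) and their contents are constructed for the example and use documentation address ranges, not real indicators.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample feeds; hosts are documentation ranges, not real indicators.
FEED_A = """# hypothetical team server list, one host:port per line
203.0.113.10:443
198.51.100.7:8443
203.0.113.10:443
10.0.0.5:50050
"""

FEED_B = """indicator,type,note
203[.]0[.]113[.]10,ip,seen in phishing kit
hxxps://malicious.example[.]com/beacon,url,staging server
malicious.example[.]com,domain,
"""

# Ranges that are noise in a blocklist: internal, loopback, link-local, multicast.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


@dataclass
class Indicator:
    kind: str
    value: str
    sources: set[str] = field(default_factory=set)
    notes: list[str] = field(default_factory=list)


def refang(raw: str) -> str:
    """Undo the usual defanging so identical indicators from different feeds compare equal."""
    v = raw.strip().lower()
    v = re.sub(r"\[\.\]|\(\.\)", ".", v)
    v = re.sub(r"^hxxp", "http", v)
    return v


def normalize(raw: str) -> tuple[str, str]:
    """Return (kind, canonical value). A :port suffix on an IPv4 host is dropped so
    203.0.113.10:443 and 203.0.113.10 merge; URLs keep their port.
    Raises ValueError on a malformed IPv4 address."""
    v = refang(raw)
    if v.startswith(("http://", "https://")):
        return "url", v
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?", v)
    if m:
        return "ip", str(ipaddress.ip_address(m.group(1)))
    return "domain", v


def parse_plain(text: str, source: str):
    """One indicator per line; '#' lines are comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line, source, ""


def parse_csv(text: str, source: str):
    """CSV export with an 'indicator' column and an optional 'note' column."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], source, row.get("note", "")


def merge(*feeds) -> dict[tuple[str, str], Indicator]:
    """Deduplicate across feeds, keeping which feed(s) vouched for each indicator."""
    merged: dict[tuple[str, str], Indicator] = {}
    for feed in feeds:
        for raw, source, note in feed:
            kind, value = normalize(raw)
            ind = merged.setdefault((kind, value), Indicator(kind, value))
            ind.sources.add(source)
            if note:
                ind.notes.append(note)
    return merged


def is_actionable(ind: Indicator) -> bool:
    """Drop IPs that would match internal traffic and flood the SOC with false positives."""
    if ind.kind != "ip":
        return True
    ip = ipaddress.ip_address(ind.value)
    return not any(ip in net for net in NOISE_NETS)


def build_blocklist() -> list[Indicator]:
    merged = merge(parse_plain(FEED_A, "feed_a"), parse_csv(FEED_B, "feed_b"))
    # Indicators corroborated by more than one feed sort first.
    return sorted((i for i in merged.values() if is_actionable(i)),
                  key=lambda i: (-len(i.sources), i.kind, i.value))


if __name__ == "__main__":
    for ind in build_blocklist():
        print(f"{ind.kind:6} {ind.value:45} sources={sorted(ind.sources)} notes={ind.notes}")
```

Keeping the `sources` set per indicator is what lets you later weight or expire entries by feed rather than treating every line as equally trustworthy; the noise filter is deliberately an explicit list rather than `is_private`, because `ipaddress` also classifies documentation ranges such as 203.0.113.0/24 as private.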
Full NGAV, EDR, and Audit/Remediation for Air-Gapped Systems
For many global organizations, workloads can be where the most critical business information resides. These teams need to enforce a strict security posture, ensuring their workloads are not directly exposed to the Internet for security, regulatory, and compliance reasons....
VMware Brings In-House Benchmarking Tool to Workloads
Benchmarks are a valuable resource that help security practitioners implement and manage their cybersecurity defenses and data. One widely used source is The Center for Internet Security (CIS). They’ve published CIS Benchmarks, the...