Recent Hub Casts

Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking

Multiple vulnerabilities in the Brocade SANnav storage area network (SAN) management application could be exploited to compromise the appliance and Fibre Channel switches, security researcher Pierre Barre warns.
The researcher identified a total of 18 flaws in the appliance, including unauthenticated flaws allowing remote attackers to log in to vulnerable devices as root. Of these, nine were assigned CVE identifiers: CVE-2024-2859 and CVE-2024-29960 through CVE-2024-29967.
According to the researcher, three of these issues could allow an attacker to send malicious data and to intercept credentials sent in clear-text, potentially compromising the entire Fibre Channel infrastructure.
The first issue exists because the SANnav VM lacks a firewall by default, thus allowing an attacker to reach APIs for the Apache Kafka event streaming platform. The other two are rooted in the use of HTTP as the management protocol if HTTPS is blocked, and in syslog traffic being sent in clear-text.
Barre also discovered that the appliance has two backdoor user accounts, namely ‘root’ and ‘sannav’, and that the password for root is publicly known, as it has been included in the product’s documentation. The same password can be used for the sannav account as well.
While reviewing the SANnav configuration, the researcher also discovered that root access is available by default, that insecure options have been set in an OpenSSH configuration file, and that the appliance is sending HTTPS requests to two domains at regular intervals, without explanation.
Furthermore, SANnav has Postgres running without authentication and accessible from any Docker instance, allowing an unauthenticated attacker to gain read and write access to the database and dump the dcmdb database, which contains sensitive information, including administrative credentials.
Issues in the Postgres Docker instance, Barre says, could allow an attacker to overwrite critical files on the host and to exfiltrate backup files. Furthermore, Docker instances within the appliance have read/write access to critical mount points, allowing an attacker to take over the appliance by replacing binaries in specific directories.
Overall, SANnav uses 40 different Docker instances, and the researcher identified several vulnerabilities in them, including the fact that four instances have extensive permissions that could allow an attacker to take control of the appliance.
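As an added illustration of how a defender would audit for the two container conditions described above (privileged instances and read/write bind mounts onto critical host paths), the following script parses `docker inspect` output. It is not code from the researcher or from Brocade; the container names, mounts and the list of critical host paths are constructed assumptions.

```python
"""Audit `docker inspect` JSON for containers able to modify the host.

Added example, not from the original report. Flags (a) privileged
containers and (b) read/write bind mounts whose host source sits under a
critical path. SAMPLE_INSPECT is constructed data in `docker inspect` shape.
"""
import json

# Host paths where a writable bind mount lets a container replace host
# binaries or configuration. Assumed list; tune it for the appliance.
CRITICAL_HOST_PATHS = ("/", "/etc", "/usr", "/bin", "/sbin", "/lib",
                       "/root", "/var/run/docker.sock")


def _under_critical_path(host_path):
    """True if host_path equals or lies below any critical path."""
    p = host_path.rstrip("/") or "/"
    for crit in CRITICAL_HOST_PATHS:
        c = crit.rstrip("/") or "/"
        if p == c or p.startswith(c + "/"):
            return True
    return False


def audit_container(spec):
    """Return (name, finding, detail) tuples for one inspect record."""
    findings = []
    name = spec.get("Name", "").lstrip("/")
    if spec.get("HostConfig", {}).get("Privileged"):
        findings.append((name, "privileged", None))
    for m in spec.get("Mounts", []):
        if m.get("Type") != "bind":
            continue  # named volumes do not expose host paths
        src = m.get("Source", "")
        if m.get("RW", True) and _under_critical_path(src):
            findings.append((name, "rw-critical-mount", src))
    return findings


def audit_all(inspect_json):
    """Run audit_container over a `docker inspect` JSON array."""
    return [f for rec in json.loads(inspect_json) for f in audit_container(rec)]


SAMPLE_INSPECT = json.dumps([  # constructed sample, three containers
    {"Name": "/svc-db", "HostConfig": {"Privileged": False}, "Mounts": [
        {"Type": "bind", "Source": "/usr/bin", "Destination": "/host/bin", "RW": True},
        {"Type": "volume", "Source": "pgdata", "Destination": "/var/lib/pg", "RW": True}]},
    {"Name": "/svc-broker", "HostConfig": {"Privileged": True}, "Mounts": [
        {"Type": "bind", "Source": "/opt/broker/logs", "Destination": "/logs", "RW": True}]},
    {"Name": "/svc-ui", "HostConfig": {"Privileged": False}, "Mounts": [
        {"Type": "bind", "Source": "/etc/ssl/certs", "Destination": "/certs", "RW": False}]},
])

if __name__ == "__main__":
    for name, kind, detail in audit_all(SAMPLE_INSPECT):
        print(name, kind, detail or "")
```

On a live host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.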
Additionally, Barre discovered that backup files expose credentials and configuration information and can be retrieved and mounted on malicious appliances, that SANnav has inconsistent firewall rules and insecure file permissions, that Kafka can be reached from the WAN interface, and that the appliance uses hardcoded SSH and Docker keys.
Barre initially discovered the flaws in 2022, in SANnav version 2.1.1, but his report was rejected because Brocade had already released version 2.2.2 of the application, which the researcher had not tested. After confirming that the bugs were still present in the newer release, he re-submitted the report in May 2023.
The storage networking solutions provider acknowledged the issues and patched them in SANnav version 2.3.1, which was released in December 2023. Last week, Brocade parent company Broadcom published advisories detailing nine of the addressed flaws.
On April 18, Hewlett Packard Enterprise (HPE) announced that patches for eight of these flaws were included in HPE SANnav Management Portal versions 2.3.0a and 2.3.1.


Network Threats: A Step-by-Step Attack Demonstration

Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy.
Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit edge-case vulnerabilities. Instead, they often use commonly available tools and exploit multiple vulnerability points. By simulating a real-world network attack, security teams can test their detection systems, ensure they have multiple choke points in place, and demonstrate the value of networking security to leadership.
In this article, we demonstrate a real-life attack that could easily occur in many systems. The attack simulation was developed based on the MITRE ATT&CK framework, Atomic Red Team, Cato Networks’ experience in the field, and public threat intel. In the end, we explain why a holistic security approach is key for network security.
The Importance of Simulating a Real-life Network Attack
There are three advantages to simulating a real attack on your network:

You can test your detections and make sure they identify and thwart attacks. This is important for dealing with run-of-the-mill attacks, which are the most common types of attacks.
Real attacks help you demonstrate that defense relies on multiple choke points. An attack is almost never the result of a single point of failure, and therefore, a single detection mechanism isn’t enough.
Real attacks help you demonstrate the importance of network monitoring to your leadership. They show how real visibility into the network provides insights into breaches, allowing for effective mitigation, remediation, and incident response.

The Attack Flow
The attack flow demonstrated below is based on six steps:

Initial Access
Ingress Tool Transfer
Discovery
Credential Dumping
Lateral Movement and Persistence
Data Exfiltration

These steps were chosen since they exemplify common techniques that are ubiquitous in attacks.
Now, let’s dive into each step.

1. Initial Access

The attack begins with spear-phishing, which establishes initial entry into the network. For example, an email carrying a lucrative job offer and an attached file is sent to an employee. In the backend, the malicious attachment runs a macro and exploits a remote code execution vulnerability in Microsoft Office to deliver Hoaxshell, an open-source reverse shell.
According to Dolev Attiya, Staff Security Engineer for Threats at Cato Networks, “A defense-in-depth strategy could have been useful as early as this initial access vector. The phishing email and the Hoaxshell could have been caught through an antivirus engine scanning the email gateway, an antivirus on the endpoint or through visibility into the network and catching command and control of the network artifact generated by the malicious document. Multiple controls increase the chance of catching the attack.”

2. Ingress Tool Transfer

Once access is gained, the attacker transfers various tools into the system to assist with further stages of the attack. This includes PowerShell, Mimikatz, PSX, WMI, and additional tools that live off the land.
Attiya adds, “Many of these tools are already inside the Microsoft Windows framework. Usually, they are used by admins to control the system, but attackers can use them as well for similar, albeit malicious, purposes.”

3. Discovery

Now, the attacker explores the network to identify valuable resources, like services, systems, workstations, domain controllers, ports, additional credentials, active IPs, and more.
According to Attiya, “Think of this step as if the attacker is a tourist visiting a large city for the first time. They are asking people how to get to places, looking up buildings, checking street signs, and learning to orient themselves. This is what the attacker is doing.”
4. Credential Dumping

Once valuable resources are identified, the previously transferred tools are used to extract the credentials of multiple users from the compromised systems. This helps the attacker prepare for lateral movement.

5. Lateral Movement and Persistence

With the credentials, the attacker moves laterally across the network, accessing other systems. The attacker’s goal is to expand their foothold by reaching as many users and devices as possible, with as high privileges as possible. This enables them to hunt for sensitive files they can exfiltrate. If the attacker obtains an administrator’s credentials, for example, they can gain access to large parts of the network. In many cases, the attacker might proceed slowly and schedule tasks for a later time to avoid detection. This allows attackers to advance through the network for months without arousing suspicion or being identified.

Etay Maor, Sr. Director of Security Strategy, says, “I can’t emphasize enough how common Mimikatz is. It’s extremely effective for extracting passwords, and breaking them is easy and can take mere seconds. Everyone uses Mimikatz, even nation-state actors.”
6. Data Exfiltration
Finally, valuable data is identified. It can be extracted from the network to a file-sharing system in the cloud, encrypted for ransomware, and more.
How to Protect Against Network Attacks
Effectively protecting against attackers requires multiple layers of detection. Each layer of security in the kill chain must be strategically managed and holistically orchestrated to prevent attackers from successfully executing their plans. This approach helps anticipate every possible move of an attacker for a stronger security posture.
To watch this entire attack and learn more about a defense-in-depth strategy, watch the entire masterclass here.
This article is a contributed piece from one of our valued partners.


DOJ Arrests Founders of Crypto Mixer Samourai for $2 Billion in Illegal Transactions

Apr 25, 2024 | Newsroom | Cryptocurrency / Cybercrime
The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds.
Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business from 2015 through February 2024. Rodriguez and Hill each face a maximum sentence of 25 years in prison.
Rodriguez, the CEO of the company, and CTO Hill intentionally designed Samourai to help “criminals to engage in large-scale money laundering and sanctions evasion,” while ostensibly marketing it as a privacy-oriented service, the DoJ said.
Samourai laundered money from illegal dark web marketplaces, including Silk Road and Hydra, as well as spear-phishing schemes and scams aimed at defrauding multiple decentralized finance protocols.

The operation, which also involved law enforcement agencies from Iceland and Portugal, along with Europol, saw its digital infrastructure confiscated and its Android app pulled from the Google Play Store in the U.S. Hill, who was apprehended in Portugal, is awaiting his extradition to the U.S. Rodriguez was taken into custody in Pennsylvania.
Samourai offered a cryptocurrency mixing service known as Whirlpool to help users conceal the cryptocurrency transaction trail, in addition to incorporating an “exclusive transaction type” called Ricochet Send that made it possible to add intermediate hops when sending cryptocurrency from one address to another.
Whirlpool was advertised as a way to “mathematically disassociate the ownership of inputs to outputs in a given bitcoin transaction,” which they claimed increases the privacy of the users involved, protects against financial surveillance, and improves the fungibility of the Bitcoin network.
“Ricochet defends against bitcoin blacklists by adding additional decoy transactions between the initial send and eventual recipient,” according to the official documentation. “You should consider using Ricochet when sending to Bitcoin Exchanges, and companies that are known to close accounts for flimsy reasons.”
The feature is engineered to prevent law enforcement and/or cryptocurrency exchanges from recognizing that a particular batch of cryptocurrency originated from criminal activity, the DoJ alleged.

Besides openly courting users (e.g., Russian oligarchs) to circumvent sanctions and launder criminal proceeds through Samourai on their X (formerly Twitter) account, the defendants were also found to have sent investors marketing materials describing how the service’s user base was intended to include online gamblers and criminals who need anonymity to conduct their illegal activities.
“Rodriguez and Hill acknowledge that its revenues will be derived from ‘Dark/Grey Market participants’ seeking to ‘swap their bitcoins with multiple parties’ to avoid detection,” the DoJ said.
The arrests come weeks after a former security engineer named Shakeeb Ahmed was sentenced to three years in prison in the U.S. on charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million, funds that were then laundered using Samourai Whirlpool.
