archive

Surge Collect

  1. Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices

    Last month, Volexity reported on its discovery of zero-day, in-the-wild exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor Volexity tracks as UTA0218. Palo Alto Networks released an advisory and threat protection signature for the vulnerability within 48 hours of Volexity’s disclosure of the issue to Palo Alto Networks, with official patches and fixes following soon after. Volexity has conducted several additional incident response investigations and proactive analyses of Palo Alto Networks firewall devices since the initial two cases described in Volexity’s blog post. These recent investigations were based primarily on data collected from customers generating a tech support file (TSF) from their devices and providing them to Volexity. From these investigations and analyses, Volexity has observed the following: Shortly after the advisory for CVE-2024-3400 was released, scanning and exploitation of the vulnerability immediately increased. The uptick in exploitation appears to have been associated […]

  2. Surge Collect Provides Reliable Memory Acquisition Across Windows, Linux, and macOS

    Over the last 10 years, memory acquisition has proven to be one of the most important and precarious aspects of digital investigations.  Unfortunately, many investigators blindly trust free and commercial tools without understanding the associated risks and limitations. Consequently, they often end up with corrupt memory samples, or they crash systems containing volatile data that is critical to their investigations.  While these tools may be readily accessible, many are unsupported or have been effectively abandoned by their original developers. In addition, a recent empirical study showed that most open source or commercial Windows memory acquisition tools either failed to collect or crashed systems with modern security features enabled. Based on user feedback, we determined there was a growing need within the industry to provide reliable and actively supported memory acquisition capabilities across Windows, Linux, and macOS. Acquisition Challenges When we set out to develop Volatility, we decided to focus our […]