Apr 15, 2024NewsroomFirewall Security / Vulnerability

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the shortcoming are available in the following versions –

• PAN-OS 10.2.9-h1
• PAN-OS 11.0.4-h1, and
• PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.

“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.

It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.

The exact origins of the threat actor exploiting the flaw are presently unknown but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.

It is unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”

In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).

No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it’s unknown if it’s by design or due to early detection and response.

Apr 03, 2024NewsroomMobile Security / Zero Day

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.

The high-severity zero-day vulnerabilities are as follows –

• CVE-2024-29745 – An information disclosure flaw in the bootloader component
• CVE-2024-29748 – A privilege escalation flaw in the firmware component

“There are indications that the [vulnerabilities] may be under limited, targeted exploitation,” Google said in an advisory published April 2, 2024.

While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they “are being actively exploited in the wild by forensic companies.”

“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking,” they said in a series of posts on X (formerly Twitter).

“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.”

GrapheneOS noted that CVE-2024-29748 could be weaponized by local attackers to interrupt a factory reset triggered via the device admin API.

The disclosure comes more than two months after the GrapheneOS team revealed that forensic companies are exploiting firmware vulnerabilities that impact Google Pixel and Samsung Galaxy phones to steal data and spy on users when the device is not at rest.

It also urged Google to introduce an auto-reboot feature to make exploitation of firmware flaws more difficult.

Mar 27, 2024NewsroomVulnerability / Data Security

Cybersecurity researchers are warning that threat actors are actively exploiting a “disputed” and unpatched vulnerability in an open-source artificial intelligence (AI) platform called Anyscale Ray to hijack computing power for illicit cryptocurrency mining.

“This vulnerability allows attackers to take over the companies’ computing power and leak sensitive data,” Oligo Security researchers Avi Lumelsky, Guy Kaplan, and Gal Elbaz said in a Tuesday disclosure.

“This flaw has been under active exploitation for the last seven months, affecting sectors like education, cryptocurrency, biopharma, and more.”

The campaign, ongoing since September 2023, has been codenamed ShadowRay by the Israeli application security firm. It also marks the first time AI workloads have been targeted in the wild through shortcomings underpinning the AI infrastructure.

Ray is an open-source, fully-managed compute framework that allows organizations to build, train, and scale AI and Python workloads. It consists of a core distributed runtime and a set of AI libraries for simplifying the ML platform.

It’s used by some of the biggest companies, including OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others.

The security vulnerability in question is CVE-2023-48022 (CVSS score: 9.8), a critical missing authentication bug that allows remote attackers to execute arbitrary code via the job submission API. It was reported by Bishop Fox alongside two other flaws in August 2023.

The cybersecurity company said the lack of authentication controls in two Ray components, Dashboard, and Client, could be exploited by “unauthorized actors to freely submit jobs, delete existing jobs, retrieve sensitive information, and achieve remote command execution.”

This makes it possible to obtain operating system access to all nodes in the Ray cluster or attempt to retrieve Ray EC2 instance credentials. Anyscale, in an advisory published in November 2023, said it does not plan to fix the issue at this point in time.

“That Ray does not have authentication built in – is a long-standing design decision based on how Ray’s security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy,” the company noted.

It also cautions in its documentation that it’s the platform provider’s responsibility to ensure that Ray runs in “sufficiently controlled network environments” and that developers can access Ray Dashboard in a secure fashion.

Oligo said it observed the shadow vulnerability being exploited to breach hundreds of Ray GPU clusters, potentially enabling the threat actors to get hold of a trove of sensitive credentials and other information from compromised servers.

This includes production database passwords, private SSH keys, access tokens related to OpenAI, HuggingFace, Slack, and Stripe, the ability to poison models, and elevated access to cloud environments from Amazon Web Services, Google Cloud, and Microsoft Azure.

In many of the instances, the infected instances have been found to be hacked with cryptocurrency miners (e.g., XMRig, NBMiner, and Zephyr) and reverse shells for persistent remote access.

The unknown attackers behind ShadowRay have also utilized an open-source tool named Interactsh to fly under the radar.

“When attackers get their hands on a Ray production cluster, it is a jackpot,” the researchers said. “Valuable company data plus remote code execution makes it easy to monetize attacks — all while remaining in the shadows, totally undetected (and, with static security tools, undetectable).”

Mar 08, 2024NewsroomEndpoint Security / Network Security

Threat actors have been observed leveraging the QEMU open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed “large company” to connect to their infrastructure.

While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, the development marks the first QEMU that has been used for this purpose.

“We found that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines,” Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin said.

“Each of the numerous network devices is defined by its type and supports extra options.”

In other words, the idea is to create a virtual network interface and a socket-type network interface, thereby allowing the virtual machine to communicate with any remote server.

The Russian cybersecurity company said it was able to use QEMU to set up a network tunnel from an internal host within the enterprise network that didn’t have internet access to a pivot host with internet access, which connects to the attacker’s server on the cloud running the emulator.

The findings show that threat actors are continuously diversifying their attack strategies to blend their malicious traffic with actual activity and meet their operational goals.

“Malicious actors using legitimate tools to perform various attack steps is nothing new to incident response professionals,” the researchers said.

“This further supports the concept of multi-level protection, which covers both reliable endpoint protection, and specialized solutions for detecting and protecting against complex and targeted attacks including human-operated ones.”

Mar 08, 2024NewsroomVulnerability / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting JetBrains TeamCity On-Premises software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2024-27198 (CVSS score: 9.8), refers to an authentication bypass bug that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker.

It was addressed by JetBrains earlier this week alongside CVE-2024-27199 (CVSS score: 7.3), another moderate-severity authentication bypass flaw that allows for a “limited amount” of information disclosure and system modification.

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company noted at the time.

Threat actors have been observed weaponizing the twin flaws to deliver Jasmin ransomware as well as create hundreds of rogue user accounts, according to CrowdStrike and LeakIX. The Shadowserver Foundation said it detected exploitation attempts starting from March 4, 2024.

Statistics shared by GreyNoise show that CVE-2024-27198 has come under broad exploitation from over a dozen unique IP addresses shortly after public disclosure of the flaw.

In light of active exploitation, users running on-premises versions of the software are advised to apply the updates as soon as possible to mitigate potential threats. Federal agencies are required to patch their instances by March 28, 2024.

Mar 06, 2024NewsroomVulnerability / Zero Day

Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild.

The shortcomings are listed below –

• CVE-2024-23225 – A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections

• CVE-2024-23296 – A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections

It’s currently not clear how the flaws are being weaponized in the wild. Apple said both the vulnerabilities were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.

The updates are available for the following devices –

• iOS 16.7.6 and iPadOS 16.7.6 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

• iOS 17.4 and iPadOS 17.4 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

With the latest development, Apple has addressed a total of three actively exploited zero-days in its software since the start of the year. In late January 2024, it plugged a type confusion flaw in WebKit (CVE-2024-23222) impacting iOS, iPadOS, macOS, tvOS, and Safari web browser that could result in arbitrary code execution.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply necessary updates by March 26, 2024.

The vulnerabilities concern an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine that could result in code execution with root privileges (CVE-2021-36380).

Google, in an advisory published in June 2023, acknowledged it found indications that “CVE-2023-21237 may be under limited, targeted exploitation.” As for CVE-2021-36380, Fortinet revealed late last year that a Mirai botnet called IZ1H9 was leveraging the flaw to corral susceptible devices into a DDoS botnet.

Feb 29, 2024NewsroomRootkit / Threat Intelligence

The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.

The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of Patch Tuesday updates.

“To exploit this vulnerability, an attacker would first have to log on to the system,” Microsoft said. “An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Redmond on Wednesday revised its “Exploitability assessment” for the flaw to “Exploitation Detected.”

Cybersecurity vendor Avast, which discovered an in-the-wild admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to “perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit.”

The FudModule rootkit was first reported by ESET and AhnLab in October 2022 as capable of disabling the monitoring of all security solutions on infected hosts by means of what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack, wherein an attacker a driver susceptible to a known or zero-day flaw to escalate privileges.

What makes the latest attack significant is that it goes “beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine.” That susceptible driver is appid.sys, which is crucial to the functioning of a Windows component called AppLocker that’s responsible for application control.

The real-world exploit devised by the Lazarus Group entails using CVE-2024-21338 in the appid.sys driver to execute arbitrary code in a manner that bypasses all security checks and runs the FudModule rootkit.

“FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem and that Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances,” security researcher Jan Vojtěšek said, describing the malware as under active development.

Besides taking steps to sidestep detection by disabling system loggers, FudModule is engineered to turn off specific security software such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender).

The development marks a new level of technical sophistication associated with North Korean hacking groups, continuously iterating its arsenal for improved stealth and functionality. It also illustrates the elaborate techniques employed to hinder detection and make their tracking much harder.

The adversarial collective’s cross-platform focus is also exemplified by the fact that it has been observed using bogus calendar meeting invite links to stealthily install malware on Apple macOS systems, a campaign that was previously documented by SlowMist in December 2023.

“Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors,” Vojtěšek said. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”

Feb 13, 2024NewsroomVulnerability / Cyber Threat

Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices.

That’s according to findings from Orange Cyberdefense, which said it observed the exploitation of CVE-2024-21893 within hours of the public release of the proof-the-concept (PoC) code.

CVE-2024-21893, which was disclosed by Ivanti late last month alongside CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could permit access to otherwise restricted resources sans any authentication.

The Utah-based company has since acknowledged that the flaw has limited targeted attacks, although the exact scale of the compromises is unclear.

Then, last week, the Shadowserver Foundation revealed a surge in exploitation attempts targeting the vulnerability originating from over 170 unique IP addresses, shortly after both Rapid7 and AssetNote shared additional technical specifics.

Orange Cyberdefense’s latest analysis shows that compromises have been detected as early as February 3, with the attack targeting an unnamed customer to inject a backdoor that grants persistent remote access.

“The backdoor is inserted into an existing Perl file called ‘DSLog.pm,'” the company said, highlighting an ongoing pattern in which existing legitimate components – in this case, a logging module – are modified to add the malicious code.

DSLog, the implant, comes fitted with its own tricks to hamper analysis and detection, including embedding a unique hash per appliance, thereby making it impossible to use the hash to contact the same backdoor on another device.

The same hash value is supplied by the attackers to the User-Agent header field in an HTTP request to the appliance to allow the malware to extract the command to be executed from a query parameter called “cdi.” The decoded instruction is then run as the root user.

“The web shell does not return status/code when trying to contact it,” Orange Cyberdefense said. “There is no known way to detect it directly.”

It further observed evidence of threat actors erasing “.access” logs on “multiple” appliances in a bid to cover up the forensic trail and fly under the radar.

But by checking the artifacts that were created when triggering the SSRF vulnerability, the company said it was able to detect 670 compromised assets during an initial scan on February 3, a number that has dropped to 524 as of February 7.

In light of the continued exploitation of Ivanti devices, it’s highly recommended that “all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.”

Feb 07, 2024NewsroomCyber Espionage / Network Security

Chinese state-backed hackers broke into a computer network that’s used by the Dutch armed forces by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not lead to any damage to the defense network.” The network had less than 50 users.

The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server that’s designed to grant persistent remote access to the compromised appliances.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Cyber Security Centre (NCSC) said. “It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa as early as October 2022.

The development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.

It also arrives days after U.S. authorities took steps to dismantle a botnet comprising out-of-date Cisco and NetGear routers that were used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

Jan 22, 2024NewsroomVulnerability / Malware

Cybersecurity researchers are warning of a “notable increase” in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.

“The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners,” Trustwave said. “Notably, despite the binary’s unknown file format, ActiveMQ’s JSP engine continues to compile and execute the web shell.”

CVE-2023-46604 (CVSS score: 10.0) refers to a severe vulnerability in Apache ActiveMQ that enables remote code execution. Since its public disclosure in late October 2023, it has come under active exploitation by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.

In the latest intrusion set observed by Trustwave, susceptible instances have been targeted by JSP-based web shells that are planted within the “admin” folder of the ActiveMQ installation directory.

The web shell, named Godzilla, is a functionality-rich backdoor capable of parsing inbound HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.

“What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary,” security researcher Rodel Mendrez said. “This method has the potential to circumvent security measures, evading detection by security endpoints during scanning.”

A closer examination of the attack chain shows that the web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine.

The JSP payload ultimately allows the threat actor to connect to the web shell through the Godzilla management user interface and gain complete control over the target host, facilitating the execution of arbitrary shell commands, viewing network information, and handling file management operations.

Users of Apache ActiveMQ are highly recommended to update to the latest version as soon as possible to mitigate potential threats.