Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Palo Alto. Show all posts
Vulnerabilities and Exploits
CISA Issues CyberCrime Cybersecurity Cyberthreats Palo Alto Threats Exploitations Vulnerabilities and Exploits

CISA Issues Alert on Ongoing Exploitation of Palo Alto Networks Bugs

 


A report released by the Cybersecurity and Infrastructure Security Agency, a nonprofit organization that monitors and analyzes threats to the nation's infrastructure, found that Palo Alto Networks' firewall management software was actively exploited in the wild on Thursday. These attacks followed last week's attacks that exploited flaws in similar software. Attackers can exploit the unauthenticated command injection vulnerability (CVE-2024-9463) and the SQL injection vulnerability (CVE-2024-9465) to gain access to unpatched systems running the company's Expedition migration tool. 

This tool allows users to migrate configurations from Checkpoint, Cisco, and other supported vendors to new systems. CVE-2024-9463 is a vulnerability that allows attackers to run arbitrary commands as root on a PAN-OS firewall system, revealing usernames, cleartext passwords, device configurations, and device API keys. Secondly, a second vulnerability can be exploited to gain access to Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems by exploiting this vulnerability. 

There is important information in CVE-2024-9474 that could lend itself to a chained attack scenario, potentially resulting in a high level of security breach. It should be noted that Palo Alto Networks has publicly acknowledged the CVE, but has not yet provided detailed technical information on the vulnerability's mechanics. This leaves room for speculation regarding what is causing the vulnerability.

A spokesperson for Palo Alto Networks (PAN) confirmed patches were available to address these security vulnerabilities, and stated the company is "monitoring a limited set of exploit activities" and is working with external researchers, business partners, and customers to share information in a timely fashion. It was reported to CISA that CVE-2024-5910 had been added to the KEV catalog on Nov. 7 but the software vendor had originally disclosed the bug back in July. 

To exploit this vulnerability, there needs to be authentication within the firewall deployment and management software. Without authentication, an administrator account can be taken over by getting access to the network. There is a CVSS score of 9.3 for the vulnerability, and it is also reported to Palo Alto Networks as PAN-SA-2024-0015, as well. As a result, Palo Alto Networks has continuously monitored and worked with customers to identify and minimize the very few PAN-OS devices that have management web interfaces that are exposed to the Internet or other untrusted networks," the company stated in a separate report describing indicators of compromise for attacks that are targeting the vulnerability. 

Although the company claims these zero-days are only impacting a "very small number" of firewalls, threat monitoring platform Shadowserver reported on Friday that it monitors more than 8,700 outside management interfaces for the PAN-OS operating system. A Palo Alto Networks security advisory from early October states, "Several vulnerabilities have been identified in Palo Alto Networks Expedition that allow unauthorized access to the Expedition database and the arbitrary files on the system, as well as the ability to write arbitrary files to temporary storage locations." 

In addition, the advisory stated that the firewall, Panorama, Prisma Access, and Cloud NGFW products are not affected by these vulnerabilities. Even though the two vulnerabilities have been added to CISA's Known Exploited Vulnerabilities Catalog, a binding operational directive (BOD 22-01) has compelled federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5, to comply with the binding directive. 

Earlier this week, CISA issued a warning about yet another Expedition security hole that is capable of allowing threat actors to reselect and reset the credentials for application administrators. The security flaw (CVE-2024-5910) was patched in July and has been actively exploited in attacks. In a proof-of-concept exploit released by Horizon3.ai researcher Zach Hanley last month, he demonstrated that CVE-2024-5910 can be chained with an additional command injection vulnerability (CVE-2024-9464), that was patched in October, to allow an attacker to execute arbitrary commands on vulnerable Expedition servers that are exposed to the Internet. 

It has been noted that CVE-2024-9464 is linked to other Expedition security vulnerabilities that were also addressed last month. This may allow firewall admins to take over unpatched PAN-OS firewalls if they have not yet been patched. As of now, there seems to be a hotfix available for those who are concerned about being exploited, and those who are concerned should upgrade their Expedition tool to version 1.2.96, or higher. 

It has been recommended by Palo Alto Networks that, those users who are unable to install the Expedition patch immediately, should restrict access to the Expedition network to approved hosts and networks. It is crucial to note that when a vulnerability is added to KEV, not only does it introduce the possibility of an attack that exploits that vulnerability, but also that federal agencies have a deadline to either patch it or stop utilizing the flawed solution entirely. 

There is usually a deadline for that, which is 21 days from the time the bug is added to the bug-tracking system. There has recently been an addition to KEV of CVE-2024-5910, a bug that is described as being missing for crooks who have access to networks. This is Palo Alto Networks Expedition, a tool designed to simplify and automate the complexity of using Palo Alto Networks' next-generation firewalls by optimizing security policies that apply to them. In addition to making it easier for users to migrate from legacy firewall configurations to Palo Alto Networks' security platforms, users can also minimize errors and manual efforts. 

The Palo Alto Networks (PAN) management interface has recently been redesigned to provide a more secure experience for users. A report claiming an unverified remote code execution vulnerability via the PAN-OS management interface prompted the company to release an information bulletin. Those interested in knowing more about hardening network devices are urged to review PCA's recommendations for hardening network devices, and PCA's instructions for gaining access to scan results for the Organization's internet-facing management interfaces are discouraged from following them.
Read more »
VPN
Data Leak malware Middle East Palo Alto VPN

Threat Actors Install Backdoor via Fake Palo Alto GlobalProtect Lure

 

Malware disguising itself as the authentic Palo Alto GlobalProtect Tool is employed by malicious actors to target Middle Eastern firms. This malware can steal data and run remote PowerShell commands to further penetrate company networks. A reliable security solution from Palo Alto Networks that supports multi-factor authentication and offers secure VPN access is called Palo Alto GlobalProtect. 

The tool is frequently used by businesses to guarantee that partners, contractors, and distant workers may securely access private network resources. By utilising Palo Alto GlobalProtect as bait, it is evident that attackers target high-value business entities that use enterprise software, as opposed to random users.

Trend Micro researchers have not been able to figure out how the malware is delivered, but based on the bait employed, they believe the attack begins with a phishing email. It checks for indicators of running in a sandbox before executing its main code. Then it sends profile information about the compromised system to the command and control (C2) server. 

As an additional evasion layer, the malware encrypts the strings and data packets that will be exfiltrated to the C2. The C2 IP detected by Trend Micro used a newly registered URL containing the "sharjahconnect" string, making it appear to be a legal VPN connection portal for Sharjah-based offices in the United Arab Emirates. Given the campaign's targeting scope, this choice allows the threat actors to blend in with normal operations while minimising warning signs that could raise the victim's suspicion. 

Using the Interactsh open-source tool, beacons are sent out at regular intervals to communicate the malware status with threat actors during the post-infection phase. While Interactsh is a legal open-source tool employed by pentesters, its linked domain, oast.fun, has already been spotted in APT-level operations, such as the APT28 campaigns. However, no attribution was provided in this operation involving the Palo Alto product lure. 

The following commands were received from the command and control server: 

  • time to reset: Stops malware operations for a specified duration. 
  • pw: Implements a PowerShell script and sends the result to the hacker's server.
  • pr wtime: Reads or writes a wait time to a file. 
  • pr create-process: Starts a new process and returns the output.
  • pr dnld: Downloads a file from a specified URL. 
  • pr upl: Uploads a file to a remote server. 
  • invalid command type: Returns this message if an unrecognized or erroneous command is encountered.

Trend Micro reports that, while the attackers are unknown, the operation looks to be highly targeted, with unique URLs for the targeted companies and newly established C2 domains to avoid blocklists.
Read more »
Technology
Crypto Attack Digital Money online money Palo Alto Technology

RedTail Cryptominer Exploits Critical Zero-Day in PAN-OS

A new wave of cyberattacks has been reported, leveraging a critical zero-day vulnerability in Palo Alto Networks’ firewall software, PAN-OS. The flaw, identified as CVE-2024-3400 and assigned a maximum CVSS score of 10.0, enables unauthenticated attackers to execute arbitrary code with root privileges, significantly compromising the security of affected systems. 

Researchers from Akamai have observed that the RedTail cryptomining malware is exploiting this vulnerability. The malware is notably sophisticated, exhibiting a deep understanding of cryptomining operations. Unlike typical cryptomining software that uses public mining pools, RedTail’s operators have established private mining pools or proxies. This approach allows for greater control over mining outcomes despite the higher operational and financial costs involved. 

Updated Tools and Techniques: The latest version of RedTail, active since late April, includes several updated tools: 

Encrypted Mining Configuration: This adds a layer of security and obfuscation to the malware's operations. 

Self-Process Debugging: A tactic to evade analysis and hinder detection. Cron Job Integration: Ensures persistence by automatically restarting the malware after the system reboots. 

Usage of RandomX Algorithm: Boosts mining efficiency. Alteration of System Configuration: Employs hugepages to optimize memory usage and performance. 

Akamai's security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik reported, "There are many glossy cryptominers out there, but seeing one with this level of polish is uncommon. The investments required to run a private cryptomining operation are significant, including staffing, infrastructure, and obfuscation. This sophistication may be indicative of a nation-state–sponsored attack group. For any business, there is ongoing testing and evolution to ensure that the product (in this case, malware) is successful, which is unlikely to be done without some type of substantial financial backing. The malware was likely quite profitable if it garnered this degree of attention from a sophisticated group.” 

It Is Not Done Yet 

The threat actors behind RedTail are not solely dependent on the PAN-OS vulnerability. They also exploit various other vulnerabilities across different platforms and devices, including SSL-VPNs, IoT devices, web applications, and security appliances like Ivanti Connect Secure. 

What You Can Do?

In response to this threat, Akamai advises using the Akamai App & API Protector for enhanced security measures. Organizations should identify and patch all vulnerable Palo Alto devices to mitigate the risk posed by the CVE-2024-3400 flaw. Hardening devices against various types of cyberattacks, including web platform attacks, command injections, and local file inclusion, is recommended.
Read more »
Vulnerabilities and Exploits
NSFW Palo Alto PAN-OS Vulnerabilities and Exploits

Palo Alto Next Generation Firewall Detected With Four Vulnerabilities

 

Details of a series of bugs in Palo Alto Firewall Software, which the network provider addressed last September, were revealed by security researchers recently. The four-vulnerability swarm of bugs contains many bugs within, found by protection experts in Positive Technologies in the Palo Alto PAN-OS operating system. The next-generation firewall (NGFW) from Palo Alto Networks is the leading corporate firewall used to protect businesses from many cyber threats worldwide. It works with its own "PAN-OS" operating system. 

Palo Alto Networks, Inc. is an American, international, Santa Clara, California-based, cybersecurity corporation. Its key offerings are a portal for integrated firewalls and cloud-based offers to broaden these firewalls into other security dimensions. 

The vulnerabilities detected could lead to arbitrary OS command execution by an authorized user CVE-2020-2037 and CVE-2020-2038 – denial of service by an unauthorized user (CVE-2020-2039), and reflected cross-site scripting (XSS) (CVE-2020-2036). The weakness of CVE-2020-2037 was caused by the absence of user input filters. These may have contributed to remote code execution (RCE), but only pre-authorized users were limited to service, minimizing overall risk. These vulnerabilities allow an attacker to acquire access to sensitive information, to interrupt firewall component availability, or to access internal network segments. A black box examination of the web control interface of the firewall found, that the first vulnerability was triggered by a lack of user input filtering. PHP scripts manage user requests and transfers all data relating to a local port listening facility. It searches the data and returns the findings to the web application customer. 

“Using these vulnerabilities, an attacker can gain access to sensitive data, disrupt the availability of firewall components or gain access to internal network segments,” the researchers stated.

Unauthenticated users can carry out Denial-of-Service (DoS) attacks with a different vulnerability. The Nginx application platform is built into the firewall. The bug causes several files to be transferred to this server in such a manner that no storage space is left. The Palo Alto Networks NGFW site control panel is no longer available without any disk space resources. This is essentially a denial of service since the system as a whole cannot usually be used in this situation.

“We tried to open the web management interface but could not log in,” the researchers explained. “Most likely, this happened because PHP failed to create a session file on disk, due to the lack of disk space available. As a result, we were able to conduct a DoS attack on Palo Alto NGFW components acting as an unauthenticated user.” 

The fourth vulnerability involved a reflective XSS vulnerability exposed in the /unauth/php/change_password.php script. This script uses the user-controlled vector $_SERVER['PHP SELF'].

Though all four of the bugs are fixed, but each of these affected separate versions of PAN-OS, so the safest recommendation for sysadmins is to update to the current edition of the supported product.
Read more »
Subscribe to: Posts (Atom)