Search This Blog

Popular Posts

Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerabilities and Exploits. Show all posts
XE Group
CVSS CyberCrime Cyberhackers CyberThreat Microsoft Software SQL Vulnerabilities and Exploits XE Group

XE Group Rebrands Its Cybercrime Strategy by Targeting Supply Chains

 


Over the past decade, there has been a rise in the number of cyber threats targeting the country, including the XE Group, a hacker collective with Vietnamese connections. According to recent investigations, the group was responsible for exploiting two zero-day vulnerabilities in VeraCore's warehouse management platform, CVE-2025-25181 and CVE-2025-57968 known to be zero-day vulnerabilities. 

A suite of reverse shells and web shells that exploit these vulnerabilities were deployed by the adversaries, allowing them to gain remote access to targeted systems in covert ways. This development is an indication of the group's sophisticated cyber-attack techniques. Identified as CVE-2024-57968, the vulnerability is a critical upload validation vulnerability with a CVSS score of 9.9, affecting versions before 2024.4.2.1, and can allow adversaries to upload files into non-intended directories, which could result in unauthorized access to the files. 

Adventure VeraCore up to version 2025.1.0 is vulnerable to SQL injection flaw CVE-2025-25181, which could be exploited remotely to execute arbitrary SQL commands through the remote execution of SQL commands. In addition to the XE Group's past association with credit card fraud, their focus has now switched to targeted data theft, particularly within manufacturing and distribution organizations. 

Several recent attacks have been perpetrated by threat actors who exploited VeraCore security issues to install Web Shells, which allowed them to execute various malicious activities and remain persistent within compromised environments while they executed their malicious activities. The group's continued sophistication and adaptability in the cyber threat landscape is reflected in this recent report, which details a compromise of a Microsoft Internet Information Services (IIS) server where VeraCore's warehouse management system software is hosted, and it indicates the company's growing sophistication. 

Upon further analysis of this incident, it was discovered that the initial breach occurred in January 2020 as a result of a zero-day vulnerability in SQL injection. It is speculated that As a result of this exploitation, The XE Group deployed customized web shells, which researchers have described as very versatile tools that are designed to maintain persistent access inside victim environments as well as run SQL queries regarding those environments.

As an example, in the case of the compromised IIS server, the attackers reactivated a web shell that was planted four years earlier, showing that they have retained a foothold in the infrastructure targeted by them for many years. Security vendors have been warning that the XE Group is actively targeting supply chains in the manufacturing and distribution sectors. Though the group has historically been associated with extensive credit card skimming operations, it has recently gained a reputation for exploiting zero-day vulnerabilities to do more damage. 

According to researchers, the group's continued ability to adapt and increase sophistication underscores the group's ability to remain agile and sophisticated over the years. The reactivation of an older web shell indicates the group's strategic focus on achieving long-term operational objectives by maintaining long-term access to compromised systems. 

To enhance the threat investigation process, the rules have been designed to be compatible with several SIEM (Security Information and Event Management) systems, Endpoint Detection and Response systems (EDR), and Data Lake solutions aligned with the MITRE ATT&CK framework. There is a variety of metadata that is accessible in each rule, including references to cyber threat intelligence, attack timelines, triage recommendations, and audit configurations, guaranteeing that security analysis has a structured approach. 

Additionally, SOC Prime's Uncoder AI (Artificial Intelligence) capabilities enable the quick development of custom IOC-based queries that will be seamlessly integrated with SIEM and EDR platforms, thus eliminating the need for security professionals to manually search for indicators of compromise (IOCs). Intezer's analysis of XE Group activity and SOC Prime's Uncoder AI were used to achieve this.

As an alternative to the corporate-only service offered previously by Uncoder AI, customers can now benefit from Uncoder AI's full suite of capabilities, which enhances accessibility for independent risk analysis performed by individual researchers. As a consequence of the XE Group's adoption of zero-day exploits as part of their attack strategy, it became increasingly clear that adversarial techniques are becoming more sophisticated and adaptable, making it necessary to enter into proactive defence measures as soon as possible.

SOC Prime Platform is a scalable tool designed to assist organizations in enhancing their security posture, countering evolving threats effectively, and mitigating risks associated with adding more attack surfaces in an increasingly complex cyber landscape by utilizing the tools provided by the platform. The XE Group has exploited two zero-day VeraCore vulnerabilities, CVE-2025-25181 and CVE-2025-50308, in recent attacks in an attempt to deploy one or more web shells on compromised systems. 

These two vulnerabilities are critical upload validation flaws (CVSS 9.9) and SQL injection flaws (CVSS 5.7), respectively. In a report published jointly by Solis and Intezer, the researchers reported that the group exploited one of these vulnerabilities as early as January 2020 and maintained persistent access to the victim's environment for several years afterwards. There was an attempt in 2024 by some threat actors to reactivate a previously deployed web shell, demonstrating their ability to avoid detection while maintaining long-term access to compromised systems as they remain undetected. 

XE Group's evolving tactics come as part of a broader trend that threats are exploring the software supply chain as a way to achieve their goals. Some notable precedents include the SolarWinds attack, breaches into Progress Software's MOVEit file transfer product, an Okta intrusion that affected all customers, and an Accellion breach that enabled ransomware to be deployed on an organization's network.
Read more »
Vulnerabilities and Exploits
Data Privacy Locked Device Security Patch Tech Giant Vulnerabilities and Exploits

Apple Patches Zero-Day Flaw allowing Third-Party Access to Locked Devices

 

Tech giant Apple fixed a vulnerability that "may have been leveraged in a highly sophisticated campaign against specific targeted individuals" in its iOS and iPadOS mobile operating system updates earlier this week.

According to the company's release notes for iOS 18.3.1 and iPadOS 18.3.1, the vulnerability made it possible to disable USB Restricted Mode "on a locked device." A security feature known as USB Restricted Mode was first introduced in 2018 and prevents an iPhone or iPad from sending data via a USB connection if the device hasn't been unlocked for seven days. 

In order to make it more challenging for law enforcement or criminals employing forensic tools to access data on those devices, Apple announced a new security feature last year which triggers devices to reboot if they are not unlocked for 72 hours. 

Based on the language used in its security update, Apple suggests that the attacks were most likely carried out with physical control of a person's device, implying that whoever exploited this vulnerability had to connect to the person's Apple devices using a forensics device such as Cellebrite or Graykey, two systems that allow law enforcement to unlock and access data stored on iPhones and other devices. Bill Marczak, a senior researcher at Citizen Lab, a University of Toronto group that studies cyberattacks on civil society, uncovered the flaw.

However, it remains unclear who was responsible for exploiting this vulnerability and against whom it was used. However, there have been reported instances in the past in which law enforcement agencies employed forensic tools, which often exploit zero-day flaws in devices such as the iPhone, to unlock them and access the data inside.

Amnesty International published a report in December 2024 detailing a string of assaults by Serbian authorities in which they utilised Cellebrite to unlock the phones of journalists and activists in the nation before infecting them with malware. According to security experts, the Cellebrite forensic tools were probably used "widely" on members of civil society, Amnesty stated.
Read more »
Vulnerabilities and Exploits
AES-XTS Bitlocker encryption system Microsoft Vulnerabilities and Exploits

BitLocker Vulnerability Exposes Encryption Flaws: A New Challenge for Cybersecurity

 

Password theft has recently dominated headlines, with billions of credentials compromised. Amid this crisis, Microsoft has been pushing to replace traditional passwords with more secure authentication methods. However, a new vulnerability in the Windows BitLocker full-disk encryption tool has raised concerns about the security of even the most advanced encryption systems.

A medium-severity flaw in BitLocker, identified as CVE-2025-21210, has exposed the encryption system to a novel randomization attack targeting the AES-XTS encryption mode. This vulnerability highlights the increasing sophistication of cyberattacks against full-disk encryption systems. When exploited, it allows attackers to alter ciphertext blocks, causing sensitive data to be written to disk in plaintext.

Jason Soroko, Senior Fellow at Sectigo, explained the implications of this vulnerability. “BitLocker uses AES-XTS encryption to ensure that even if someone physically accesses the hard drive, they cannot easily read the data without the encryption key,” he noted. However, this new attack bypasses traditional decryption methods by manipulating how encrypted data is handled.

How the Randomization Attack Works

To illustrate the attack, Soroko used an analogy involving a library of books. “Rather than stealing or directly reading the books, the hacker subtly modifies certain pages (the ciphertext blocks) in multiple books,” he explained. While the rest of the book remains intact and unreadable, tampering with specific pages can cause the library’s system to misplace or disclose critical data.

Over time, these subtle modifications can lead to bits of data being written in plaintext, exposing sensitive information without directly breaking the encryption. “The real danger is that this method doesn’t require breaking the encryption directly,” Soroko concluded. “Instead, it manipulates how the encrypted data is handled, allowing attackers to bypass security measures and access sensitive information.”

Mitigating the Risk

To defend against such attacks, Soroko emphasized the importance of keeping encryption software up-to-date with the latest security patches. Additionally, organizations should:

  1. Restrict Physical Access: Ensure that devices with sensitive data are physically secure to prevent tampering.
  2. Monitor Systems: Regularly check for unusual activity that might indicate an attack or unauthorized access.
  3. Implement Layered Security: Combine encryption with other security measures, such as multi-factor authentication (MFA) and intrusion detection systems.

This vulnerability underscores the evolving nature of cyber threats. Even robust encryption systems like BitLocker are not immune to sophisticated attacks. As cybercriminals develop new methods to exploit vulnerabilities, organizations must remain vigilant and proactive in their cybersecurity strategies.

Microsoft’s push toward passwordless authentication is a step in the right direction, but this incident highlights the need for continuous improvement in encryption technologies. Companies must invest in advanced security solutions, regular system updates, and employee training to stay ahead of emerging threats.

The BitLocker vulnerability serves as a stark reminder that no system is entirely foolproof. As encryption technologies evolve, so do the methods used to exploit them. Organizations must adopt a multi-layered approach to cybersecurity, combining encryption with other protective measures to safeguard sensitive data. By staying informed and proactive, we can better defend against the ever-changing landscape of cyber threats.

Read more »
Vulnerabilities and Exploits
Cloudfare Discord Signal User Privacy Vulnerabilities and Exploits

Cloudflare CDN Vulnerability Exposes User Locations on Signal, Discord

 

A threat analyst identified a vulnerability in Cloudflare's content delivery network (CDN) which could expose someone's whereabouts just by sending them an image via platforms such as Signal and Discord. While the attack's geolocation capability is limited for street-level tracking, it can provide enough information to determine a person's regional region and track their activities. 

Daniel's discovery is especially alarming for individuals who are really concerned regarding their privacy, such as journalists, activists, dissidents, and even cybercriminals. This flaw, however, can help investigators by giving them further details about the state or nation where a suspect might be. 

Covert zero-click monitoring

Daniel, a security researcher, found three months ago that Cloudflare speeds up load times by caching media resources at the data centre closest to the user. 

"3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius," explained Daniel. "With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.” 

To carry out the information-disclosure assault, the researcher would transmit a message to an individual including a unique image, such as a screenshot or a profile avatar, stored on Cloudflare's CDN. 

Subsequently, he exploited a flaw in Cloudflare Workers to force queries through specific data centres via a new tool called Cloudflare Teleport. This arbitrary routing is typically prohibited by Cloudflare's default security limitations, which require that each request be routed from the nearest data centre. 

By enumerating cached replies from multiple Cloudflare data centres for the sent image, the researcher was able to map users' geographical locations based on the CDN returning the closest airport code to their data centre.

Furthermore, since many apps, like Signal and Discord, automatically download images for push notifications, an attacker can monitor a target without requiring user engagement, resulting in a zero-click attack. Tracking accuracy extends from 50 to 300 miles, depending on the location and the number of Cloudflare data centers nearby.
Read more »
WireGuard
IPsec Security VPN Vulnerabilities and Exploits WireGuard

Critical Flaws in VPN Protocols Leave Millions Vulnerable

 


Virtual Private Networks (VPNs) are widely trusted for protecting online privacy, bypassing regional restrictions, and securing sensitive data. However, new research has uncovered serious flaws in some VPN protocols, exposing millions of systems to potential cyberattacks.

A study by Top10VPN, conducted in collaboration with cybersecurity expert Mathy Vanhoef, highlights these alarming issues. The research, set to be presented at the USENIX 2025 Conference, reveals vulnerabilities in VPN tunnelling protocols affecting over 4 million systems worldwide. Impacted systems include:

  • VPN servers
  • Home routers
  • Mobile networks
  • Corporate systems used by companies such as Meta and Tencent

The Problem with VPN Tunneling Protocols

Tunneling protocols are essential mechanisms that encrypt and protect data as it travels between a user and a VPN server. However, the study identified critical weaknesses in specific protocols, including:

  • IP6IP6
  • GRE6
  • 4in6
  • 6in4

These vulnerabilities allow attackers to bypass security measures by sending manipulated data packets through the affected protocols, enabling unauthorized access and a range of malicious activities, such as:

  • Denial-of-Service (DoS) attacks disrupting systems
  • Stealing sensitive information by breaching private networks
  • Undetected repeated infiltrations

Advanced encryption tools like IPsec and WireGuard play a crucial role in safeguarding data. These technologies provide strong end-to-end encryption, ensuring data is decoded only by the intended server. This added security layer prevents hackers from exploiting weak points in VPN systems.

The vulnerabilities are not confined to specific regions. They predominantly affect servers and services in the following countries:

  • United States
  • Brazil
  • China
  • France
  • Japan

Both individual users and large organizations are impacted, emphasizing the need for vigilance and regular updates.

How to Stay Protected

To enhance VPN security, consider these steps:

  1. Choose a VPN with strong encryption protocols: Look for services that utilize tools like IPsec or WireGuard.
  2. Regularly update your VPN software: Updates often include patches for fixing vulnerabilities.
  3. Research your VPN provider: Opt for reputable services with a proven track record in cybersecurity.

This research serves as a critical reminder: while VPNs are designed to protect privacy, they are not immune to flaws. Users must remain proactive, prioritize robust security features, and stay informed about emerging vulnerabilities.

By taking these precautions, both individuals and organizations can significantly reduce the risks associated with these newly discovered VPN flaws. Remember, no tool is entirely foolproof — staying informed is the key to online safety.

Read more »
Vulnerabilities and Exploits
CyberCrime Cyberfrauds Cybersecurity Cyberthreats Darkweb Databreach Hackers Vulnerabilities and Exploits

FortiGate Vulnerability Exposes 15,000 Devices to Risks

 



Fortinet Firewall Data Breach: 15,000 Devices Compromised by Belsen Group

On January 14, 2025, it was reported that the configuration data of over 15,000 Fortinet FortiGate firewalls was leaked on the dark web. The hacker group, identified as Belsen, shared this data for free on its newly created TOR website. The leaked information includes full firewall configurations, plaintext VPN credentials organized by IP address and country, serial numbers, management certificates, and other sensitive data. This breach poses a significant security risk to affected organizations, as it enables attackers to compromise internal networks with ease.

Exploitation of Critical Vulnerabilities

According to cybersecurity analysts, the Belsen Group exploited a zero-day vulnerability, identified as CVE-2022-40684, to obtain the leaked data. This vulnerability, published in 2022, allowed attackers to bypass administrative authentication through specially crafted HTTP/HTTPS requests. By leveraging this flaw, the attackers exfiltrated configuration files containing sensitive details such as passwords, firewall rules, and advanced settings. These files, though obtained in 2022, remained undisclosed until January 2025, significantly increasing the risk exposure for affected organizations.

In response to this ongoing threat, Fortinet released patches for CVE-2022-40684 and announced a new critical authentication bypass vulnerability, CVE-2024-55591, on the same day the leak was disclosed. This new vulnerability is being actively exploited in campaigns targeting FortiGate firewalls, particularly those with public-facing administrative interfaces. Devices running outdated FortiOS versions are especially at risk.

Impact and Recommendations

The leaked configuration files provide a comprehensive map of victim networks, including firewall rules and administrator credentials. Threat actors can exploit this information to:

  • Bypass perimeter defenses and gain unauthorized access to internal networks.
  • Deploy ransomware, perform lateral movement, and exfiltrate sensitive data.
  • Identify additional vulnerabilities within the network architecture to maximize attack impact.

Organizations affected by this breach must take immediate action to mitigate risks. This includes:

  • Updating credentials for all compromised devices.
  • Applying the latest security patches, including fixes for CVE-2022-40684 and CVE-2024-55591.
  • Conducting thorough security audits to identify and address additional vulnerabilities.

Cybersecurity expert Kevin Beaumont has announced plans to release an IP list from the leak to help FortiGate administrators determine if their devices were affected. Meanwhile, security firms like CloudSEK and Arctic Wolf have emphasized the importance of prioritizing updates and vigilance against future exploitation campaigns.

Fortinet devices' history of vulnerabilities has made them frequent targets for cybercriminals and nation-state actors. Addressing these security gaps is crucial to preventing further breaches and protecting sensitive organizational data.

Read more »
Windows Security
Bitlocker Security flaw TPM Vulnerabilities and Exploits Windows Security

TPM-Equipped Devices Trigger Warnings Due to a Windows BitLocker Flaw

 

Microsoft is examining a flaw that activates security alerts on systems equipped with a Trusted Platform Module (TPM) processor after enabling BitLocker. 

A Windows security feature called BitLocker encrypts storage discs to guard against data leakage or theft. Redmond claims that when combined with a TPM, it "provides maximum protection" "to ensure that a device hasn't been tampered with while the system is offline.”  

TPMs are specialised security processors that offer hardware-based security features and serve as reliable hardware parts for storing private data, including encryption keys and other security credentials.

The company stated in a notice issued past week that unmanaged devices, or BYOD (bring your own device), are also impacted by this known vulnerability. These are typically privately held devices utilised in business settings that can be secured or onboard using methods provided by the IT or security department of each firm.  

Users of vulnerable Windows 10 and 11 PCs will notice a "For your security, some settings are managed by your administrator" alert "in the BitLocker control panel and other places in Windows.” 

The tech giant noted that it is currently working on a fix and will provide further details regarding the flaw when it has more information. In April 2024, Microsoft resolved another issue that led to faulty BitLocker drive encryption issues in select managed Windows environments. In October 2023, the company classified this as a reporting issue with no impact on drive encryption.  

Microsoft revealed in June 2021 that TPM 2.0 is required for installing or upgrading to Windows 11, claiming that it will make PCs more resistant to manipulation and sophisticated cyberattacks. However, this has not prevented Windows users from developing a variety of tools, programs, and strategies to circumvent it. 

More than three years later, in December 2024, Redmond emphasised that TPM 2.0 compliance is a "non-negotiable" condition, as consumers will be unable to upgrade to Windows 11 without it. According to Statcounter Global data, more than 62% of all Windows computers globally are still using Windows 10, with less than 34% on Windows 11 three years after its October 2021 launch. 
Read more »
Vulnerabilities and Exploits
Cyberfrauds CyberThreat Cyercrime Cyersecurity Email Phishing Vulnerabilities and Exploits

Millions of Email Servers Found Vulnerable in Encryption Analysis

 


In a new study published by ShadowServer, it was revealed that 3.3 million POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) servers are currently at risk of network sniffing attacks because they are not encrypting their data using TLS. 

Using IMAP, users can access their emails from different devices, while keeping messages on the server. With POP3, however, the messages are downloaded to one specific device, which restricts access to that particular device, resulting in IMAP and POP3 being used to access email. Mail servers can be accessed through two different methods: POP3 and IMAP. POP3 is a way to access email through a server. 

A good reason to use IMAP is that it stores users' emails on the server and synchronizes them across all their devices. This allows them to check their inbox across multiple devices, such as laptops and phones. However, POP3 works by downloading emails from the server and making them only accessible from the device from which they were downloaded. Additionally, there is no denying that many hosting companies configure POP3 and IMAP services by default, even though most users do not use them. 

It is important to note that it is very common to have those services configured by default. To ensure that TLS is enabled, and all email users use the latest version of the protocol, the organization advised them to check with their email provider. With the latest versions of Apple, Google, Microsoft, and Mozilla email platforms, users can rest assured that their information is already protected thanks to the TLS encryption protocol. 

To securely exchange and access emails across the Internet using client/server applications, the TLS secure communication protocol helps secure users' information while exchanging and accessing. In the absence of TLS encryption, the messages' content and credentials are sent in clear text, making them susceptible to network sniffing attacks that could eavesdrop on them. In the sense of a security protocol, TLS, or Transport Layer Security, is an Internet-based security protocol used for secure web browsing as well as encrypting emails, file transfers, and messaging messages. It is used to provide end-to-end security between applications over the Internet. 

It is the role of TLS to keep hackers away from sniffing the network, encrypting users' email credentials and message contents instead of sending them as plain text, which helps to prevent hackers from sniffing the network. As an alternative to TLS encryption, it is also possible for anyone to sniff out that information without encryption. To find out 3.3 million hosts that do not support TLS, ShadowServer scanned the internet for POP3 services running on ports 110 and 995. 

As of 2006, there has been widespread use of TLS 1.1 as an improvement over TLS 1.0, which had been introduced to the market in 1999, and TLS 1.0 remained in use until this very day. Having discussed and developed 28 protocol drafts, the Internet Engineering Task Force (IETF) approved TLS 1.3, the next major version of the TLS protocol, in March of 2018, after extensive discussions and development of 28 drafts. 

Without TLS, passwords for mail access could be intercepted, and exposed services could allow a password-guessing attack on the server, and without TLS, passwords could be intercepted, and the server could suffer from password-guessing attacks. Hosts can be eavesdropping on network sniffer attacks if credentials and message content are sent in clear text without encryption. 

It is estimated that about 900,000 of these sites reside in the United States with over 500,000 being in Germany and Poland with 380,000 being in Germany. However according to the researchers, no matter whether TLS is enabled or not, service exposure could result in a password-guessing attack against the server. As part of the coordinated announcement made by Microsoft, Google, Apple, and Mozilla in October 2018 informing the public that insecure TLS 1.0 and TLS 1.1 protocols would be retired in 2020, Microsoft, Google, Apple, and Mozilla announced their intentions. As of August 2020, the latest Windows 10 Insider builds have begun using TLS 1.3 by default. 

The National Security Agency also released a guide in January 2021 detailing how outdated versions of the TLS protocol, configurations, and versions can be identified and replaced with current, secure solutions. As a ShadowServer foundation spokesperson pointed out, “regardless of whether TLS is enabled or not, service exposure may enable password guessing attacks against the server regardless of whether TLS is enabled.” 

Email users are urged to make sure that their email service provider indeed enables TLS and that their email service provider is using the current version of the protocol. Regardless of whether they are using Apple, Google, Microsoft, or Mozilla email platforms, users need not be worried since they all support TLS and use the latest versions of it.
Read more »
Vulnerabilities and Exploits
DNS security issue firewall vulnerability malicious packets manual intervention Palo Alto Networks PAN-OS update Vulnerabilities and Exploits

Palo Alto Networks Alerts on Exploit Causing Firewall Vulnerabilities

 

Palo Alto Networks has issued a warning about the active exploitation of the CVE-2024-3393 denial of service (DoS) vulnerability, which attackers are using to compromise firewall defenses by triggering device reboots.

Repeated exploitation of this vulnerability forces the firewall to enter maintenance mode, requiring manual intervention to restore normal functionality.

"A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall," the advisory states. The flaw enables an unauthenticated attacker to reboot affected devices by sending specifically crafted malicious packets.

This issue impacts devices where the 'DNS Security' logging feature is enabled. The affected PAN-OS versions are listed below. According to Palo Alto Networks, customers have already reported outages caused by firewalls blocking malicious DNS packets exploited through this vulnerability. The flaw has been addressed in the following PAN-OS versions: 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and later releases. However, no patch will be released for PAN-OS 11.0 due to its end-of-life (EOL) status as of November 17.

Palo Alto Networks has also provided workarounds for customers unable to immediately apply updates:

Mitigation Steps for Unmanaged NGFWs or Those Managed by Panorama:
  • Navigate to: Objects → Security Profiles → Anti-spyware → DNS Policies → DNS Security for each Anti-spyware profile.
  • Change the Log Severity to "none" for all configured DNS Security categories.
  • Commit the changes, then revert the settings after applying the fixes.
For NGFWs Managed by Strata Cloud Manager (SCM):
  • Option 1: Disable DNS Security logging directly on each NGFW using the steps above.
  • Option 2: Open a support case to disable DNS Security logging across all NGFWs in the tenant.
For Prisma Access Managed by SCM:
  • Open a support case to disable DNS Security logging across all NGFWs in the tenant.
  • If needed, request an expedited Prisma Access tenant upgrade through the support case.
The company urges all users to apply the recommended updates or follow the workarounds to mitigate the risk of exploitation.
Read more »
Vulnerabilities and Exploits
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Four-Fait Routers VulnCheck Vulnerabilities and Exploits

Critical Security Issue Hits Four-Faith Routers

 


According to VulnCheck, a critical vulnerability identified as CVE-2024-12856 has been discovered in Four-Faith industrial routers, specifically affecting the F3x24 and F3x36 models, as well as users’ machines. Evidence suggests active exploitation of this vulnerability in the wild, raising significant security concerns for industrial and enterprise users. The flaw resides in the router’s system time adjustment function, where a post-authentication vulnerability allows attackers to execute remote commands on compromised devices.

Technical Details of the Vulnerability

The routers, running firmware version 2.0, are susceptible to an authenticated remote command execution flaw via the HTTP endpoint apply.cgi. Attackers can manipulate the system time parameter using POST requests, enabling arbitrary command execution. Additionally, the firmware is configured with default credentials that, if left unchanged, can escalate the vulnerability to allow unauthenticated remote OS command injection.

Data provided by VulnCheck indicates that approximately 15,000 internet-facing routers may be affected by this issue. Exploitation campaigns have been observed since at least November 2024, with attackers altering system parameters remotely. The attacks appear to originate from multiple IP addresses and utilize Mirai-like payloads to compromise the devices. VulnCheck notes that some payloads share similarities with those used to exploit a prior vulnerability (CVE-2019-12168), although the underlying components differ.

Security researchers have identified attack patterns involving two primary IP addresses, including 178.215.238.91, as sources of active exploitation campaigns. User-Agent strings from these attacks match earlier campaigns documented in November 2024, with new payload variations targeting the identified flaw. While the attacks remain low-scale, they demonstrate a high level of persistence.

Censys data corroborates VulnCheck’s findings, suggesting that the vulnerability has been exploited consistently since its initial observation. Despite this, an official from Bains, speaking to The Hacker News, emphasized that the attacks are not widespread and appear to involve a small number of attackers using spamming techniques at a low frequency.

Mitigation Recommendations

As of now, there is no confirmation regarding the availability of security patches for the affected firmware. VulnCheck disclosed the vulnerability to Four-Faith on December 20, 2024, and awaits a response. In the interim, researchers strongly advise users to take the following measures to mitigate potential risks:

  • Immediately change default credentials on affected devices.
  • Restrict network exposure by placing routers behind firewalls or VPNs.
  • Monitor device activity for unusual or unauthorized behavior.
  • Implement detection rules, such as the Suricata rule provided by VulnCheck, to identify suspicious HTTP POST requests indicative of the attack.

Impact and Implications

By exploiting this vulnerability, attackers can gain full control over affected devices, including executing reverse shell commands to maintain persistent access while concealing their identities. Such control poses a severe threat to organizations reliant on Four-Faith routers for critical operations.

The absence of immediate patches has prompted security researchers to highlight the importance of adopting proactive measures. Organizations are advised to strengthen their defenses against suspicious activity while awaiting updates from Four-Faith. VulnCheck, adhering to responsible disclosure policies, has withheld additional technical details and information about patches until a response from the manufacturer is received.

This incident underscores the critical need for robust firmware security practices, including eliminating default credentials and ensuring timely patch management, to protect against emerging threats in industrial environments.

Read more »
Vulnerabilities and Exploits
Botnet Cyberattacks CyberCrime Cybersecurity CyberThreat Cyberthreats DDOS Attacks IoT Vulnerabilities and Exploits

Understanding and Preventing Botnet Attacks: A Comprehensive Guide

 


Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.

Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.

Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.

The Lifecycle of a Botnet

Botnets are created through a structured process that typically involves five key steps:

  1. Infection: Malware spreads through phishing emails, infected downloads, or exploiting software vulnerabilities.
  2. Connection: Compromised devices connect to a command-and-control (C&C) server, allowing the botmaster to issue instructions.
  3. Assignment: Bots are tasked with specific activities like sending spam or launching DDoS attacks.
  4. Execution: Bots operate collectively to maximize the impact of their tasks.
  5. Reporting: Bots send updates back to the C&C server about their activities and outcomes.

These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.

Signs of a Compromised Device

Recognizing a compromised device is crucial. Look out for the following warning signs:

  • Lagging or overheating when the device is not in use.
  • Unexpected spikes in internet usage.
  • Unfamiliar or abnormal software behavior.

If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.

How to Protect Against Botnet Attacks

Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:

Secure Your Home Network

  • Set strong, unique passwords and change default router settings after installation.
  • Enable WPA3 encryption and hide your network’s SSID.

Protect IoT Devices

  • Choose products from companies that offer regular security updates.
  • Disable unnecessary features like remote access and replace default passwords.

Account Security

  • Create strong passwords using a password manager to manage credentials securely.
  • Enable multi-factor authentication (MFA) for an added layer of security.

Stay Updated

  • Keep all software and firmware updated to patch vulnerabilities.
  • Enable automatic updates whenever possible.

Be Wary of Phishing

  • Verify communications directly with the source before providing sensitive information.
  • Avoid clicking on links or downloading attachments from untrusted sources.

Use Antivirus Software

  • Install reputable antivirus programs like Norton, McAfee, or free options like Avast.

Turn Off Devices When Not in Use

  • Disconnect smart devices like TVs, printers, and home assistants to minimize risks.

Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.

Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.

Read more »
Vulnerabilities and Exploits
Business Security firewall exploits Security Patch SonicWall Vulnerabilities and Exploits

Thousands of SonicWall Devices Vulnerable to Critical Security Threats

 

Thousands of SonicWall network security devices are currently exposed to severe vulnerabilities, with over 20,000 running outdated firmware that no longer receives vendor support. This puts countless organizations at risk of unauthorized access and potential data breaches.

Key Findings of the Study

  • A Bishop Fox study identified more than 25,000 SonicWall SSLVPN devices exposed to the internet, making them easy targets for cybercriminals.
  • The research analyzed over 430,000 SonicWall devices globally and found that 39% of the exposed devices were running Series 7 firewalls, many of which lacked the latest security patches.
  • Over 20,000 devices were found to be running software versions no longer supported by SonicWall, with older Series 5 and Series 6 devices being the most at risk.

Impact of Vulnerabilities

The study highlighted that many of these devices remain susceptible to exploits, including authentication bypasses and heap overflow bugs disclosed earlier this year. Attackers could use these flaws to gain unauthorized access to networks, particularly when both SSL VPN and administration interfaces are exposed online.

Bishop Fox employed advanced fingerprinting techniques to reverse-engineer the encryption securing the SonicOSX firmware, allowing researchers to pinpoint the vulnerabilities specific to each device version.

Risks Posed by Unsupported Firmware

  • Many Series 5 devices, which are largely unsupported, continue to be exposed to the internet, leaving them highly vulnerable to attacks.
  • Series 6 devices, while better maintained, still include a significant number that have not applied the latest patches.
  • Approximately 28% of evaluated devices were found to have critical or high-severity vulnerabilities.

Recommendations for Companies

Organizations using SonicWall devices must take immediate steps to mitigate these risks:

  • Ensure all firmware is updated to the latest version to address known vulnerabilities.
  • Disable public exposure of SSL VPN and administration interfaces to reduce attack surfaces.
  • Regularly audit network security practices and implement robust patch management protocols.

The findings underscore the urgent need for companies to prioritize cybersecurity measures. Neglecting to update firmware and secure network devices can have severe consequences, leaving systems and sensitive data vulnerable to exploitation.

With threats growing increasingly sophisticated, staying proactive about network security is no longer optional—it’s essential.

Read more »
Vulnerabilities and Exploits
Cleo Server Data Leak File Transfer Tool Security Patch Vulnerabilities and Exploits

Active Exploitation of Cleo Communications' File Transfer Software Exposes Critical Vulnerabilities

 

Cleo Communications' file transfer software is under active attack, with security researchers from Huntress revealing that a recently issued patch fails to address the critical flaws being exploited. This ongoing vulnerability poses a significant threat to sectors relying on Cleo's software for logistics and supply chain operations.

The Vulnerabilities: Autorun Directory and CVE-2024-50623

Hackers are leveraging two key vulnerabilities in Cleo's software:

  • A feature that automatically executes files in the autorun directory.
  • An arbitrary file-write flaw identified as CVE-2024-50623.

On December 3, Huntress reported that Cleo's LexiCom, VLTransfer, and Harmony software solutions are affected by these issues. Despite the company issuing a patch on the same day, Huntress stated that it "does not mitigate the software flaw." This leaves users vulnerable until a new, effective patch is developed.

Cleo’s Response and Planned Mitigations

During a Zoom session with cybersecurity researchers, Cleo's team acknowledged the flaws and committed to designing a second patch. Earlier in the week, Cleo identified an unauthenticated malicious host vulnerability that could lead to remote code execution, although its CVE identifier is still pending.

In a statement, a Cleo spokesperson said the company had launched an investigation with the assistance of external cybersecurity experts. Cleo also informed customers about the issue and provided interim mitigation steps while working on a patch. The spokesperson emphasized that "the investigation is ongoing."

Recommendations for Cleo Users

Until an effective patch is released, Huntress has advised Cleo users to take immediate actions:

  • Erase items from the autorun directory to disrupt attack pathways.
  • Understand that this measure does not address the arbitrary file-write vulnerability, which remains exploitable.

Impacts on Businesses

The exploitation of Cleo's software has significant repercussions, particularly for industries dependent on large-scale logistics and supply chain operations. Researchers reported that:

  • At least 10 businesses have experienced breaches involving Cleo servers.
  • There was a "notable uptick in exploitation" on December 8 around 07:00 UTC.
  • Most incidents have targeted sectors such as consumer products, the food industry, and shipping.

A search on Shodan revealed 436 vulnerable servers, with the majority located in the United States. This underscores the scale of potential exposure and the urgent need for mitigation.

The Attack Chain: From Autorun to Persistent Access

Attackers exploit the autorun directory feature by inserting malicious files that execute automatically. These files allow them to:

  • Run PowerShell commands.
  • Establish persistent access using webshells retrieved from remote servers.

Examples of malicious autorun files include:

  • healthchecktemplate.txt
  • healthcheck.txt

Conclusion: Urgent Need for Robust Security Measures

The active exploitation of Cleo Communications' software highlights the evolving nature of cybersecurity threats and the critical importance of timely, effective patching. Businesses using Cleo's solutions must remain vigilant and implement recommended mitigations to minimize risk until a comprehensive fix is released.

This incident serves as a reminder for all organizations to prioritize cybersecurity, particularly in industries that handle sensitive data and depend on seamless file transfer operations.

Read more »
Vulnerabilities and Exploits
Cyber Bug Cyber Exploits Cyberattacks CyberCrime Cybersecurity MySQL database zero day vulnerability Vulnerabilities and Exploits

Exploit PoC Validates MiCollab Zero-Day Flaw Risks

 


A zero-day arbitrary file read vulnerability found in Mitel MiCollab has raised significant concerns about data security. Attackers can exploit this flaw and chain it with a critical bug (CVE-2024-35286) to access sensitive data stored on vulnerable instances of the platform. Mitel MiCollab is a cross-platform collaboration tool offering services such as instant messaging, SMS, voice and video calls, file sharing, and remote desktop sharing, designed to enhance workplace collaboration without verbal communication.

The Risks of Collaboration Platform Vulnerabilities

Data storage and handling of sensitive information are integral to modern organizations' operations. According to WatchTower researchers, the Mitel MiCollab platform has a zero-day vulnerability that allows attackers to perform arbitrary file reads. However, to exploit this issue, attackers require access to the server's filesystem. The vulnerability impacts a range of businesses, from large corporations to SMEs and remote or hybrid workforce setups, all relying on MiCollab for unified communication.

WatchTower reported the issue to Mitel on August 26, 2024, but after 90 days without a fix, the vulnerability remains unresolved. A report by WatchTower revealed that more than 16,000 MiCollab instances accessible via the internet are affected. Despite the lack of a CVE number assigned to the flaw, attackers can inject path traversals via the 'ReconcileWizard' servlet, exploiting the 'reportName' parameter in API requests. This facilitates unauthorized access to restricted files, posing a critical security threat.

Combining Vulnerabilities for Exploitation

The vulnerability gains heightened severity when paired with CVE-2024-35286 (CVSS score 9.8), a critical path traversal flaw that enables authentication bypass. Additionally, CVE-2024-41713, another zero-day issue identified by researchers, allows arbitrary file reading. Together, these flaws enable attackers to gain system visibility, perform malicious operations, and propagate file access across systems. Proof-of-concept (PoC) exploit code for this chain has been published by WatchTower on GitHub.

While the newer vulnerability is technically less critical than the others, it still poses a significant threat by granting unauthorized access to sensitive files. Recent incidents show that threat actors have targeted MiCollab, underlining the urgent need for mitigation measures. Organizations using MiCollab must act promptly to address this risk.

Mitigating the Threat

Until Mitel releases a patch for this zero-day flaw, organizations are advised to:

  1. Update MiCollab to the Latest Version
    Install version 9.8 service pack 2 (9.8.2.12) or later, which addresses other known vulnerabilities such as CVE-2024-41713.
  2. Restrict Server Access
    Limit access to trusted IP ranges and internal networks, and implement firewall rules to block unauthorized access.
  3. Monitor Log Files
    Check for path traversal patterns that might indicate exploitation attempts.
  4. Disable the Vulnerable Servlet
    If feasible, disable the 'ReconcileWizard' servlet to prevent exploitation of the flaw.

The Broader Impact

As security risks related to MiCollab persist, reports indicate that the collaboration platform has been targeted by a group of threat actors, allegedly linked to "Salt Typhoon," a Chinese intelligence operation. These attacks have affected US telecommunications firms, including Verizon, AT&T, and T-Mobile, exposing sensitive customer data.

Organizations must adopt robust security practices to mitigate risks while waiting for Mitel to address these vulnerabilities. Proactively safeguarding sensitive systems and implementing strict access controls are essential for minimizing exposure. By combining organizational vigilance with updated software practices, businesses can navigate these challenges and protect critical infrastructure from exploitation.

Read more »
Vulnerabilities and Exploits
Helldown Network Breach Ransomware Zyxel Vulnerabilities and Exploits

Helldown Ransomware Outfit Linkd to Zyxel's Firewall Exploits

 


Zyxel Firewalls have become a common target in recent hacks, with attackers exploiting a critical flaw to propagate the malicious Helldown ransomware. The German CERT (CERT-Bund) has published a warning alongside Zyxel, highlighting the scope of these assaults and the immediate steps that organisations must take to secure their network devices. 
 
The attacks are linked to a vulnerability in the Zyxel ZLD firmware, CVE-2024-11667, which impacts the Zyxel ATP and USG FLEX firewall series. Five German businesses are believed to have been targeted by these assaults, highlighting the growing threats of leaving such vulnerabilities unpatched. 
 
The root cause is CVE-2024-11667, a directory traversal vulnerability in the Zyxel ZLD firmware (versions 4.32 to 5.38). This vulnerability allows attackers to circumvent security protections and upload or download files using meticulously generated URLs. 
 
Cybercriminals can exploit this flaw to acquire unauthorised system access, steal credentials, and establish backdoor VPN connections, sometimes without network administrators' knowledge. The devices that are most vulnerable are those running ZLD firmware versions 4.32 to 5.38, with remote management or SSL VPN enabled. Importantly, this vulnerability does not affect devices managed by the Nebula cloud management system. 
 

Rise of Helldown Ransomware 

 
Helldown ransomware, first discovered in August 2024, has quickly grown into a serious threat that exploits CVE-2024-11667 to target susceptible Zyxel firewalls. Helldown, which evolved from the infamous LockBit ransomware builder, employs sophisticated techniques to breach networks and move laterally, often with the goal of encrypting valuable data and disrupting operations. 
 
Helldown's leak site currently lists 32 victims globally, including five organisations in Germany, according to CERT-Bund. The ransomware's ability to exploit this vulnerability is concerning because even patched systems may remain vulnerable if attackers get access using the same administrator credentials. 
 

Modus operandi 

 
The primary attack vector is the exploitation of the CVE-2024-11667 flaw to obtain initial access to the target systems. Once inside, hackers commonly employ sophisticated post-exploitation techniques, including the establishment of unauthorised user accounts like "SUPPORT87" and "SUPPOR817." 
 
These accounts are used to create persistent backdoors that permit access to the network even after the initial breach, hence facilitating lateral movement within the network. These attacks have serious consequences: companies have reported data exfiltration, critical documents being encrypted, and disruptions in operations, frequently with the intention of extorting a ransom to unlock the files. 
 
Researchers recommend that organisations that use Zyxel firewalls move swiftly to discover and resolve any threats by evaluating VPN logs, inspecting SecuReporter for suspicious behaviour, and monitoring firewall rules. The remediation process entails updating to ZLD 5.39, changing passwords, eliminating unauthorised accounts, and tightening security measures.   
 
Read more »
Zyxel firewalls
CVE-2024-42057 cybersecurity updates firmware upgrade Ransomware attack remote access security Vulnerabilities and Exploits Zyxel firewalls

Zyxel Firewalls Targeted by Ransomware Gang Exploiting Vulnerability

 

Zyxel has issued a warning about a ransomware group exploiting a recently patched command injection vulnerability, identified as CVE-2024-42057, in its firewall devices. This flaw enables attackers to gain initial access to compromised systems.

The vulnerability allows remote, unauthenticated attackers to execute operating system commands on affected devices, posing a significant security risk.

Zyxel clarified in its advisory that the exploitation is possible only if the firewall is set up with User-Based-PSK authentication and a valid user has a username exceeding 28 characters.

“A command injection vulnerability in the IPSec VPN feature of some firewall versions could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device,” the advisory states. “Note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.”

The company has addressed these vulnerabilities with the release of firmware version 5.39, applicable to the ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN series firewalls.

Zyxel’s EMEA team has observed active exploitation of these vulnerabilities, urging users to immediately update administrator and user account passwords as a precautionary measure.

“The Zyxel EMEA team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities. Since then, admin passwords have not been changed. Users are advised to update ALL administrators and ALL User accounts for optimal protection,” the company emphasized.

Their investigation revealed that attackers leveraged previously stolen credentials, which were not updated, to create unauthorized SSL VPN tunnels using accounts like "SUPPOR87" and "VPN," altering security policies to gain access to the network.

Sekoia, a cybersecurity firm, detailed how the Helldown ransomware group has exploited Zyxel firewalls to gain entry into targeted organizations, aligning with typical ransomware strategies.

“All of this evidence strongly suggests that Zyxel firewalls have been targeted by Helldown. Details about post-compromise activities indicate that, in at least one intrusion, the attacker’s tactics align with typical ransomware methods,” Zyxel noted.

Users are strongly advised to upgrade to the latest firmware and temporarily disable remote access to potentially vulnerable firewalls to mitigate risks effectively.
Read more »
Zero-day Flaw
Chinese Hacker FortiClient Vulnerabilities and Exploits Windows VPN Zero-day Flaw

Chinese Hackers Exploit Unpatched Fortinet Zero-Day Vulnerability

 

A Chinese state-sponsored actor abused an unpatched, unreported Fortinet vulnerability, despite the fact that the flaw was reported to the security firm in July. 

Volexity, a threat intelligence vendor, published research earlier this week referencing a new zero-day flaw -- one without a current CVE designation -- that allowed a Chinese state-sponsored actor known as "BrazenBamboo" to steal credentials in instances of Fortinet's Windows VPN client, FortiClient.

Perhaps most notably, Volexity stated that it disclosed the issue to Fortinet on July 18, with the latter acknowledging the report on July 24. "At the time of writing, this issue remains unresolved, and Volexity is not aware of an assigned CVE number," Volexity researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said in the blog post. 

Volexity's report lacks a description of the flaw itself. The researchers of the study identified a "zero-day credential disclosure flaw in Fortinet's Windows VPN client that allowed credentials to be stolen from the memory of the client's process." The blog also provides YARA rules, indicators of compromise, and an in-depth look at BrazenBamboo's "Deepdata" post-exploitation tool, which was employed in threat activity targeting the vulnerability. 

Roxan, Gardner, and Rascagneres said that their investigation began with the identification of an archive file associated with BrazenBamboo, which could be linked to a known Chinese advanced persistent threat (APT) group. The researchers uncovered files in the package related to Windows malware families known as "Deepdata" and "Deeppost," as well as a Windows form of LightSpy malware.

Deepdata, according to Volexity researchers, is a modular utility for Windows that "facilitates the collection of private data from a compromised system," and requires the perpetrator to have command-line access to the target device. It features both a loader and a virtual file system. Deeppost is a post-exploitation data exfiltration program that transfers files to a remote system. The researchers discovered the Fortinet zero day after uncovering a FortiClient plugin in Deepdata. 

"DEEPDATA supports a wide range of functionality to extract data from victims' systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems," researchers explained. "However, Volexity noted the FortiClient plugin was uncommon and investigated it further. Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client's process.”

The researchers further stated that "the FortiClient plugin looks for the username, password, remote gateway, and port from two different JSON objects in memory." Meanwhile, LightSpy is a command-and-control spyware that has previously been linked to campaigns targeting Hong Kong citizens. The malware is generally employed in attacks on Android, iOS, and macOS devices, so it's noteworthy that Volexity received files of a Windows edition.
Read more »
Vulnerabilities and Exploits
CISA Issues CyberCrime Cybersecurity Cyberthreats Palo Alto Threats Exploitations Vulnerabilities and Exploits

CISA Issues Alert on Ongoing Exploitation of Palo Alto Networks Bugs

 


A report released by the Cybersecurity and Infrastructure Security Agency, a nonprofit organization that monitors and analyzes threats to the nation's infrastructure, found that Palo Alto Networks' firewall management software was actively exploited in the wild on Thursday. These attacks followed last week's attacks that exploited flaws in similar software. Attackers can exploit the unauthenticated command injection vulnerability (CVE-2024-9463) and the SQL injection vulnerability (CVE-2024-9465) to gain access to unpatched systems running the company's Expedition migration tool. 

This tool allows users to migrate configurations from Checkpoint, Cisco, and other supported vendors to new systems. CVE-2024-9463 is a vulnerability that allows attackers to run arbitrary commands as root on a PAN-OS firewall system, revealing usernames, cleartext passwords, device configurations, and device API keys. Secondly, a second vulnerability can be exploited to gain access to Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems by exploiting this vulnerability. 

There is important information in CVE-2024-9474 that could lend itself to a chained attack scenario, potentially resulting in a high level of security breach. It should be noted that Palo Alto Networks has publicly acknowledged the CVE, but has not yet provided detailed technical information on the vulnerability's mechanics. This leaves room for speculation regarding what is causing the vulnerability.

A spokesperson for Palo Alto Networks (PAN) confirmed patches were available to address these security vulnerabilities, and stated the company is "monitoring a limited set of exploit activities" and is working with external researchers, business partners, and customers to share information in a timely fashion. It was reported to CISA that CVE-2024-5910 had been added to the KEV catalog on Nov. 7 but the software vendor had originally disclosed the bug back in July. 

To exploit this vulnerability, there needs to be authentication within the firewall deployment and management software. Without authentication, an administrator account can be taken over by getting access to the network. There is a CVSS score of 9.3 for the vulnerability, and it is also reported to Palo Alto Networks as PAN-SA-2024-0015, as well. As a result, Palo Alto Networks has continuously monitored and worked with customers to identify and minimize the very few PAN-OS devices that have management web interfaces that are exposed to the Internet or other untrusted networks," the company stated in a separate report describing indicators of compromise for attacks that are targeting the vulnerability. 

Although the company claims these zero-days are only impacting a "very small number" of firewalls, threat monitoring platform Shadowserver reported on Friday that it monitors more than 8,700 outside management interfaces for the PAN-OS operating system. A Palo Alto Networks security advisory from early October states, "Several vulnerabilities have been identified in Palo Alto Networks Expedition that allow unauthorized access to the Expedition database and the arbitrary files on the system, as well as the ability to write arbitrary files to temporary storage locations." 

In addition, the advisory stated that the firewall, Panorama, Prisma Access, and Cloud NGFW products are not affected by these vulnerabilities. Even though the two vulnerabilities have been added to CISA's Known Exploited Vulnerabilities Catalog, a binding operational directive (BOD 22-01) has compelled federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5, to comply with the binding directive. 

Earlier this week, CISA issued a warning about yet another Expedition security hole that is capable of allowing threat actors to reselect and reset the credentials for application administrators. The security flaw (CVE-2024-5910) was patched in July and has been actively exploited in attacks. In a proof-of-concept exploit released by Horizon3.ai researcher Zach Hanley last month, he demonstrated that CVE-2024-5910 can be chained with an additional command injection vulnerability (CVE-2024-9464), that was patched in October, to allow an attacker to execute arbitrary commands on vulnerable Expedition servers that are exposed to the Internet. 

It has been noted that CVE-2024-9464 is linked to other Expedition security vulnerabilities that were also addressed last month. This may allow firewall admins to take over unpatched PAN-OS firewalls if they have not yet been patched. As of now, there seems to be a hotfix available for those who are concerned about being exploited, and those who are concerned should upgrade their Expedition tool to version 1.2.96, or higher. 

It has been recommended by Palo Alto Networks that, those users who are unable to install the Expedition patch immediately, should restrict access to the Expedition network to approved hosts and networks. It is crucial to note that when a vulnerability is added to KEV, not only does it introduce the possibility of an attack that exploits that vulnerability, but also that federal agencies have a deadline to either patch it or stop utilizing the flawed solution entirely. 

There is usually a deadline for that, which is 21 days from the time the bug is added to the bug-tracking system. There has recently been an addition to KEV of CVE-2024-5910, a bug that is described as being missing for crooks who have access to networks. This is Palo Alto Networks Expedition, a tool designed to simplify and automate the complexity of using Palo Alto Networks' next-generation firewalls by optimizing security policies that apply to them. In addition to making it easier for users to migrate from legacy firewall configurations to Palo Alto Networks' security platforms, users can also minimize errors and manual efforts. 

The Palo Alto Networks (PAN) management interface has recently been redesigned to provide a more secure experience for users. A report claiming an unverified remote code execution vulnerability via the PAN-OS management interface prompted the company to release an information bulletin. Those interested in knowing more about hardening network devices are urged to review PCA's recommendations for hardening network devices, and PCA's instructions for gaining access to scan results for the Organization's internet-facing management interfaces are discouraged from following them.
Read more »
Vulnerabilities and Exploits
CyberCrime Cybersecurity CyberThreat Frag Ransomware Ransomware VBR Veeam RCE Bug Vulnerabilities and Exploits

Veeam RCE Bug Now a Target for Frag Ransomware Operators

 


Recently, a critical VBR (Veeam Backup & Replication) security flaw was exploited by cyber thieves to distribute Frag ransomware along with the Akira and Fog ransomware attacks. Florian Hauser, a security researcher with Code White, has discovered that the vulnerability (tracked as CVE-2024-40711) is a result of the deserialization of untrusted data weakness that unauthenticated threat actors can abuse to gain remote code execution (RCE) on Veeam VBR servers by exploiting. 

Despite releasing a technical analysis of CVE-2024-40711 on September 9, Watchtower Labs delayed the release of a proof-of-concept exploit until September 15 to allow admins to take advantage of the security updates that Veeam released on September 4 for this vulnerability. 

According to Sophos researchers, ransomware operators are leveraging a critical vulnerability in Veeam Backup & Replication called CVE-2024-40711 to create rogue accounts and deploy malware to users in order to execute their attacks. On early September 2024, Veeam released security updates for the Service Provider Console, Veeam Backup & Replication, and Veeam One products to address several vulnerabilities that could undermine the security of their products.

The company fixed 18 issues with high or critical severity for these products. This September's security bulletin contains a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 that affects Veeam Backup & Replication (VBR), which has a CVSS v3.1 score of 9.8 (CVSS score of 10.4). A software product developed by the Veeam software company called Veeam Backup & Replication offers a comprehensive solution for data protection and disaster recovery. With this technology, companies are able to back up, restore, and replicate data across physical, virtual, and cloud environments at the same time. 

There is a vulnerability in the Linux kernel that allows unauthenticated remote code execution (RCE)." as stated in the advisory. The vulnerabilities were discovered by Florian Hauser, a researcher at CODE WHITE Gmbh who specializes in cybersecurity. In addition to Veeam Backup & Replication 12.1.2.172, earlier versions of version 12 are also affected by this flaw.  According to the Sophos X-Ops incident response team, the delay in releasing an exploit did not have much effect on the number of Akira and Fog ransomware attacks that were prevented. 

By exploiting the RCE vulnerability along with stolen credentials from the VPN gateway, the attackers were able to register rogue accounts on unpatched servers and exploit the RCE flaw. There was also a threat activity cluster, which was known as 'STAC 5881,' that was later found to have used exploits from CVE-2024-40711 to download Frag ransomware onto compromised networks, as a result of attacks that exploited CVE-2024-40711. 

According to Sean Gallagher, a principal threat researcher at Sophos X-Ops, the tactics associated with STAC 5881 were used again, this time, however, they led to the deployment of the previously undocumented 'Frag' ransomware which is now being referred to as Black Drop. There is a possibility that the threat actor exploited a vulnerability in the VEEAM component to gain access to the system, created a new account named 'point', and accessed the system from that account. As a result of this incident, a second account has also been created, known as 'point2'. 

Anew report by British cybersecurity company Agger Labs revealed that the Frag ransomware gang has made extensive use of Living Off The Land binaries (LOLBins), a type of software that is already installed on compromised computers and which is commonly known as Living Off The Land software (LOLBins). Defendants have a hard time detecting their activity due to the fact that this is difficult to detect. According to the Frag gang's playbook, the playbook of Akira and Fog operators is somewhat similar, as they often exploit vulnerabilities in unpatched backup and storage software and misconfigurations in the solutions that they deploy. This vulnerability has a high severity and can allow malicious actors to breach backup infrastructure if not patched. Veeam patched another high severity vulnerability in March 2023, CVE-2023-27532. There has been extensive use of this exploit in attacks linked to the financially motivated FIN7 threat group and in Cuba ransomware attacks that targeted companies and institutions critical to the American economy. 

Over 500,000 consumers worldwide rely on Veeam's products, including approximately 74% of all companies from the Global 2,000 list. Veeam reports that its products are used by over 550,000 customers worldwide. Agger Labs, a cybersecurity firm, also noted that tactics, techniques, and practices used by the threat actors behind Frag share many similarities to those used by Akira and Fog threat actors in their tactics, techniques, and practices. 

The main reason why Frag ransomware can remain stealthy is that it uses LOLBins, an approach that has been widely adopted by more traditional actors in the cybercrime sphere. The attackers can now bypass endpoint detection systems by employing familiar, legitimate software already present on most networks to conduct malicious operations. The fact that ransomware crews are adapting their approaches to ransomware shows that they are changing their approach despite not being new to the threat actor space.” 

Agger Labs notes. Despite Frag's use of LOLBins, the function has been used by ransomware strains like Akira and Fog which also use similar techniques to blend in with normal network activity and hide from detection.". As a result of using LOLBins as a means of exploitation for malicious purposes, these operators make it harder for us to detect them timely.”
Read more »
Subscribe to: Posts (Atom)