Palo Alto Security Patch

Summary: Palo Alto Networks has addressed a critical security vulnerability, tracked as CVE-2024-3400, impacting the GlobalProtect feature in PAN-OS software that is actively being exploited. This vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The flaw is a case of command injection, and its severity is given a CVSS score of 10.0 – the maximum score. Cybersecurity researchers have already released proof-of-concept (PoC) exploits for this vulnerability, highlighting its potential impact on organizations. The affected versions include:

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1
  • PAN-OS 11.1.2-h3

Additional patches are expected for other maintenance releases.

Rapid7 emphasized that successful exploitation depends on a chain of two vulnerabilities, including one that hasn’t yet been assigned a CVE. Before achieving command injection, an attacker must be able to create arbitrary files. Organizations are urged to apply the available hotfixes promptly to mitigate the risk posed by this vulnerability.

Why it matters: Palo Alto Networks firewalls are among the most widely deployed network security products in enterprises. This critical vulnerability allows unauthenticated attackers to gain access to sensitive services and data within organizations relying on Palo Alto products. The severity of this flaw is underscored by its maximum CVSS score of 10.0. Even more concerning, threat actors are actively exploiting this vulnerability. As a result, it is imperative for enterprises to swiftly install the available fixes to safeguard their networks.


Binding Cookies to Devices with Google DBSC

Summary: Google has introduced a solution to enhance web security and safeguard user accounts. The new feature, called Device Bound Session Credentials (DBSC), aims to tackle the rising threat of cookie theft malware, which is malware aimed at stealing users’ session cookies from their devices.

To combat this critical issue, Google is pioneering DBSC. By binding authentication sessions to the user’s device, exfiltrated cookies lose their value, significantly reducing the success rate of cookie theft malware. Attackers will be forced to operate locally on the compromised device, which improves on-device detection and overall security. The project is being developed openly on GitHub with the aim of becoming an open web standard.

Why it matters: Cookies are small files created by websites we visit, and they play a crucial role in our online experience. They save browsing information, keep us signed in, and remember our preferences. However, their usefulness also makes them a prime target for cyber attackers. Cookie theft malware victimizes users across the web, granting unauthorized access to their accounts. The severity lies in the fact that this theft occurs after login, bypassing two-factor authentication and other security checks. Even after malware removal, stolen cookies remain functional, making it difficult to mitigate using traditional anti-virus software. Existing browsers currently lack effective protection against this type of attack. However, the new DBSC will make it significantly more difficult for attackers to be successful.

#StopRansomware: Akira Ransomware

Summary: Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably. As of January 1, 2024, the ransomware group has targeted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes. Akira operators are associated with Conti ransomware actors, which explains code similarities in both ransomware families. In July, the Arctic Wolf Labs Team reported that Akira shared code similarities with the Conti ransomware. However, they also noted that when Conti’s source code was leaked, different malicious actors used it to create or tweak their own ransomware code, which makes it even more challenging to trace back ransomware families to Conti operators.

Why it matters: For initial access, Akira ransomware’s operators have been targeting VPN services that lacked multi-factor authentication, mainly using known vulnerabilities in Cisco products (such as CVE-2020-3259 and CVE-2023-20269). Additionally, they were seen using remote desktop protocol (RDP), spear-phishing, and valid credentials to access victims’ environments. Like other ransomware groups, Akira exfiltrates victims’ data before encrypting it. Victims are instructed to contact the attackers via a Tor-based site and then told to pay a ransom in Bitcoin. Authorities encourage organizations to implement the recommendations in the Mitigations section of a CSA report to reduce the likelihood and impact of ransomware incidents.


Cisco Duo’s Multifactor Authentication Service Breached

Summary: A third-party provider that handles telephony for Cisco’s Duo multifactor authentication (MFA) service has been compromised by a social engineering cyberattack. Cisco Duo is a multi-factor authentication and Single Sign-On service used by corporations to provide secure access to internal networks and corporate applications. Affected users were sent a notice explaining that the company handling SMS and VOIP multifactor authentication messaging traffic for Cisco Duo was breached on April 1. The Cisco Data Privacy and Incident Response Team issued an alert on 15 April 2024, warning customers the provider it uses to send MFA messages via SMS and voice over internet protocol (VOIP) was breached. Cisco Duo did not identify the compromised telephony provider in its advisory.

The threat actors obtained employee credentials through a phishing attack, then used those credentials to gain access to the telephony provider’s systems. Once inside the service provider’s systems, the unauthorized user downloaded SMS logs for specific users within a certain timeframe, the company said. The intruder then downloaded SMS and VoIP MFA message logs associated with specific Duo accounts between March 1, 2024, and March 31, 2024.

Why it matters: Duo’s homepage reports that it serves 100,000 customers and handles over a billion authentications monthly, with over 10,000,000 downloads on Google Play. The provider confirmed that the threat actor did not access any contents of the messages or use their access to send messages to customers. However, the stolen message logs do contain data that could be used in targeted phishing attacks to gain access to sensitive information, such as corporate credentials. The data contained in these logs includes an employee’s:

  • Phone number
  • Carrier
  • Location data
  • Date
  • Time
  • Message type

When the impacted supplier discovered the breach, they invalidated the compromised credentials, analyzed activity logs, and notified Cisco accordingly. Additional security measures were also implemented to prevent similar incidents in the future. Cisco also warns customers impacted by this breach to be vigilant against potential SMS phishing or social engineering attacks using the stolen information.

Hackers Hijack Antivirus Updates to Drop GuptiMiner Malware

Summary: In a recent attack highlighting the evolving tactics of cybercriminals, North Korean hackers exploited a vulnerability in eScan antivirus software’s update mechanism. This allowed them to deliver the GuptiMiner malware disguised as a legitimate update. GuptiMiner is a sophisticated malware that plants backdoors on corporate networks, deploys cryptocurrency miners, and has the capability to manipulate DNS requests and extract payloads from images.

Why it matters: This attack highlights the evolving tactics of cybercriminals who compromise trusted software updates to infiltrate corporate networks. GuptiMiner’s ability to evade detection, manipulate DNS, and deactivate security products poses serious risks. Organizations must remain vigilant, keep their security systems up-to-date, and implement robust security measures to defend against such sophisticated threats.

To prevent GuptiMiner infections, organizations should take the following steps:

  • Regularly Update Security Software: Ensure that antivirus and security software are up-to-date to protect against known threats.
  • Monitor Network Traffic: Keep an eye on DNS requests and unusual network activity. Implement intrusion detection systems (IDS) to detect suspicious behavior.
  • Implement Zero Trust Architecture: Assume that no device or user is inherently trustworthy. Restrict access based on the principle of least privilege.
  • Educate Employees: Train employees to recognize phishing emails and avoid downloading files or clicking on suspicious links.

Ivanti Patches and CVEs

Summary: Ivanti released new patches for CVE-2023-46805 and CVE-2024-21887. The two CVEs were announced on January 10, 2024, and affect the VPN components of Ivanti products:

  • CVE-2023-46805 – An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 – A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Partial patches are also now available for the more recently disclosed CVE-2024-21893 and CVE-2024-21888: fixes have been released, but not yet for all versions of the affected systems.

  • CVE-2024-21888 – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
  • CVE-2024-21893 – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Ivanti states that patches are available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3. The remaining supported versions are to be patched in a staggered schedule.

Why it matters: VPNs were created to ensure the security of the user, so vulnerabilities in these products undermine the very purpose of their creation. The concerning part is that the number of recent vulnerabilities compromises not only Ivanti’s products but also the security of its customers. It is important for those affected to update all their products to the latest version or patch and to ensure that their usage remains secure.

Security Tip of the Month – Role-based Access Control (RBAC) Phishing Scam

Summary: This month, we’re diving into a foundational concept for robust network security: Network Segmentation. At Zyston, we see segmentation as a critical defense against cyber threats. Let’s explore what network segmentation entails and how it can fortify your organization’s security posture.

Network segmentation is a fundamental strategy that significantly enhances both the security and efficiency of computer networks. By dividing a network into smaller, isolated segments, businesses can bolster their defenses against cyber threats. Let’s delve into why network segmentation matters and how it benefits organizations.

Network segmentation plays a vital role in safeguarding sensitive data and preventing cyberattacks. Here are some key reasons why it matters:

  • Limiting Attack Spread: Segmentation prevents the lateral movement of threats within the network. For instance, if malware infects one segment, it won’t easily spread to other parts of the network. This containment minimizes the impact of breaches.
  • Protecting Your Weakest Links: Not all devices are created equal. Some, like medical devices or legacy systems, may have weaker security features. Network segmentation allows you to isolate these vulnerable points, preventing them from being exposed to harmful traffic that could compromise them.
  • Beyond Security: Efficiency Gains: Network segmentation isn’t just about defense; it can also improve network performance. By separating different types of traffic, you can ensure critical operations aren’t bogged down by non-essential activities. Imagine a hospital network – segmenting medical device traffic from visitor Wi-Fi ensures web browsing doesn’t impact critical medical equipment.
  • Compliance Made Simpler: Regulations often require organizations to protect specific types of data. Network segmentation helps by limiting the number of systems subject to compliance. This reduces audit complexity and potentially lowers compliance costs.

Why it matters: In conclusion, don’t leave your network vulnerable. Network segmentation is more than just a best practice; it’s a cornerstone of a strong cybersecurity posture. By implementing effective segmentation strategies, organizations can gain a multi-pronged benefit: enhanced security by containing threats, improved operational efficiency through optimized network performance, and reduced compliance overhead by simplifying the scope of regulations.