Search the Community

For weeks now, unidentified threat actors have been leveraging a critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software, running arbitrary code on vulnerable firewalls, with root privilege. Multiple security researchers have flagged the campaign, including Palo Alto Networks’ own Unit 42, noting a single threat actor group has been abusing a vulnerability called command injection, since at least March 26 2024. This vulnerability is now tracked as CVE-2024-3400, and carries a maximum severity score (10.0). The campaign, dubbed MidnightEclipse, targeted PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations with GlobalProtect gateway and device telemetry enabled, since these are the only vulnerable endpoints. Highly capable threat actor The attackers have been using the vulnerability to drop a Python-based backdoor on the firewall which Volexity, a separate threat actor that observed the campaign in the wild, dubbed UPSTYLE. While the motives behind the campaign are subject to speculation, the researchers believe the endgame here is to extract sensitive data. The researchers don’t know exactly how many victims there are, nor who the attackers primarily target. The threat actors have been given the moniker UTA0218 for now. "The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," the researchers said. "UTA0218's initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users' DPAPI keys." In its writeup, The Hacker News reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a deadline of April 19 to apply the patch and otherwise mitigate the threat. "Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities," Volexity said. "It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks." More from TechRadar Pro North Korean hackers are posing as job interviewers - don't be fooledHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Written by: Maddie Stone, Jared Semrau, James Sadowski Combined data from Google’s Threat Analysis Group (TAG) and Mandiant shows 97 zero-day vulnerabilities were exploited in 2023; a big increase over the 62 zero-day vulnerabilities identified in 2022, but still less than 2021's peak of 106 zero-days. This finding comes from the first-ever joint zero-day report by TAG and Mandiant. The report highlights 2023 zero-day trends, with focus on two main categories of vulnerabilities. The first is end user platforms and products such as mobile devices, operating systems, browsers, and other applications. The second is enterprise-focused technologies such as security software and appliances. Key zero-day findings from the report include: Vendors' security investments are working, making certain attacks harder. Attacks increasingly target third-party components, affecting multiple products. Enterprise targeting is rising, with more focus on security software and appliances. Commercial surveillance vendors lead browser and mobile device exploits. People’s Republic of China (PRC) remains the top state-backed exploiter of zero-days. Financially-motivated attacks proportionally decreased. Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don’t expect this activity to decrease anytime soon. Progress is being made on all fronts, but zero-day vulnerabilities remain a major threat. A Look Back — 2023 Zero-Day Activity at a Glance Barracuda ESG: CVE-2023-2868 Barracuda disclosed in May 2023 that a zero-day vulnerability (CVE-2023-2868) in their Email Security Gateway (ESG) had been actively exploited since as early as October 2022. Mandiant investigated and determined that UNC4841, a suspected Chinese cyber espionage actor, was conducting attacks across multiple regions and sectors as part of an espionage campaign in support of the PRC. Mandiant released a blog post with findings from the initial investigation, a follow-up post with more details as the investigation continued, and a hardening guide. Barracuda also released a detailed advisory with recommendations. VMware ESXi: CVE-2023-20867 Mandiant discovered that UNC3886, a Chinese cyber espionage group, had been exploiting a VMware zero-day vulnerability (CVE-2023-20867) in a continued effort to evade security solutions and remain undiscovered. The investigation shined a big light on UNC3886's deep understanding and technical knowledge of ESXi, vCenter and VMware’s virtualization platform. Mandiant released a blog post detailing UNC3886 activity involving exploitation of this zero-day vulnerability, and also detection, containment and hardening opportunities to better defend against the threat. VMware also released an advisory with recommendations. MOVEit Transfer: CVE-2023-34362 Mandiant observed a critical zero-day vulnerability in Progress Software's MOVEit Transfer file transfer software (CVE-2023-34362) being actively exploited for data theft since as early as May 27, 2023. Mandiant initially attributed the activity to UNC4857, which was later merged into FIN11 based on targeting, infrastructure, certificate and data leak site overlaps. Mandiant released a blog post with details on the activity, as well as a containment and hardening guide to help protect against the threat. Progress released an advisory with details and recommendations. Takeaways Zero-day exploitation has the potential to be high impact and widespread, as evidenced by the three examples shared in this post. Vendors must continue investing in security to reduce risk for their users and customers, and organizations across all industry verticals must remain vigilant. Zero-day attacks that get through defenses can result in significant financial losses, reputational damage, data theft, and more. While zero-day threats are difficult to defend against, a defense in depth approach to security can help reduce potential impact. Organizations should focus on sound security principles such as vulnerability management, network segmentation, least privilege, and attack surface reduction. Additionally, defenders should conduct proactive threat hunting, and follow guidance and recommendations provided by security organizations. Read the report now to learn more about the zero-day landscape in 2023. View the full article

Hackers are exploiting a zero-day vulnerability in Windows Defender SmartScreen to infect crypto traders with malware. Researchers from Trend Micro revealed a threat actor going by Water Hydra (AKA DarkCasino) abused the zero-day, now tracked as CVE-2024-21412, in attacks conducted on New Year’s Eve 2023. Microsoft has since released a patch, and in a follow-up advisory, explained that an unauthenticated attacker “could send the targeted user a specially crafted file that is designed to bypass displayed security checks." Spearphishing on Telegram Microsoft further explained that the attack still relies on victim action: "However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link." Trend Micro claims Water Hydra was joining Telegram channels and forums for forex, stock, and crypto traders, and used spearphishing techniques to get people to install the DarkMe malware. The group shared a stock chart that linked to fxbulls[.]ru, a compromised Russian trading information site that, in fact, impersonates fxbulls[.]com, a forex broker platform. DarkMe, while dangerous on its own, was just a step towards the final goal, which was to deploy ransomware, the researchers claim. "In late December 2023, we began tracking a campaign by the Water Hydra group that contained similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components," Trend Micro explained. "We concluded that calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source." The crypto industry has always been a popular target for cybercriminals. However, with bitcoin exchange-traded funds (ETF) finally approved, and the Bitcoin halving just two months away, the crypto industry is poised for yet another eye-watering bull run. This, as was the case in the past, will also attract more criminals. Via BleepingComputer More from TechRadar Pro This nasty Windows 10 zero-day vulnerability finally has an unofficial fixHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

After reading the technical details about this zero-day that targeted governmental entities and a think tank in Europe and learning about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.View the full article

Zero-day exploits use unknown vulnerabilities to infiltrate PCs, networks, mobile phones and IoT devices. For unprepared security teams, these exploits bring financial consequences and long-term risks.View the full article

The vulnerabilities, one of which was rated critical and one of which was rated highly severe, affect Cisco IOS XE software.View the full article

The number of devices exposing the web UI on the internet, a timeline and technical details about this malicious activity, and tips for mitigating this zero-day threat are featured.View the full article

A vulnerability in the HTTP/2 network protocol is currently being exploited, resulting in the largest DDoS attack in history. Find out what security teams should do now, and hear what Cloudflare's CEO has to say about this DDoS.View the full article