PAN-OS Command Injection Vulnerability Exploited in the Wild

On April 12, 2024, Palo Alto Networks released a report regarding the CVE-2024-3400 – a critical vulnerability in their PAN-OS. This operating system is a basis for the company’s firewall solutions, which is in turn a rather popular option for network protection among companies around the world. By exploiting the flaw, adversaries get the ability to execute arbitrary code with maximum (root) privileges. This explains the extremely high CVSS score, as well as the fact that cybersecurity is set abuzz about it.

The worst part about this flaw is that it is already exploited in real-world attacks. Palo Alto Networks do not mention any specific attack cases, but the fact that the vendor confirms this makes the fact hardly doubtful. The company also specifies that for the successful exploitation, the affected PAN-OS instance should have two things configured: device telemetry feature and the GlobalProtect gateway.

Arbitrary code execution vulnerabilities may be used for both gaining initial access and performing lateral movement. In the case of its residence in the firewall software, the result may lead to misconfiguration of the network protection or its complete disabling. The former is most probable though, as it allows for creating a stealth communication channel(s) with the infected environment.

Affected Versions and Patches

Palo Alto Networks confirms the vulnerability being present in the grand total of 3 PAN-OS versions – 10.2, 11.0 and 11.1. Earlier versions, as well as some of the auxiliary software used together with the firewall are not affected. Problem is – there are no patches available for the flawed versions at the moment.

The company promises to release corresponding fixes for all the vulnerable versions on April 14, 2024. They also offer the possible mitigation of the issue, through disabling the device telemetry feature. This will diminish the potential impact of a successful exploitation. For the subscribers of their Threat Prevention service, the company provides the ability to block the potential exploitation cases.

Protecting Against Vulnerability Exploitation

Any software may contain vulnerabilities, and even the top-notched solutions from worldwide known vendors are not an exclusion. There are no soothsayers among us, so predicting which program will have a vulnerability is rather difficult. For that reason, reactive measures are the best possible way to avoid the attacks that use vulnerability exploitation.

Stay in touch with the latest security news. Whenever a flaw in widely used software becomes public, it hits the titles of all cybersecurity newsletters. Thing is – the vast majority of vulnerability exploitation happens after the information about it becomes public. Rapid reaction to the new discovery and patching the flaw as the instruction says will most definitely secure your environment.

The post Critical PAN-OS Command Injection Flaw Exploited appeared first on Gridinsoft Blog.

The South African hack group Automated Libra is looking for new approaches to use the resources of cloud platforms for cryptocurrency mining: hackers bypass CAPTCHA on GitHub.

Let me remind you that we also wrote that Hackers force users to solve CAPTCHA, and also that New hCaptcha bypass method may not affect Cloudflare’s security.

According to Palo Alto Networks, in recent times, attackers are using a new system to solve CAPTCHAs, abusing CPU resources more aggressively for mining, and also mixing freejacking with Play and Run techniques.

For the first time, Automated Libra operations were discovered by Sysdig analysts last fall. Then the researchers gave a name to the found malware cluster PurpleUrchin and suggested that this group specializes in freejacking, that is, they abuse free or time-limited access to various services (GitHub, Heroku and Buddy) to mine cryptocurrency at their expense.

Now Palo Alto Networks experts have studied the activity of this group in more detail, analyzing more than 250 GB of collected data and collecting more information about the infrastructure and methods of attackers.

According to experts, the automated campaigns of these attackers are abusing CI/CD services, including GitHub, Heroku, Buddy, and Togglebox, to create new accounts and run cryptocurrency miners in containers. But if Sysdig analysts only identified 3,200 malicious accounts belonging to PurpleUrchin, then Palo Alto Networks reports that since August 2019, hackers have created and used more than 130,000 accounts on the mentioned platforms.

In addition, it turned out that the attackers used containers not only for mining itself, but also for trading the mined cryptocurrency on various platforms, including ExchangeMarket, crex24, Luno and CRATEX.

At the same time, the researchers confirm that freejacking is an important aspect of Automated Libra operations, but write that Play and Run tactics are also of great importance. This term usually refers to attackers who use paid resources to make a profit (in this case, using cryptocurrency mining), but refuse to pay bills until their accounts are frozen. Once locked out, they drop the accounts and create new ones.

As a rule, Automated Libra uses stolen personal data and bank card information to create premium accounts on VPS and CSP platforms, leaving a trail of unpaid debts.

In such cases, attackers use as many server resources as possible before losing access. This is in stark contrast to the freejacking tactic, where the miner tries to remain invisible and uses only a tiny fraction of the server’s capacity.

In addition, according to experts, an interesting feature of the Automated Libra attacks is the CAPTCHA solution system, which helps hackers create many accounts on GitHub automatically. To do this, the attackers use ImageMagic and convert the CAPTCHA images to their RGB equivalents and then use “identify” to determine the asymmetry of the red channel.

The values obtained in this way are used to rank the images in ascending order, and the automated tool selects the image that leads the resulting list. Usually, that is exactly what is correct.

The post Hackers Bypass CAPTCHA on GitHub to Automate Account Creation appeared first on Gridinsoft Blog.

Let me remind you that we reported that New Cuba Ransomware Variant Involves Double-Extortion Scheme.

In their report, the researchers talk about the hack group Tropical Scorpius, which, apparently, is a “partner” of the Cuba ransomware. Let me remind you that this ransomware has been known to security specialists since 2019. He was most active at the end of 2021, when he was linked to attacks on 60 organizations in five critical infrastructure sectors (including financial and public sector, healthcare, manufacturing and IT), as a result of which hackers received at least $ 43.9 million in the form of ransoms.

The last notable Cuba update was recorded in the first quarter of 2022, when malware operators switched to an updated version of the ransomware with finer settings and added quTox support to communicate with their victims.

As Palo Alto Networks analysts now say, the aforementioned Tropical Scorpius group uses a standard Cuba payload that hasn’t changed much since 2019. One of the few updates in 2022 involves the use of a legitimate but invalid Nvidia certificate (previously stolen from the company by Lapsus$ hackers) to sign the kernel driver, which is used in the initial stages of infection. The task of this driver is to detect processes belonging to security products and kill them to help attackers avoid detection.

Tropical Scorpius uses a local privilege escalation tool based on an exploit for CVE-2022-24521, which was patched in April 2022.

The next attack phase of Tropical Scorpius involves loading ADFind and Net Scan to perform a lateral movement. Along with this, the attackers deploy a tool on the victim’s network that helps them obtain cached Kerberos credentials. Also, hackers can use the tool to exploit the notorious Zerologon vulnerability (CVE-2020-1472) to obtain domain administrator privileges.

At the end of the attack, Tropical Scorpius operators finally deploy ROMCOM RAT malware on the victim network, which communicates with command and control servers through ICMP requests performed through Windows API functions.

ROMCOM RAT supports ten main commands:

1. get information about the connected disk;
2. get lists of files for the specified directory;
3. run the reverse shell svchelper.exe in the %ProgramData% folder;
4. upload data to the management server as a ZIP file using IShellDispatch to copy files;
5. download data and write to worker.txt in the %ProgramData% folder;
6. delete the specified file;
7. delete the specified directory;
8. create a process with PID spoofing;
9. process only the ServiceMain received from the control server and “sleep” for 120,000 ms;
10. traverse running processes and collect their IDs.

Experts note that Tropical Scorpius hackers compiled the latest version of ROMCOM and uploaded it to VirusTotal on June 20, 2022. This version contains ten additional commands, giving attackers more control over executing and downloading files and terminating processes.

In addition, the new version supports receiving additional payloads from the C&C server, such as the Screenshooter screenshot tool.

The researchers conclude that with the emergence of Tropical Scorpius, the Cuba ransomware is turning into a more serious threat, although in general this ransomware cannot boast of a large number of victims.

The post Cuba Ransomware Operators Use Previously Unknown ROMCOM RAT appeared first on Gridinsoft Blog.

The patch can be used to escape the container and escalate privileges, allowing an attacker to take control of the underlying host.

Let me remind you that in December last year, shortly after cybersecurity researchers alarmed about problems in Apache Log4j, Amazon released emergency patches that fix bugs in various environments, including servers, Kubernetes, Elastic Container Service (ECS) and Fargate. The purpose of hotpatches was to quickly fix vulnerabilities while system administrators transited their applications and services to a secure version of Log4j.

Let me also remind you that soon after the discovery of vulnerabilities, real attacks on the Log4Shell were recorded. Moreover, the experts also found out that the Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions.

However, as Palo Alto Networks has now found out, the patches were not very successful and could, among other things, lead to the capture of other containers and client applications on the host.

The experts showed a video demonstrating an attack on the supply chain with the malicious container image and usage of an earlier patch. Similarly, compromised containers can be used to “escape” and take over the underlying host. Palo Alto Networks decided not to share details about this exploit yet, so that attackers could not use it.

In the next step, elevated privileges could be used by a malicious java process to escape the container and take full control of the compromised server.

Users are advised to update to the corrected version of the hotpatch as soon as possible in order to prevent exploitation of related bugs.

The post Amazon Patch for Log4Shell allowed privilege escalation appeared first on Gridinsoft Blog.

By 2025, next-generation technologies such as ubiquitous connectivity, artificial intelligence, quantum computing or new approaches to identity and access management could overwhelm the defences and lead to a global cyber pandemic, experts at the World Economic Forum’s Cybersecurity Centre predict.

The World Economic Forum’s Centre for Cybersecurity has created a community of security and technology leaders to identify future global risks from next-generation technology in order to avert a cyber pandemic.

In this regard, the WEF, together with the Oxford Martin School at the University of Oxford, launched an initiative called Future Series: Cybercrime 2025, the main goal of which is to identify the approaches required to manage cyber risks associated with major technology trends.

More than 150 global cybersecurity experts from information security companies, research institutions and other organizations, including Palo Alto Networks, Mastercard, KPMG, Europol, ENISA and NIST, are involved in the program.

There is already a global capacity gap in cybersecurity (professionals and all personnel), and as new technologies emerge, the cybersecurity skills gap will widen.

Among the recommended approaches, the WEF lists reducing the global capacity gap in cybersecurity, creating a workforce, and moving away from fragmented approaches to cybersecurity that lead to interdependencies and confusion of policies and technologies.

If you want to be afraid the future even more, read our post: Apocalypse Now: experts presented a new type of cyber-biological attack.

The post WEF warned of impending cyber pandemic appeared first on Gridinsoft Blog.

A new Linux-based cryptocurrency mining botnet exploits PostgreSQL’s Remote Code Execution (RCE) vulnerability, which compromises cryptojacking database servers.

Cryptojacking (or simply malicious coin mining) is a common way for malware authors to monetize their operations.

Palo Alto Networks has named the new cryptocurrency mining botnet “PGMiner” after its delivery channel and mining mode.

The PgMiner botnet operates according to a well-known and well-established by criminals scheme: it randomly selects a range of IP addresses (for example, 18.xxx.xxx.xxx) and then enumerates all parts of this range looking for systems with an open port 5432 (PostgreSQL).

PostgreSQL is one of the most commonly used open-source relational database management systems (DBMS) for production environments. According to DB-Engines, PostgreSQL is ranked fourth among all database management systems (DBMS) as of November 2020.

If the botnet detects an active PostgreSQL system, it moves from the scanning phase to a brute-force attack, during which it tries a long list of passwords in an attempt to guess the login and password of the default PostgreSQL account (postgres).

If the database owner forgot to disable this account or did not change the password, hackers gain access to the database and then use the COPY from PROGRAM function (CVE-2019-9193 was associated with it, though many in the PostgreSQL community refused to recognize as a bug) to expand access and reach the server and its OS. Having established control over the infected system, the PgMiner operators deploy a miner on the infected server for mining the Monero cryptocurrency.

According to the researchers, the botnet is currently able to install miners only on Linux MIPS, ARM and x64 platforms.

Experts also mention that the PgMiner control server, from which hackers control infected bots, is hosted in Tor, and the botnet’s codebase resembles another similar malware – SystemdMiner.

Let me remind you that hackers cracked European supercomputers and forced them to mine cryptocurrency.

The post PgMiner botnet attacks poorly protected PostgreSQL DBs appeared first on Gridinsoft Blog.

PAN-OS is an operating system running on firewalls and corporate VPN devices, manufactured by Palo Alto Networks.

The cause for concern is really serious: the CVE-2020-2021 vulnerability is one of those rare errors that get 10 out of 10 points on the CVSSv3 vulnerability rating scale. Such score means that the vulnerability is easy to use, its operation does not require serious technical knowledge, and it can also be used remotely via the Internet, and attackers may not have any “fulcrum” on the target device.

“From a technical point of view, the vulnerability is an authentication bypass and allows an outsider to gain access to the device without providing credentials. After successfully exploiting the problem, the attacker can change the PAN-OS settings. In essence, this can be used to disable access control policies in the company’s firewalls and VPN solutions, after which the devices will become practically useless”, — said USCYBERCOM representatives.

I also note that Trump declared a state of emergency due to cyberattacks on US energy systems.

Palo Alto Networks specialists have already prepared their own security bulletin, which says that for the successful operation of the problem a number of conditions must be met.

In particular, PAN-OS devices must have a specific configuration so that the error can be used. So, the option Validate Identity Provider Certificate should be disabled, and SAML (Security Assertion Markup Language) on the contrary enabled.

Devices that can be configured this way are vulnerable to attack. These include:

• GlobalProtect Gateway;
• GlobalProtect Portal;
• GlobalProtect Clientless VPN;
• Authentication and Captive Portal;
• PAN-OS firewalls (PA and VM series) and Panorama web interfaces;
• Prisma Access Systems.

Fortunately, by default, the above settings are set to other values. However, CERT/CC expert Will Dorman warns that when using third-party identity providers in many PAN-OS operator guides, it is recommended to stay attached to this configuration. For example, when using Duo authentication or third-party solutions from Centrify, Trusona and Okta.

“As a result, despite the fact that at first glance the vulnerability does not look too dangerous and requires certain conditions to be met, in fact, many devices are configured exactly as described above, especially due to the widespread use of Duo in the corporate and public sectors”, – told in Palo Alto Networks.

According to Troy Mursch, co-founder of Bad Packets, the current number of vulnerable systems is approximately 4,200.

“Of the 58,521 Palo Alto public servers (PAN-OS) scanned by Bad Packets, only 4,291 hosts use some kind of SAML authentication”, — write the expert.

He also clarifies that the scan conducted by his company helped determine whether authentication with SAML is enabled, but in this way you cannot find out the status of the Validate Identity Provider Certificate.

Currently, information security experts are urging all owners of PAN-OS devices to immediately check the configurations of their devices and install patches released by Palo Alto Networks as soon as possible.

Let me remind you that according to the report of Radware company specialists, government hackers attacked more often in 2019-2020.

The post US cyber command warned about dangerous vulnerability in PAN-OS appeared first on Gridinsoft Blog.

The Hoaxcalls botnet is built on the source code of the Gafgyt/Bashlite malware and is mainly used for DDoS attacks.

“The malware is built on the Gafgyt/Bashlite malware family codebase, which we have dubbed “Hoaxcalls”, based on the name of the IRC channel used for command and control (C2) communications, and is capable of launching a variety of DDoS attacks based on the C2 commands received.”, — write Palo Alto Networks researchers.

The issue in question has the identifier CVE-2020-5722 and is rated as critical (9.8 points on the CVSS vulnerability rating scale). The vulnerability is related to the HTTP interface in devices of IP-PBX Grandstream.

Tenable experts who discovered this bug described it as an unauthenticated remote SQL injection.

“The vulnerability can be exploited using a specially crafted HTTP request, which will eventually allow an attacker to execute shell commands with root privileges (versions prior to 1.0.19.20) or inject HTML code into emails to recover passwords (versions prior to 1.0.20.17 )”, — said Tenable researchers.

The root of the problem is that forgotten password function in the UCM6200 web interface accepts the username as input and looks for it in the SQLite database. By substituting a certain line of code for username, the attacker can perform SQL injection to create a reverse shell for remote code execution or add arbitrary HTML code to the password recovery email that will be sent to the user.

According to Palo Alto Networks experts, for more than a week the Hoaxcalls botnet has been actively exploiting this vulnerability, and then it uses infected devices for DDoS attacks. The botnet also attacks Draytek Vigor routers, infecting them through another critical vulnerability (CVE-2020-8515).

“Vulnerabilities CVE-2020-8515 and CVE-2020-5722 are both rated as critical, in particular because of their ease of operation. After using [these vulnerabilities], an attacker could execute arbitrary commands on the device. It is not surprising that hackers expanded their arsenals with these exploits and began to wreak havoc on the IoT sphere,” – say the experts.

Recall that the criminal colleagues of Hoaxcalls users – Lemon Duck malware operators also attack IoT-devices.

The post Hoaxcalls botnet attacks Grandstream devices appeared first on Gridinsoft Blog.