#ThreatResearch #ThreatIntel The German CERT has issued a critical warning regarding the exploitation of two vulnerabilities in Palo Alto Networks' PAN-OS, urging immediate patching to prevent unauthorized access and command execution. These vulnerabilities, CVE-2024-0012 and CVE-2024-9474, pose significant risks to organizations worldwide. The urgency for remediation is heightened as active attacks are already underway. #PaloAlto #VulnerabilityAlert #OperationLunarPeek https://ift.tt/GFnlud6

Keypoints:
• German CERT warns of active exploitation of vulnerabilities in PAN-OS.
• CVE-2024-0012 allows unauthenticated access to management interfaces.
• CVE-2024-9474 enables privilege escalation for authenticated users.
• Both vulnerabilities can be chained for remote command execution.
• Palo Alto Networks has released patches for affected versions.
• Organizations are urged to secure management interfaces and monitor for suspicious activity.
• Active exploitation observed under the banner "Operation Lunar Peek."
• Detection rules for webshells and abnormal activities are recommended.

MITRE TTP:
• Exploitation for Client Execution (T1203): Exploits vulnerabilities in software to execute arbitrary code.
• Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
• Privilege Escalation (T1068): Exploits vulnerabilities to gain elevated access to resources.
• Remote File Copy (T1105): Transfers files from a remote location to a compromised system.

IOC:
• [IP Address] 41.215.28[.]241
• [IP Address] 45.32.110[.]123
• [IP Address] 103.112.106[.]17
• [IP Address] 104.28.240[.]123
• [IP Address] 182.78.17[.]137
• [IP Address] 216.73.160[.]186
• [IP Address] 91.208.197[.]167
• [IP Address] 104.28.208[.]123
• [IP Address] 136.144.17[.]146
• [IP Address] 136.144.17[.]149
• [IP Address] 136.144.17[.]154
• [IP Address] 136.144.17[.]158
• [IP Address] 136.144.17[.]161
• [IP Address] 136.144.17[.]164
• [IP Address] 136.144.17[.]166
• [IP Address] 136.144.17[.]167
• [IP Address] 136.144.17[.]170
• [IP Address] 136.144.17[.]176
• [IP Address] 136.144.17[.]177
• [IP Address] 136.144.17[.]178
• [IP Address] 136.144.17[.]180
• [IP Address] 173.239.218[.]248
• [IP Address] 173.239.218[.]251
• [IP Address] 209.200.246[.]173
• [IP Address] 209.200.246[.]184
• [IP Address] 216.73.162[.]69
• [IP Address] 216.73.162[.]71
• [IP Address] 216.73.162[.]73
• [IP Address] 216.73.162[.]74
• [File Hash] 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
Hendry Adrian’s Post
More Relevant Posts
“Our goal is to eliminate Patch Tuesdays. Essentially you’re always staying ahead of your threats and your vulnerabilities by leveraging Tanium’s Autonomous Endpoint Management to do that.” - #Tanium CEO Dan Streetman More on how #TaniumAEMI is helping cut the risks of breaches with patch management.
July's Security Landscape blog from Martin Beauchamp looks at cryptographic and software bills of materials, GSMA’s Mobile Threat Intelligence Framework and physical #security threats to critical infrastructure 🔊 Read now 👇 #MobileSecurity #NetworkSecurity
Mobile Telecom Security Landscape Blog: July 24 - Security
https://www.gsma.com/solutions-and-impact/technologies/security
Palo Alto Networks warns of 6 security vulnerabilities in Expedition Palo Alto Networks has issued a warning to its customers regarding six security vulnerabilities found in its Expedition solution. These vulnerabilities, if exploited, can allow attackers to hijack PAN-firewalls and access sensitive data, including user credentials and device configurations. The flaws include command injection, reflected cross-site scripting, cleartext storage of sensitive information, missing authentication, and injection vulnerabilities. Horizon3.ai vulnerability researcher Zach Hanley discovered and reported four of the bugs, along with a proof-of-concept exploit that chains two vulnerabilities to gain arbitrary command execution on vulnerable Expedition servers. Palo Alto Networks has released fixes for all listed issues in Expedition 1.2.96 and later versions, urging users to upgrade and rotate all usernames, passwords, and keys. Admins who are unable to deploy the security updates immediately are advised to restrict Expedition network access to authorized users, hosts, or networks. Despite the severity of the vulnerabilities, there is currently no evidence of exploitation in attacks.
Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Palo Alto Networks has released workaround guidance for a command injection vulnerability (CVE-2024-3400) affecting PAN-OS versions 10.2, 11.0, and 11.1. Palo Alto Networks has reported active exploitation of this vulnerability in the wild. Operation MidnightEclipse involves a critical command injection vulnerability in Palo Alto Networks PAN-OS software, identified as CVE-2024-3400. The vulnerability, which allows unauthenticated attackers to execute arbitrary code with root privileges, affects PAN-OS versions configured with GlobalProtect gateway or portal and device telemetry enabled. The brief includes information on the vulnerability's scope, post-exploitation activity, interim guidance, and mitigation strategies, such as applying hotfix releases and enabling Threat ID 95187. It also discusses the Unit 42 Managed Threat Hunting queries and indicators of compromise related to the UPSTYLE backdoor and command and control infrastructure used in the attacks. Users are advised to refer to the Palo Alto Networks Security Advisory for detailed remediation guidance. https://lnkd.in/g8C6CYHQ
CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect
security.paloaltonetworks.com
Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. "In the first one, the GlobalProtect service did not sufficiently validate the session ID format before storing them. This enabled the attacker to store an empty file with the attacker's chosen filename," Chandan B. N., senior director of product security at Palo Alto Networks, said. "The second bug (trusting that the files were system-generated) used the filenames as part of a command." It's worth noting that while neither of the issues is critical enough on its own, when chained together, they could lead to unauthenticated remote shell command execution. Palo Alto Networks said that the threat actor behind the zero-day exploitation of the flaw, UTA0218, carried out a two-stage attack to achieve command execution on susceptible devices. The activity is being tracked under the name Operation MidnightEclipse. More details in The Hacker News story below!
Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack
thehackernews.com
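The two posts above on CVE-2024-3400 describe the same bug class: a client-supplied session ID is used as a filename without format validation, and a second component that assumes every file in that directory is system-generated splices the names into a shell command. The example below illustrates that class in generic code and the two checks that close it; it is an added example and is not PAN-OS code, not an exploit, and not from either post. The session-ID format (32 lowercase hex characters), the directory layout, the cleanup command and all function names are hypothetical. Nothing is executed: the "shell" is simulated with Python's shlex so the reader can see where the attacker-chosen filename turns into a second command.

```python
"""Unvalidated filename -> command injection: the bug class behind the
CVE-2024-3400 write-up, shown in generic form.

Added example, not PAN-OS code. The session-ID format, directory, cleanup
command and function names are hypothetical; nothing here runs a shell.
"""
import os
import re
import shlex
import tempfile

# Hypothetical session-ID format: 32 lowercase hex characters. Real
# products use their own format; the point is that one must be enforced.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def store_session_unchecked(session_dir: str, session_id: str) -> str:
    """Bug 1 (illustrative): the client-supplied ID becomes the filename of
    an empty marker file, with no check on its format."""
    path = os.path.join(session_dir, session_id)
    with open(path, "w"):
        pass
    return path


def cleanup_command_unchecked(session_dir: str) -> str:
    """Bug 2 (illustrative): trusts that every name in the directory is
    system-generated and splices them all into one shell command line."""
    names = sorted(os.listdir(session_dir))
    return "rm -f " + " ".join(os.path.join(session_dir, n) for n in names)


def shell_would_run(cmd: str) -> list:
    """Tokenise like a POSIX shell (';' is a command separator) and return
    the list of separate commands, so the injection is visible without
    executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def store_session_checked(session_dir: str, session_id: str) -> str:
    """Fix for bug 1: reject anything that is not exactly the expected
    format, which also rules out path separators and shell metacharacters."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id does not match the expected format")
    return store_session_unchecked(session_dir, session_id)


def cleanup_argv_checked(session_dir: str) -> list:
    """Fix for bug 2: re-validate names on the way out and build an argv
    list. Passed to subprocess.run without shell=True, a stray name can
    only ever be a filename argument, never a second command."""
    names = [n for n in sorted(os.listdir(session_dir)) if SESSION_ID_RE.fullmatch(n)]
    return ["rm", "-f", "--", *(os.path.join(session_dir, n) for n in names)]


def demo() -> dict:
    """Run both variants in a scratch directory and return what happened."""
    session_dir = tempfile.mkdtemp(prefix="sessions-")
    good_id = "5e8b4c2a1f0d9e8b7c6a5f4e3d2c1b0a"
    evil_id = "deadbeef; id"  # a filename that carries a second shell command
    store_session_unchecked(session_dir, good_id)
    store_session_unchecked(session_dir, evil_id)  # bug 1 accepts it
    cmd = cleanup_command_unchecked(session_dir)   # bug 2 splices it in
    rejected = []
    for candidate in (evil_id, "../../tmp/escape"):
        try:
            store_session_checked(session_dir, candidate)
        except ValueError:
            rejected.append(candidate)
    return {
        "unchecked_cmd": cmd,
        "shell_commands": shell_would_run(cmd),
        "rejected": rejected,
        "checked_argv": cleanup_argv_checked(session_dir),
    }


if __name__ == "__main__":
    result = demo()
    print("unchecked command line:", result["unchecked_cmd"])
    print("a shell would run:", result["shell_commands"])
    print("checked store rejected:", result["rejected"])
    print("checked argv:", result["checked_argv"])
```

The two fixes are independent, and that matters: validating the ID stops the file from being created, and building an argv list instead of a command string means that even a file that slipped in by another route stays an argument. Either one alone would have broken the chain the post describes; together they remove the trust assumption that the second component made.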
Ivanti has released patches to address multiple critical security vulnerabilities in its Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain conditions. Six of the ten vulnerabilities—designated CVE-2024-29822 through CVE-2024-29827, with CVSS scores of 9.6—are SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code. The remaining four vulnerabilities—CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846, each with CVSS scores of 8.4—require the attacker to be authenticated to exploit similar flaws.
Ivanti Patches Multiple Critical Security Vulnerabilities in Endpoint Manager and Other Products - Tech BSB
https://techbsb.com
Multiple attacks exploit vulnerabilities in an IT remote access tool to deliver a variety of different payloads into business environments - https://lnkd.in/eb2G2P5E
ConnectWise ScreenConnect attacks deliver malware
https://news.sophos.com/en-us/