
Chinese hacked the US Treasury - New healthcare regulations requires deeper risk assessment

Author:
Threat Research Team
Published on
January 2, 2025
Weekly Report

The Treasury hacked by a Chinese APT

The US Department of the Treasury announced that its systems were compromised by a Chinese APT in early December and that data was stolen from workstations. The threat actor apparently gained access through an API key stolen from BeyondTrust and used in a cloud service that provides remote technical support to the Department's users. BeyondTrust is a third-party vendor providing remote access solutions to 20K customers worldwide, including 75% of Fortune 100 companies. Last week, a vulnerability in BeyondTrust (CVE-2024-12356) was reported as exploited in the wild, though it is unclear whether the two cases are related.

[mitigate]Block access from 24.144.114.85, 142.93.119.175, 157.230.183.1 and 192.81.209.168[/mitigate]

A DOS vulnerability in Palo Alto Firewalls

A Denial-of-Service vulnerability in Palo Alto PAN-OS (CVE-2024-3393) is exploited in the wild. The flaw can be used to disable the PAN-OS DNS Security feature on firewalls where it is configured, resulting in a reboot of the firewall. However, to exploit the vulnerability attackers may need the permissions of an authenticated end user via Prisma Access.

[mitigate]For each Anti-spyware profile, change the Log Severity to "none" for all configured DNS Security categories[/mitigate]

Four-Faith vulnerability targeted

An exploited vulnerability in Four-Faith (CVE-2024-12856) exposes more than 15K industrial routers worldwide. Scanning for the flaw came from the same IP address that was responsible for exploiting another Four-Faith RCE vulnerability (CVE-2019-12168) two weeks ago.

[mitigate]Block access from 178.215.238[.]91[/mitigate]
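As an added example (not part of the original report), a small Python check that normalises the indicators from the two mitigation blocks above, including the defanged `[.]` form, and flags any firewall log line carrying one of them. The log lines are constructed for illustration; the category labels are assumptions used only to name the source of each indicator.

```python
import ipaddress
import re

# Indicators as listed in this report; the Four-Faith one is published defanged.
TREASURY_BEYONDTRUST_IPS = ["24.144.114.85", "142.93.119.175", "157.230.183.1", "192.81.209.168"]
FOUR_FAITH_SCANNER_IPS = ["178.215.238[.]91"]


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 178.215.238[.]91 back into dotted form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip()


def load_indicators(*groups):
    """Map each validated, normalised IP to the label of the group it came from."""
    iocs = {}
    for label, ips in groups:
        for ip in ips:
            # ip_address() rejects malformed values and canonicalises the string.
            iocs[str(ipaddress.ip_address(refang(ip)))] = label
    return iocs


IOCS = load_indicators(
    ("treasury-beyondtrust", TREASURY_BEYONDTRUST_IPS),
    ("four-faith-scanner", FOUR_FAITH_SCANNER_IPS),
)

# Whole-token IPv4 match, so 24.144.114.850 is not mistaken for 24.144.114.85.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(lines, iocs=IOCS):
    """Return (line_no, ip, label) for every line that contains a listed indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            label = iocs.get(ip)
            if label:
                hits.append((n, ip, label))
    return hits


# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = [
    "Dec 30 10:01:12 fw1 accept src=10.20.30.40 dst=142.93.119.175 dport=443",
    "Dec 30 10:02:05 fw1 accept src=203.0.113.7 dst=10.0.0.5 dport=22",
    "Dec 30 10:03:44 fw1 drop src=178.215.238.91 dst=10.0.0.9 dport=80",
    "Dec 30 10:04:10 fw1 accept src=24.144.114.850 dst=10.0.0.9 dport=443",
]

if __name__ == "__main__":
    for n, ip, label in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} matches {label}")
```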

New Cybersecurity rules for Healthcare organizations

The US Department of Health proposed a set of new cybersecurity rules under the current regulation for healthcare organizations (HIPAA). Among other things, the new rules require vulnerability scans every six months and a more detailed risk analysis, including "an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities". The proposal also mandates data restoration within 72 hours after an incident and annual compliance audits.

CISA aims at securing cloud configurations for federal agencies

Following the growing trend of threat actors targeting cloud environments, CISA will require federal agencies to implement its Secure Cloud Business Applications (SCuBA) initiative. The initiative includes configuration baselines for SaaS, automated configuration assessments and integration with CISA's monitoring infrastructure.
