A new PAN-OS vulnerability widely targeted

A new high-severity authentication bypass vulnerability in the PAN-OS management web interface (CVE-2024-0108) affects Palo Alto Firewalls. The vulnerability is currently targeted by various threat actors. Notably, its exploit appears to have been developed through reverse engineering of a previously exploited PAN-OS vulnerability (CVE-2024-0012). While this flaw alone poses risks to system integrity and confidentiality, an attacker would need to chain it with another PAN-OS flaw (CVE-2024-9474) to execute remote commands on the interface.

‍

[mitigate]Restrict Access to Management Interfaces; Monitor with Tenable Plugin 216167. [/mitigate]

Is Mustang Panda moonlighting?

The same PAN-OS vulnerability (CVE-2024-0012) has allegedly been used by the RA World ransomware against an Asian software company in November 2024. Strangely, the group leveraged the same PlugX backdoor typical of the activities of the Chinese cyberespionage state actor Mustang Panda (aka UNC251), leading to speculations that Mustang Panda uses the “RAWorld” nickname for moonlighting (i.e. side jobs motivated by financial gains).

‍

[mitigate]Under Palo Alto’s Threat Prevention subscription, make sure the relevant Threat IDs (95746/7, 95752/3, 95759 and 95763) are in block mode.[/mitigate]

Mustang Panda also targets a Windows Explorer zero-day

Mustang Panda has also been observed exploiting a zero-day in Windows Explorer GUI, for which a CVE ID has yet to be assigned. However, Microsoft still classifies the flaw as “low severity”.

‍

SonicWall Firewalls under exploitation

Soon after the publication of a POC, exploit attempts have been observed against a SSLVPN authentication bypass in SonicWall firewalls (CVE-2024-53704). Among the threat groups involved in this campaign is ABC Ransomware (aka CryptoWall), a non-sophisticated group which emerged in 2021 and was until now focused on phishing emails for initial access. Around 4.5K vulnerable devices remain Internet-reachable.

‍

‍

Unimicron compromised in a cyber attack

Sarcoma Ransomware took credit for an attack on Unimicron Technology, a large Taiwanese printed circuit board (PCB) manufacturer. Sarcoma is an East European double extortion group that emerged in October 2024 and compromised more than 40 organizations in the US, Canada, Australia, and Spain. For initial access it exploits one-day vulnerabilities, including RDP flaws.

‍

Surge in the exploitation of two old PHP flaws

Dozens of malicious IP addresses are recently attempting to exploit two old critical PHP vulnerabilities: the ThinkPHP flaw (CVE-2022-47945) allowing RCE within the ThinPHP framework which, despite having been exploited in the past by Chinese actors,  is not tagged in the KEV list; and a flaw in OwnCloud GraphAPI (CVE-2023-49103) resulting in the disclosure of the PHP environment’s configuration details and which was among the most exploited flaws of 2023. For an unspecified reason, from early February attacks targeting the two flaws have surged by hundreds of percents.

‍

In ownCloud, remove the vulnerable file /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

A PostgreSQL zero-day also used in the Treasury hack

Security researchers discovered that the exploitation of the BeyondTrust vulnerability (CVE-2024-12356) also involved exploiting a zero-day in PostgreSQL (CVE-2025-1094). The flaw allows SQL statements with invalid UTF-8 characters to generate SQL injections in PostgreSQL psql tool. Last December, the Chinese group Silk Typhoon (aka Hafnium) leveraged the BeyondTrust flaw to infiltrate more than 20 organizations, including the the US Department of Treasury.

‍

Salt Typhoon target Cisco flaws

The Chinese Salt Typhoon (aka UNC2286) exploited vulnerabilities in 1K unpatched Cisco network devices in late December and early January, mostly against research organizations in  in telecommunications, engineering, and technology. Among others, ISPs from the US, the UK, South Africa and Thailand were compromised. The flaws include a privilege escalation vulnerability in the web UI feature of Cisco IOS XE software (CVE-2023-20198), used for initial access; and another privilege escalation vulnerability (CVE-2023-20273) used to gain root privileges. Salt Typhoon is known for its recent compromise of nine major US telecommunications companies, including Verizon, AT&T, and Lumen.

‍

‍

An initial broker for APT44 exploits notorious vulnerabilities

The GRU military unit 74455, nicknamed BadPilot, has been revealed as sub-group of the infamous Russian state actor Sandworm (aka APT44), known for its wide scale disruptive attacks, such as the NotPetya campaign, the hack of the 2018 Olympics and the attack on the Danish energy sector. Since 2021, BadPilot operates as an initial access broker for Sandworm, infiltrating organizations in sectors like energy, oil and gas, telecommunications, shipping, arms manufacturing and government. It seems focused on the exploitation of notorious vulnerabilities, including in ConnectWise ScreenConnect (CVE-2024-1709), FortiClientEMS (CVE-2023-48788), Zimbra (CVE-2022-41352), OpenFire (CVE-2023-32315), JetBrains TeamCity (CVE-2023-42793) and Microsoft Outlook (CVE-2023-23397).

‍

‍

RansomHub fails to exploit a PAN-OS flaw

In a recent campaign, RansomHub, the most prominent ransomware group worldwide with more than 600 compromised organizations in 2024, has failed to exploit the widely exploited flaw in Palo Alto PAN-OS (CVE-2024-3400) for initial access, and followingly shifted to brute force against a VPN service. However, in post-compromise stage, the group succeeded to leveraged the NoPac flaw in Microsoft Active Directory (CVE-2021-42278) and the ZeroLogon flaw (CVE-2020-1472) to escalate privileges and reach access to domain controllers.

‍

[mitigate]For CVE-2021-42278: Add validation checks on the sAMAccountName and UserAccountControl attributes of computer accounts created by users who do not have administrator rights.[/mitigate]

An emerging threat abuses hybrid environments

BlackLock (aka El Dorado) is exploiting the synchronization between on-prem and cloud environments, mostly between Active Directory and EntraID, to get initial access to on-prem users. The group, which emerged in March 2024 and is the fastest growing Ransomware-as-a-Service for 2025, uses a custom malware targeting Windows, Linux and ESXi systems. It has also shown interest in developing capabilities against Microsoft Entra Connect and other IAM tools.

‍