A new high-severity authentication bypass vulnerability in the PAN-OS management web interface (CVE-2024-0108) affects Palo Alto firewalls. The vulnerability is currently being targeted by various threat actors. Notably, its exploit appears to have been developed by reverse engineering a previously exploited PAN-OS vulnerability (CVE-2024-0012). While this flaw alone poses risks to system integrity and confidentiality, an attacker would need to chain it with another PAN-OS flaw (CVE-2024-9474) to execute remote commands on the interface.
[mitigate]Restrict access to management interfaces; monitor with Tenable Plugin 216167.[/mitigate]
The same PAN-OS vulnerability (CVE-2024-0012) has allegedly been used by the RA World ransomware group against an Asian software company in November 2024. Strangely, the group leveraged the same PlugX backdoor that is typical of the Chinese state-sponsored cyberespionage actor Mustang Panda (aka UNC251), leading to speculation that Mustang Panda uses the “RAWorld” nickname for moonlighting (i.e. financially motivated side jobs).
[mitigate]Under Palo Alto’s Threat Prevention subscription, make sure the relevant Threat IDs (95746/7, 95752/3, 95759 and 95763) are in block mode.[/mitigate]
Mustang Panda has also been observed exploiting a zero-day in the Windows Explorer GUI, for which a CVE ID has yet to be assigned. Microsoft nonetheless classifies the flaw as “low severity”.
Soon after a PoC was published, exploit attempts were observed against an SSL VPN authentication bypass in SonicWall firewalls (CVE-2024-53704). Among the threat groups involved in this campaign is ABC Ransomware (aka CryptoWall), an unsophisticated group that emerged in 2021 and had until now relied on phishing emails for initial access. Around 4.5K vulnerable devices remain reachable from the Internet.
Sarcoma Ransomware took credit for an attack on Unimicron Technology, a large Taiwanese printed circuit board (PCB) manufacturer. Sarcoma is an Eastern European double-extortion group that emerged in October 2024 and has compromised more than 40 organizations in the US, Canada, Australia and Spain. For initial access it exploits one-day vulnerabilities, including RDP flaws.
Dozens of malicious IP addresses have recently been attempting to exploit two old critical PHP vulnerabilities: a ThinkPHP flaw (CVE-2022-47945) allowing RCE within the ThinkPHP framework which, despite having been exploited in the past by Chinese actors, is not listed in the KEV catalog; and a flaw in the ownCloud GraphAPI app (CVE-2023-49103) that discloses the PHP environment’s configuration details and was among the most exploited flaws of 2023. For an unspecified reason, attacks targeting the two flaws have surged by several hundred percent since early February.
[mitigate]In ownCloud, remove the vulnerable file /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php[/mitigate]
Security researchers discovered that exploitation of the BeyondTrust vulnerability (CVE-2024-12356) also involved a zero-day in PostgreSQL (CVE-2025-1094). The flaw allows SQL statements containing invalid UTF-8 characters to produce SQL injection in the PostgreSQL psql tool. Last December, the Chinese group Silk Typhoon (aka Hafnium) leveraged the BeyondTrust flaw to infiltrate more than 20 organizations, including the US Department of the Treasury.
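The defensive point behind the psql flaw is that an escaper which trusts UTF-8 lead bytes without validating the sequence can be tricked into leaving a quote undoubled. The following added example (not code from the bulletin or from PostgreSQL) shows that weak pattern beside the hardened form, which validates the bytes strictly before quoting and rejects anything invalid. The sample inputs are constructed; `naive_quote` and `strict_quote` are illustrative names, not psql APIs.

```python
"""Strict UTF-8 validation before quoting a value for SQL.

Added example, not from the bulletin. Demonstrates why an encoding-unaware
escaper is unsafe and how a strict decode step closes the gap.
"""


def naive_quote(raw: bytes) -> bytes:
    """Weak pattern: walks bytes and copies each announced multibyte sequence
    blindly, so a quote that follows a truncated or invalid lead byte is
    swallowed as a 'continuation' byte and never doubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        b = raw[i]
        if b >= 0xC0:  # treated as a lead byte; announced length copied as-is
            n = 2 if b < 0xE0 else 3 if b < 0xF0 else 4
            out += raw[i:i + n]
            i += n
        elif b == 0x27:  # ASCII single quote: double it
            out += b"''"
            i += 1
        else:
            out.append(b)
            i += 1
    out += b"'"
    return bytes(out)


def strict_quote(raw: bytes) -> str:
    """Hardened pattern: decode strictly first. Invalid UTF-8 is rejected
    rather than escaped, so every quote reaching the escaper is a real one."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid UTF-8: {exc.reason}") from exc
    return "'" + text.replace("'", "''") + "'"


def literal_is_balanced(quoted: bytes) -> bool:
    """True if the quoted literal opens and closes cleanly (even quote count)."""
    return quoted.count(b"'") % 2 == 0


# Constructed inputs: a normal value and one with an invalid lead byte
# (0xC0 is never a valid UTF-8 lead byte) directly before a quote.
GOOD_INPUT = b"O'Reilly"
BAD_INPUT = b"\xc0'"

if __name__ == "__main__":
    print(naive_quote(GOOD_INPUT), literal_is_balanced(naive_quote(GOOD_INPUT)))
    print(naive_quote(BAD_INPUT), literal_is_balanced(naive_quote(BAD_INPUT)))
    print(strict_quote(GOOD_INPUT))
    try:
        strict_quote(BAD_INPUT)
    except ValueError as err:
        print("rejected:", err)
```

The naive escaper produces an unbalanced literal for the bad input, which is exactly the condition an injection relies on; the strict version never reaches the escaping step with such bytes. The same principle applies to any client-side quoting routine: validate encoding first, escape second.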
The Chinese group Salt Typhoon (aka UNC2286) exploited vulnerabilities in 1K unpatched Cisco network devices in late December and early January, mostly against research organizations in telecommunications, engineering and technology. Among others, ISPs in the US, the UK, South Africa and Thailand were compromised. The flaws include a privilege escalation vulnerability in the web UI feature of Cisco IOS XE software (CVE-2023-20198), used for initial access, and another privilege escalation vulnerability (CVE-2023-20273) used to gain root privileges. Salt Typhoon is known for its recent compromise of nine major US telecommunications companies, including Verizon, AT&T and Lumen.
GRU military unit 74455, nicknamed BadPilot, has been revealed as a sub-group of the infamous Russian state actor Sandworm (aka APT44), known for wide-scale disruptive attacks such as the NotPetya campaign, the hack of the 2018 Olympics and the attack on the Danish energy sector. Since 2021, BadPilot has operated as an initial access broker for Sandworm, infiltrating organizations in sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing and government. It appears to focus on exploiting well-known vulnerabilities, including those in ConnectWise ScreenConnect (CVE-2024-1709), FortiClientEMS (CVE-2023-48788), Zimbra (CVE-2022-41352), OpenFire (CVE-2023-32315), JetBrains TeamCity (CVE-2023-42793) and Microsoft Outlook (CVE-2023-23397).
In a recent campaign, RansomHub, the most prominent ransomware group worldwide with more than 600 compromised organizations in 2024, failed to exploit the widely exploited flaw in Palo Alto PAN-OS (CVE-2024-3400) for initial access and subsequently shifted to brute-forcing a VPN service. In the post-compromise stage, however, the group succeeded in leveraging the NoPac flaw in Microsoft Active Directory (CVE-2021-42278) and the ZeroLogon flaw (CVE-2020-1472) to escalate privileges and gain access to domain controllers.
[mitigate]For CVE-2021-42278: Add validation checks on the sAMAccountName and UserAccountControl attributes of computer accounts created by users who do not have administrator rights.[/mitigate]
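One way to turn the mitigation above into a recurring check is to audit computer account attributes for the inconsistencies NoPac relies on: a machine account (userAccountControl carries the workstation or server trust bit) whose sAMAccountName lacks the trailing `$`, a machine account created by a non-admin user (mS-DS-CreatorSID is populated, which only happens when the account was created under the machine account quota), and a non-DC account whose bare name collides with a domain controller's name. The following is an added example, not the bulletin's or Microsoft's code. It runs over a constructed list of account records shaped like LDAP attribute exports so it works offline; feeding it real directory data (for example from an LDAP search) is an assumption left to the reader.

```python
"""Audit computer accounts for sAMAccountName / userAccountControl
inconsistencies of the kind abused by NoPac (CVE-2021-42278).

Added example, not part of the original bulletin. Input records are dicts
with LDAP attribute names; the sample data below is constructed.
"""

WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl bit: member machine
SERVER_TRUST_ACCOUNT = 0x2000       # userAccountControl bit: domain controller
MACHINE_BITS = WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT


def is_machine_account(uac: int) -> bool:
    """True if either trust bit marks the object as a computer account."""
    return bool(uac & MACHINE_BITS)


def check_accounts(accounts: list) -> dict:
    """Return {sAMAccountName: [findings]} for every account with a finding."""
    dc_names = {
        a["sAMAccountName"].rstrip("$").lower()
        for a in accounts
        if a["userAccountControl"] & SERVER_TRUST_ACCOUNT
    }
    report = {}
    for a in accounts:
        sam = a["sAMAccountName"]
        uac = a["userAccountControl"]
        findings = []
        if is_machine_account(uac):
            if not sam.endswith("$"):
                findings.append("machine account name lacks trailing '$'")
            if a.get("mS-DS-CreatorSID"):
                findings.append("created by a non-admin user (mS-DS-CreatorSID is set)")
            if not (uac & SERVER_TRUST_ACCOUNT) and sam.rstrip("$").lower() in dc_names:
                findings.append("name collides with a domain controller name")
        elif sam.endswith("$"):
            findings.append("non-machine account carries a machine-style name")
        if findings:
            report[sam] = findings
    return report


# Constructed sample directory export (names and SID are made up).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT},
    {"sAMAccountName": "WS-042$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "DC01", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},  # NORMAL_ACCOUNT
]

if __name__ == "__main__":
    for name, findings in check_accounts(SAMPLE_ACCOUNTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Only the third record is reported, with all three findings; the legitimate DC, the ordinary workstation and the user account pass. In a real deployment the collision check is the one worth alerting on immediately, since a non-DC machine account whose bare name matches a DC is the precondition the attack depends on.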
BlackLock (aka El Dorado) is exploiting the synchronization between on-prem and cloud environments, mostly between Active Directory and Entra ID, to gain initial access to on-prem users. The group, which emerged in March 2024 and is the fastest-growing Ransomware-as-a-Service of 2025, uses custom malware targeting Windows, Linux and ESXi systems. It has also shown interest in developing capabilities against Microsoft Entra Connect and other IAM tools.