Palo Alto Networks patched the critical RCE vulnerability found in PAN-OS versions 10.2, 11.0, and 11.1 (CVE-2024-3400), which can be leveraged when the firewall is configured with a GlobalProtect gateway or portal. It has been exploited since March by a threat actor nicknamed UTA0218, suspected of being a state actor possibly affiliated with the notorious North Korean Lazarus group. UTA0218 successfully used the flaw to exfiltrate data from different organizations and, in some cases, to deploy a new Python backdoor. Moreover, since the recent publication of a PoC, exploitation attempts have quickly increased, hinting that multiple threat groups are now trying to leverage the flaw. At first, Palo Alto Networks advised mitigating the issue by disabling device telemetry, but this has been found to be ineffective.

Mitigate it

Ensure that a Vulnerability Protection profile is applied to the GlobalProtect interface and, under Threat Prevention, enable Threat IDs 95187, 95189, and 95191.¹

A new campaign has exploited a recently discovered vulnerability in Fortinet's FortiClient Enterprise Management Server (CVE-2023-48788) to compromise a media company. The campaign has been observed using ScreenConnect and Powerfun as post-exploitation tools. Even though the threat group behind the campaign remains unidentified, it appears to use German and Vietnamese in its infrastructure.

Mitigate it

Apply the virtual patch provided by Fortinet, available in FMWP database update 27.7501; scan with Qualys using QID 379512; enable Tenable plugin 192116.

IntelBroker, a mysterious threat actor selling data exfiltrated from high-profile victims, continues its current campaign. It apparently stole 630,000 customers' records from Accor, the French world-leading hotel group, and broke into the US Department of Homeland Security as well as the National Geospatial-Intelligence Agency. Recently, IntelBroker has been able to leverage a GitHub zero-day to compromise Acuity, a cybersecurity defense contractor.

Daixin Team took responsibility for the recent attack on Omni Hotels, which caused a major IT outage impacting hotel reservations, door locks and point-of-sale systems. The group also exfiltrated more than 3.5 million visitors' records. Daixin is a double-extortion ransomware group which in the past focused on targeting the health sector and is known for exploiting RDP vulnerabilities as an initial access method.

TA558, a financially motivated group usually targeting the hospitality and travel industry in Latin America and Europe, has exploited an old Microsoft Office Equation Editor vulnerability (CVE-2017-11882) against 320 organizations so far. The exploit is triggered by Office documents attached to an email sent to potential victims. On outdated Office versions, the exploit then runs a Visual Basic script that hides a payload inside a seemingly innocent JPG image file.

An old vulnerability in the Lighttpd web server, silently patched in 2018 without being assigned a CVE ID, is now exposing Lenovo and Intel servers. The issue arose after AMI MegaRAC BMC developers included unpatched open-source components. Intel and Lenovo declined to fix the vulnerability, claiming that the affected devices are end-of-life.

Threat actors, possibly Chinese, are exploiting five vulnerabilities in OpenMetadata versions 1.3.1 and earlier (CVE-2024-28847, CVE-2024-28253/4/5, CVE-2024-28848). The flaws, reported a month ago by Microsoft, let attackers take control of Internet-exposed OpenMetadata Kubernetes workloads. While they are currently used for crypto mining, they might also allow lateral movement both inside and outside the clusters.

Multiple threat actors are leveraging a flaw patched one year ago in the TP-Link Archer Wi-Fi router to deploy different botnet variants, including the infamous Mirai. The vulnerability, a command injection flaw in the router's web interface API, has been leveraged to drop botnet malware, in some cases used to conduct DDoS operations.

Mitigate it

Update FortiGuard AV and ensure your IPS monitors the relevant signature ("CVE-2023-1389:TP-Link.Archer.AX21.Unauthenticated.Command.Injection").