Risky Business News Summary: Unpatched Zero-Day in Palo Alto Networks is in the Wild
Date Released: November 18, 2024
Host: Claire Aird
Prepared by: Catalin Cimpanu
1. Zero-Day Vulnerabilities in Palo Alto Networks and Fortinet
Palo Alto Networks Firewall Exploit
The episode opens with a zero-day vulnerability in Palo Alto Networks' firewall appliances. Claire Aird reports, “The zero day impacts Palo Alto Networks' firewall appliances, while the design weakness affects Fortinet's Windows VPN client. [00:00]” The vulnerability is a pre-authentication remote code execution flaw in the firewall's web management interface. Rumors of it first surfaced on the Exploit hacking forum, and Palo Alto Networks has since confirmed active exploitation. At the time of the episode no patch was available; the company's interim advice is to restrict access to the management interface to trusted internal IP addresses and keep it off the public internet.
Fortinet VPN Client Design Flaw
Alongside the Palo Alto issue, Fortinet faces scrutiny over a design weakness in its Windows VPN client. Volexity reported it as a zero-day vulnerability, but Claire clarifies, “but looks more like a design weakness to us. [00:04]” The flaw lets an attacker who already has code running on the host extract VPN credentials in clear text from the client's process memory. Volexity found it while investigating systems infected with the DEEPDATA infostealer, which it attributes to the threat actor BrazenBamboo. Fortinet has yet to release a fix, so for now the mitigation is on the endpoint side: keep infostealers off the host, and treat any VPN credential used on a compromised machine as exposed.
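An added example of both halves of that story, written for this summary rather than taken from Volexity, Fortinet or the podcast: a scan that confirms whether a client process is holding credentials in clear text (the check a responder would run on a suspected DEEPDATA host), and the in-place wipe a client can perform once the session is established so that a later memory read finds only zeros. The memory dump and the field names (`user=`, `pass=`, `server=`) are constructed for the example; no real process is read.

```python
"""Added example (not Volexity's, Fortinet's or the podcast's code).

The 'memory dump' is a constructed byte string standing in for a snapshot of
a VPN client process, and the field names are assumptions for the example."""

import hashlib
import hmac
import re
from typing import Dict, List

# Constructed sample: what a dump of a client that keeps credentials in clear
# text might contain, with unrelated data on either side.
SAMPLE_DUMP = (
    b"\x00\x00GET /remote/login\x00"
    b"user=alice.smith\x00pass=Winter2024!\x00server=vpn.example.test\x00"
    b"\x90\x90\x90random heap noise\x00"
)

CREDENTIAL_PATTERNS = {
    "username": re.compile(rb"user=([^\x00]+)"),
    "password": re.compile(rb"pass=([^\x00]+)"),
    "server":   re.compile(rb"server=([^\x00]+)"),
}


def scan_dump(dump: bytes) -> Dict[str, List[str]]:
    """Return every clear-text credential field found in a memory snapshot.

    If the password comes back from this scan, an infostealer on the same host
    could read it just as easily.
    """
    findings: Dict[str, List[str]] = {}
    for name, pattern in CREDENTIAL_PATTERNS.items():
        hits = [m.group(1).decode("utf-8", "replace") for m in pattern.finditer(dump)]
        if hits:
            findings[name] = hits
    return findings


# Constructed stand-in for what the server side checks against.
EXPECTED_DIGEST = hashlib.sha256(b"Winter2024!").hexdigest()


class VpnCredential:
    """Holds a password in a mutable buffer so it can be wiped in place.

    A str cannot be zeroed (each 'edit' creates a new object and leaves the old
    bytes behind until the allocator reuses them); a bytearray can.
    """

    def __init__(self, password: str) -> None:
        self._buf = bytearray(password.encode("utf-8"))

    def authenticate(self, expected_digest: str) -> bool:
        """Hash straight from the buffer (no immutable copy of the secret)."""
        digest = hashlib.sha256(self._buf).hexdigest()
        return hmac.compare_digest(digest, expected_digest)

    def wipe(self) -> None:
        """Overwrite the buffer in place; same address, same length, all zeros."""
        for i in range(len(self._buf)):
            self._buf[i] = 0

    def snapshot(self) -> bytes:
        """What an attacker reading this buffer's memory region would see."""
        return bytes(self._buf)


def connect(cred: VpnCredential, expected_digest: str) -> bool:
    """Authenticate, then wipe, even if authentication raised.

    After this returns the credential is no longer resident in the buffer, so
    a memory scan of the client finds nothing to steal.
    """
    try:
        return cred.authenticate(expected_digest)
    finally:
        cred.wipe()
```

Run `scan_dump` over a real dump of the client process (after it has connected) to confirm the exposure; the `VpnCredential` pattern is what a client would need to do to make that scan come back empty.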
2. Chinese Cyber Espionage Targets US Telcos
T-Mobile Among Salt Typhoon Victims
US wireless carrier T-Mobile has been named as the fourth known victim of the Chinese cyber espionage group Salt Typhoon. Claire states, “US wireless carrier T-Mobile has been named as the fourth victim of Chinese cyber espionage group Salt Typhoon. [00:10]” The breach is part of a broader campaign against US telecommunications companies that also hit AT&T, Lumen, and Verizon. The intrusions gave Chinese hackers the ability to surveil American political figures and reach the carriers' lawful-intercept (wiretapping) systems, escalating national security concerns.
3. Leadership Changes at CISA
Departure of CISA Director Jen Easterly
CISA Director Jen Easterly has announced she will leave the agency on January 20, the day Donald Trump is inaugurated. Claire reports, “CISA director Jen Easterly will depart her role on January 20 next year, the day Donald Trump is inaugurated as the next US President. [00:15]” Easterly has led CISA since July 2021, and several senior staff members are expected to leave at the same time, which may disrupt ongoing initiatives.
4. NSO Group's Continued Exploitation of WhatsApp
Development of New WhatsApp Exploits
Despite ongoing litigation, Israeli spyware firm NSO Group kept developing and using WhatsApp exploits. Claire highlights, “Israeli spyware company NSO Group continues to develop and use WhatsApp exploits even after Meta sued the company in a US court. [00:20]” Unsealed court documents describe three NSO exploits, named Eden, Heaven, and Hummingbird, that were used in the wild after Meta filed its lawsuit (in late 2019). The documents also state that NSO employees themselves deployed the exploits on behalf of customers, contradicting the company's earlier claims that it had no visibility into how its tools were used.
5. Iranian Cyber Attacks on Israeli Athletes
Phishing and Malware During Paris Olympics
France's counter-espionage agency reported that the Iranian cyber group Emennet Pasargad targeted Israeli athletes during the Paris Olympic Games. Claire explains, “France's counter espionage agency says an Iranian cyber group named Emennet Pasargad targeted Israeli athletes during the Paris Olympic Games. [00:25]” The operation combined phishing, mobile malware, data leaks, and death threats. The same group previously interfered in the US 2020 presidential election by hacking voter-information websites, and it remains a persistent threat to international events and democratic processes.
6. Ransomware Impact on Phone House
€6.5 Million Fine for Data Breach
Spain's data protection agency has fined the electronics retailer Phone House €6.5 million over a 2021 security breach. Claire notes, “Spain's data protection agency has fined electronics retail chain store Phone House 6.5 million euros over a 2021 security breach. [00:30]” The Babuk ransomware gang leaked the personal details of 13 million customers after Phone House refused to pay. The fine was imposed because the company had not anonymized or pseudonymized customer data and stored it in plain text, so a single intrusion exposed everything at once.
7. Cryptocurrency Theft and Law Enforcement Actions
Thala DeFi Crypto Asset Theft
A threat actor stole over $25 million in crypto assets from the Thala DeFi platform. Claire states, “A threat actor has stolen over $25 million in crypto assets from the Thala DeFi platform. [00:35]” Thala has negotiated the return of all funds in exchange for a $300,000 bounty payment and plans to refund users once its codebase has been re-audited.
Sentencing of Cryptocurrency Hackers
US authorities have sentenced Ilya Lichtenstein to five years in prison for hacking the cryptocurrency exchange Bitfinex, from which he stole almost 120,000 bitcoins, worth about $70 million at the time. Separately, Larry Dean Harmon received a three-year sentence for operating Helix, a dark web cryptocurrency mixer that laundered over $310 million linked to drug markets. Both cases reflect intensified legal action against cybercriminals in the cryptocurrency space.
8. SIM Swapping and Cryptocurrency Mixer Operations
Indiana SIM Swapping Scheme
Three Indiana residents have been charged over a SIM swapping scheme that hijacked accounts, stole funds, and demanded ransoms. Claire reports, “US authorities have charged three Indiana residents over a SIM swapping scheme. [00:40]” The group performed swaps both for its own gain and as a paid service for others, a reminder that phone-number-based authentication remains a weak link against identity theft and financial fraud.
Australian Distributor Sentenced for Encrypted Device Distribution
Osemah Elhassen of Sydney has been sentenced to over five years in prison for distributing encrypted devices to criminal syndicates. Claire explains, “US authorities have sentenced an Australian man to over five years in prison for participating in a scheme to distribute non-encrypted devices to criminal syndicates. [00:45]” Elhassen distributed handsets for the ANOM encrypted phone service and was extradited to the US, a sign of close international cooperation against cyber-enabled crime.
9. Botnet Exploiting GeoVision Vulnerabilities
GeoVision Camera Hijacks
A botnet operator is exploiting a zero-day vulnerability to take over GeoVision cameras and video servers. Claire details, “A botnet operator is using a zero day vulnerability to take over GeoVision cameras and video servers. [00:50]” The attack uses an unauthenticated command injection in the firmware of end-of-life devices, and roughly 17,000 vulnerable systems are currently exposed on the internet. Because the devices are no longer supported, no firmware fix is coming; the practical options are to take them off the internet or replace them.
10. Vulnerabilities in Gogs and WordPress Plugins
Gogs Version Control System Exploit
Security researcher Fisac has published details of a vulnerability in the Gogs version control system that allows malicious code execution on the server. Claire notes, “A security researcher has published details and proof of concept code for a vulnerability in the Gogs version control system after the project failed to release a patch. [00:55]” With no patch available, the practical mitigations are to disable user self-registration (`DISABLE_REGISTRATION = true` under `[service]` in Gogs' `app.ini`) so that only vetted accounts exist, and to require multi-factor authentication (MFA) on the accounts that remain.
WordPress Security Plugin Flaw
A critical vulnerability has been discovered in the "Really Simple Security" WordPress plugin, which is installed on more than 4 million websites. Claire states, “and finally, security researchers have discovered a major vulnerability in a WordPress security plugin installed on more than 4 million websites. [01:00]” The flaw is an authentication bypass that lets an unauthenticated attacker log in as any account on an affected site, which Wordfence researchers describe as one of the most serious vulnerabilities they have seen in their 12-year history.
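The page does not give the plugin's internals, so the following is an added example rather than the plugin's code: the general shape of an authentication bypass in a two-factor login endpoint, with the vulnerable handler beside the corrected one. The verifier returns a failure object instead of raising (the same convention WordPress uses with `WP_Error`), and the vulnerable caller only checks its result against `None`, so any failure value is treated as a verified user and the attacker's requested account is logged in. The user table and one-time codes are constructed sample data.

```python
"""Added example, not the Really Simple Security plugin's code: a two-factor
login handler that can be bypassed, next to the corrected version.

USERS and VALID_CODES are constructed sample data."""

from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class User:
    user_id: int
    login: str


@dataclass(frozen=True)
class AuthError:
    """Failure value returned by the verifier (compare WordPress's WP_Error)."""
    code: str
    message: str


# Constructed sample data: a user directory and each user's current one-time code.
USERS = {1: User(1, "admin"), 2: User(2, "editor")}
VALID_CODES = {1: "482913", 2: "117744"}


def verify_two_factor(user_id: int, code: str) -> Union[User, AuthError]:
    """Return the User on success, otherwise an AuthError object.

    Returning a failure object instead of raising is legitimate, but every
    caller must then check for it explicitly; the handler below does not.
    """
    user = USERS.get(user_id)
    if user is None:
        return AuthError("no_user", "unknown user id")
    if VALID_CODES.get(user_id) != code:
        return AuthError("bad_code", "invalid one-time code")
    return user


def login_vulnerable(user_id: int, code: str) -> Optional[int]:
    """Bypass: the result is only compared against None.

    An AuthError is not None, so a wrong code for any user id still reaches
    the line that establishes the session, and the account logged in is the
    one the attacker supplied in the request.
    """
    result = verify_two_factor(user_id, code)
    if result is None:
        return None
    return user_id            # session established for the requested account


def login_fixed(user_id: int, code: str) -> Optional[int]:
    """Corrected: accept only a verified User and take the identity from it."""
    result = verify_two_factor(user_id, code)
    if not isinstance(result, User):
        return None           # every failure value is rejected, whatever its type
    return result.user_id     # identity comes from the verified object, not the request
```

Two properties of the fix are worth copying into any login code you review: a positive check on the success type rather than a negative check on one failure value, and taking the identity to log in from the verified object rather than from the request.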
11. Technological Advances and Regulatory Developments
Google's Shielded Email Feature
Google is enhancing Gmail with "Shielded Email," allowing users to create random-looking usernames for online forms to mask their real email addresses. “Google is working on a new email masking feature for its Gmail service called Shielded Email. [01:05]” This feature, similar to offerings from Apple and Mozilla, includes the ability to delete aliases if they begin receiving spam, thereby improving user privacy and security.
Google's Security Improvements to C++ Code
To protect against spatial memory safety bugs (out-of-bounds reads and writes), Google has rolled out a hardened build of libc++, the C++ standard library, across its production services, including Search, Gmail, Drive, YouTube, and Maps. Claire reports, “Google has rolled out security improvements to its C code to protect against spatial memory vulnerabilities. [01:10]” The hardened library adds bounds checks to common containers and operations; the same hardening was first shipped in Chrome in 2022, and Google measured an average performance cost of only about 0.3%.
O2's AI System Against Phone Scammers
British telco O2 has built an AI system named Daisy that poses as an elderly woman to keep phone scammers talking. “British Internet service provider O2 says it developed an AI system that mimics an elderly lady to fight off phone fraud. [01:15]” Daisy has kept individual scammers on the line for more than 40 minutes, time they cannot spend on real victims.
12. Regulatory Actions and Industry Responses
US Senator Targets Steam on Extremist Content
Senator Mark Warner has urged the gaming platform Steam to intensify its moderation of extremist and hateful content. Claire states, “A US senator has asked gaming platform Steam to crack down on extremist and hateful content on its platform. [01:20]” Citing an Anti-Defamation League report, Warner highlighted that over 1.5 million users and 73,000 groups shared extremist symbols, prompting calls for enhanced content regulation. This marks the third Congressional inquiry into Steam's moderation practices over three years.
FTC’s Success in Reducing Robocalls
The US Federal Trade Commission (FTC) announced a significant reduction in telemarketing calls, halving their numbers since 2021. “The US Federal Trade Commission says the number of telemarketing calls has halved since 2021. [01:25]” This decline is attributed to new regulations banning unsolicited calls and the FTC's crackdown on illegal telemarketing operations, showcasing effective regulatory enforcement in combating nuisance calls.
Conclusion
In this episode of Risky Business News, Claire Aird covers the latest threats, vulnerabilities, and regulatory actions affecting enterprises and consumers. Two of the week's biggest stories are edge-device problems, an unpatched pre-auth zero-day in Palo Alto Networks firewalls and clear-text credentials in Fortinet's VPN client, alongside the Salt Typhoon telco intrusions and a WordPress authentication bypass affecting millions of sites. On the other side of the ledger are defensive advances such as hardened libc++ in Google's production code, email aliasing in Gmail, and AI-driven scam-call disruption, together with a run of sentences and indictments against cryptocurrency thieves, money launderers, and SIM swappers.
End of Summary
