
PLUS: T-Mobile joins the Salt Typhoon victim list; NSO developed new WhatsApp exploits after lawsuit; O2 AI keeps phone scammers busy.
Claire Aird
Flaws used in the wild in Fortinet and Palo Alto Networks software, T-Mobile joins the list of Salt Typhoon victims, NSO developed a new WhatsApp exploit after a lawsuit, and a British telco develops an AI that keeps phone scammers talking in circles. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. It's the 18th of November, and in today's top story, details of a zero-day vulnerability in Palo Alto Networks software and a design flaw in a Fortinet product were published on Friday, every IT engineer's favourite day for emergency security procedures. The zero-day impacts Palo Alto Networks' firewall appliances, while the design weakness affects Fortinet's Windows VPN client. The Palo Alto zero-day is believed to be related to an alleged exploit sold on the Exploit hacking forum earlier this month. The company issued a security alert about the rumoured exploit 10 days ago and has now updated the advisory to confirm live exploitation. The zero-day is a pre-auth remote code execution in the firewall's web management interface. Palo Alto Networks has asked customers to restrict access to the management panel to trusted IPs only until it releases a patch. The Fortinet weakness is described by Volexity as a zero-day vulnerability, but looks more like a design weakness to us. It allows attackers to extract VPN credentials in clear text from the VPN client's memory. Security firm Volexity says the weakness was exploited on systems that were previously infected with the DeepData infostealer malware. Fortinet is yet to release a fix for the bug. Volexity linked the malware to a threat actor it tracks as BrazenBamboo. Neither of the two issues has a CVE. US wireless carrier T-Mobile has been named as the fourth victim of Chinese cyber espionage group Salt Typhoon. The breach was part of a large-scale campaign that targeted US telcos and which also compromised AT&T, Lumen and Verizon.
The breaches allowed Chinese hackers to spy on American political figures and compromise law enforcement wiretapping systems. CISA director Jen Easterly will depart her role on January 20 next year, the day Donald Trump is inaugurated as the next US President. Easterly has already notified staff via email and at an all-hands staff meeting, according to a Nextgov report. Several of her staff will also depart the agency on the same day. Easterly has served as CISA's head since July 2021. Israeli spyware company NSO Group continued to develop and use WhatsApp exploits even after Meta sued the company in a US court. Unsealed court documents reveal that NSO developed three exploits named Eden, Heaven and Hummingbird, with the last being used in the wild months after Meta's 2020 lawsuit. In addition, court documents also reveal that NSO employees were the ones deploying the exploits against customers' targets. This contradicts previous NSO statements that the company didn't know how customers were using its hacking tools. France's counter-espionage agency says an Iranian cyber group named Emennet Pasargad targeted Israeli athletes during the Paris Olympic Games. According to French news site Mediapart, the operation included phishing, mobile malware, data leaks and even death threats. The group is primarily known for interfering in the US 2020 presidential election, when it hacked voter websites and posed as right-wing group Proud Boys to send threatening emails to Democrat voters. Spain's data protection agency has fined electronics retail chain Phone House 6.5 million euros over a 2021 security breach. The company was the victim of the Babuk ransomware, which leaked the personal details of 13 million customers after Phone House refused to pay a ransom. Spain's data protection agency fined Phone House for failing to anonymise customer data and for storing the information in plain text. Phone House is the largest telco electronics retail chain in Europe, with over 400 stores.
A threat actor has stolen over $25 million in crypto assets from the Thala DeFi platform. The company says it immediately identified the attacker and negotiated a return of all funds for a $300,000 bounty payment. Thala says it will return all stolen funds to user accounts once it re-audits its code base. Germany's statistics agency Destatis is investigating a possible breach of its IT network after some of its data was put up for sale by pro-Russian hackers. The agency has taken its IDEV data sharing system offline while it investigates the incident further. The system is used by private companies and state and federal governments to share statistical data and reports. Google is working on a new email masking feature for its Gmail service called Shielded Email. The feature will allow users to generate random-looking usernames to use in online forms and hide their real email addresses. Users will be able to delete the email aliases if they start receiving spam through one of them. The feature is not new, as both Apple and Mozilla already offer a similar service in iCloud Hide My Email and Firefox Relay. Google has rolled out security improvements to its C code to protect against spatial memory vulnerabilities. These are vulnerabilities such as buffer overflows and out-of-bounds access. The company says it's now using a hardened version of the libc library in its production environments. The code is now live in Search, Gmail, Drive, YouTube and Maps after it was initially tested in Chrome in 2022. Google says the more robust library only introduces a 0.3% performance impact. British Internet service provider O2 says it developed an AI system that mimics an elderly lady to fight off phone fraud. The system detects suspected phone scammers and keeps them on the phone for as long as possible, posing as a gullible victim. O2 says the new Daisy granny AI has successfully kept multiple scammers on the phone for more than 40 minutes at a time.
A US senator has asked gaming platform Steam to crack down on extremist and hateful content on its platform. Senator Mark Warner cited a recent report from the Anti-Defamation League that found over 1.5 million users and over 73,000 groups sharing at least one potentially extremist or hateful symbol, text or keyword. According to The Verge, this is the third time in three years that Congress has asked Steam about its moderation practices. The platform has been one of the slowest to address hateful conduct, having only added moderation tools to its forums in 2018. The US Federal Trade Commission says the number of telemarketing calls has halved since 2021. The agency says 2024 is the third year in a row in which it has registered a decline in robocalls across the US. The FTC credits the decline to new rules banning unwanted calls and its crackdown on illegal telemarketing services. US authorities have sentenced Ilya Lichtenstein to five years in prison for hacking cryptocurrency exchange Bitfinex. Officials say Lichtenstein stole almost 120,000 bitcoin from the company's wallets in August 2016. He laundered the stolen funds with the help of his wife, Heather Morgan, until they were both detained in February; both pleaded guilty to their crimes. Besides his prison sentence, Lichtenstein will also serve three years of supervised release. Morgan is scheduled to be sentenced this week. The funds were worth $70 million at the time of the hack, but are now valued at more than $10.5 billion. We're still hoping for an enhanced sentence for Heather's crimes against music. A US judge has sentenced an Ohio man to three years in prison for operating a dark web-based cryptocurrency mixer, officials say. Larry Dean Harmon was the administrator of Helix, a service that laundered over $310 million in crypto assets linked to dark web drug markets. Harmon ran Helix between 2014 and 2017 and was arrested in 2020.
Harmon's brother is already serving a prison sentence of four years and three months for hiding some of Helix's funds in his personal accounts. US authorities have sentenced an Australian man to over five years in prison for participating in a scheme to distribute ANOM encrypted devices to criminal syndicates. Osema El Hasan of Sydney, Australia, was one of 17 suspects detained in 2021 in connection to the ANOM encrypted phone service, according to officials. El Hasan worked as the company's distributor in Colombia, where he was arrested and later extradited to the US. US authorities have charged three Indiana residents over a SIM swapping scheme. Officials say the group performed SIM swaps for themselves, but also in exchange for money for other individuals. The trio allegedly hijacked accounts, stole funds from their victims and also demanded ransoms to restore access to stolen accounts. The three suspects were arrested last week. A botnet operator is using a zero-day vulnerability to take over GeoVision cameras and video servers. The attacks were spotted last week by Taiwan CERT and are exploiting an unauthenticated command injection in the devices' firmware. The devices have reached end of life and no patch is available. According to the Shadowserver Foundation, there are around 17,000 vulnerable systems currently connected to the Internet. A security researcher has published details and proof-of-concept code for a vulnerability in the Gogs version control system after the project failed to release a patch. The vulnerability allows threat actors to run malicious code on Gogs version control servers. While the vulnerability does not have a patch, the only upside is that attackers need access to an account to run the exploit. Security researcher Fisac has urged Gogs admins to disable user self-registration and enforce MFA to prevent attacks.
And finally, security researchers have discovered a major vulnerability in a WordPress security plugin installed on more than 4 million websites. The bug is an authentication bypass in Really Simple Security and allows attackers to access any account on a WordPress site. Wordfence researchers describe the bug as one of the most serious vulnerabilities they've reported in the company's 12-year history. And that is all for this podcast edition. Thanks for your company.
Risky Business News Summary: Unpatched Zero-Day in Palo Alto Networks is in the Wild
Date Released: November 18, 2024
Host: Claire Aird
Prepared by: Catalin Cimpanu
Palo Alto Networks Firewall Exploit
The episode opens with alarming news about a zero-day vulnerability in Palo Alto Networks' firewall appliances. Claire Aird reports, “The zero-day impacts Palo Alto Networks' firewall appliances, while the design weakness affects Fortinet's Windows VPN client. [00:00]” This vulnerability is a pre-authentication remote code execution flaw in the firewall's web management interface. Initially rumored on the Exploit hacking forum, the bug has since been confirmed by Palo Alto Networks as under active exploitation. With no patch yet available, the company has advised customers to restrict access to the management panel to trusted IPs only until a fix is released.
Fortinet VPN Client Design Flaw
Alongside the Palo Alto issue, Fortinet faces scrutiny over a design weakness in its Windows VPN client. Volexity describes it as a zero-day vulnerability, but Claire adds that it “looks more like a design weakness to us. [00:04]” The flaw permits attackers to extract VPN credentials in clear text from the client's memory. Notably, Volexity observed the weakness being exploited on systems previously infected with the DeepData infostealer malware, which it attributes to the threat actor BrazenBamboo. Fortinet has yet to release a fix, heightening concerns within the cybersecurity community.
T-Mobile Among Salt Typhoon Victims
A significant breach has been reported involving US wireless carrier T-Mobile, now the fourth known victim of the Chinese cyber espionage group Salt Typhoon. Claire states, “US wireless carrier T-Mobile has been named as the fourth victim of Chinese cyber espionage group Salt Typhoon. [00:10]” This breach is part of a broader campaign targeting US telecommunications companies, including AT&T, Lumen, and Verizon. The intrusions have enabled Chinese hackers to surveil American political figures and compromise law enforcement wiretapping systems, escalating national security concerns.
Departure of CISA Director Jen Easterly
In a notable leadership update, CISA Director Jen Easterly announced her departure, effective January 20, coinciding with President Donald Trump's inauguration. Claire reports, “CISA director Jen Easterly will depart her role on January 20 next year, the day Donald Trump is inaugurated as the next US President. [00:15]” Easterly has been at the helm since July 2021, and her departure will see several staff members leaving the agency simultaneously, potentially impacting ongoing cybersecurity initiatives.
Development of New WhatsApp Exploits
Despite legal challenges, Israeli spyware firm NSO Group persisted in developing WhatsApp exploits. Claire highlights, “Israeli spyware company NSO Group continued to develop and use WhatsApp exploits even after Meta sued the company in a US court. [00:20]” Unsealed court documents reveal that NSO created three exploits, named Eden, Heaven, and Hummingbird, the last of which was used in the wild after Meta's 2020 lawsuit. The documents also disclose that NSO employees directly deployed these exploits against customers' targets, contradicting the company's prior claims that it did not know how customers used its tools.
Phishing and Malware During Paris Olympics
France's counter-espionage agency reported that Iranian cyber group Emennet Pasargad targeted Israeli athletes during the Paris Olympic Games. Claire explains, “France's counter-espionage agency says an Iranian cyber group named Emennet Pasargad targeted Israeli athletes during the Paris Olympic Games. [00:25]” The operation included phishing, mobile malware, data leaks, and death threats. The group, previously known for meddling in the US 2020 presidential election by hacking voter websites, remains a persistent threat to international events and democratic processes.
€6.5 Million Fine for Data Breach
Spain's data protection agency has fined the electronics retailer Phone House €6.5 million following a 2021 security breach. Claire notes, “Spain's data protection agency has fined electronics retail chain Phone House 6.5 million euros over a 2021 security breach. [00:30]” The breach involved the Babuk ransomware, which leaked personal details of 13 million customers after Phone House refused to pay the ransom. The fine was imposed for the company's failure to anonymize customer data and for storing the information in plain text, highlighting the severe repercussions of inadequate data protection measures.
Thala DeFi Crypto Asset Theft
A threat actor stole over $25 million in crypto assets from the Thala DeFi platform. Claire states, “A threat actor has stolen over $25 million in crypto assets from the Thala DeFi platform. [00:35]” Thala has negotiated the return of all funds in exchange for a $300,000 bounty payment and plans to refund users once its codebase is re-audited.
Sentencing of Cryptocurrency Hackers
US authorities have sentenced Ilya Lichtenstein to five years in prison for hacking cryptocurrency exchange Bitfinex, from which he stole almost 120,000 bitcoin worth $70 million at the time. Separately, Larry Dean Harmon received a three-year sentence for operating the dark web cryptocurrency mixer Helix, which laundered over $310 million linked to dark web drug markets. These cases underscore the intensified legal action against cybercriminals in the cryptocurrency domain.
Indiana SIM Swapping Scheme
Three Indiana residents have been charged for their involvement in a SIM swapping scheme that hijacked accounts, stole funds, and demanded ransoms. Claire reports, “US authorities have charged three Indiana residents over a SIM swapping scheme. [00:40]” This group performed swaps both for personal gain and in exchange for money, highlighting the ongoing threat of identity theft and financial fraud.
Australian Distributor Sentenced for Encrypted Device Distribution
Osema El Hasan from Sydney has been sentenced to over five years in prison for distributing ANOM encrypted devices to criminal syndicates. Claire explains, “US authorities have sentenced an Australian man to over five years in prison for participating in a scheme to distribute ANOM encrypted devices to criminal syndicates. [00:45]” El Hasan worked as a distributor for the ANOM encrypted phone service in Colombia, where he was arrested before being extradited to the US, an example of international cooperation against cyber-enabled crime.
GeoVision Camera Hijacks
A botnet operator is exploiting a zero-day vulnerability to commandeer GeoVision cameras and video servers. Claire details, “A botnet operator is using a zero-day vulnerability to take over GeoVision cameras and video servers. [00:50]” The attack leverages an unauthenticated command injection in the firmware of end-of-life devices, with approximately 17,000 vulnerable systems currently exposed on the Internet. With no patch available, the case illustrates the risk of keeping legacy hardware that no longer receives vendor support online.
Gogs Version Control System Exploit
Security researcher Fisac has published details of a vulnerability in the Gogs version control system that allows malicious code execution on Gogs servers. Claire notes, “A security researcher has published details and proof-of-concept code for a vulnerability in the Gogs version control system after the project failed to release a patch. [00:55]” Because exploitation requires an account, the recommended interim measures are to disable user self-registration and enforce multi-factor authentication (MFA) until a patch is available.
WordPress Security Plugin Flaw
A critical vulnerability has been discovered in the "Really Simple Security" WordPress plugin, affecting over 4 million websites. Claire states, “And finally, security researchers have discovered a major vulnerability in a WordPress security plugin installed on more than 4 million websites. [01:00]” This authentication bypass flaw allows attackers to access any account on an affected WordPress site, and Wordfence researchers describe it as one of the most severe vulnerabilities they have reported in the company's 12-year history.
Google's Shielded Email Feature
Google is enhancing Gmail with "Shielded Email," allowing users to create random-looking usernames for online forms to mask their real email addresses. “Google is working on a new email masking feature for its Gmail service called Shielded Email. [01:05]” This feature, similar to offerings from Apple and Mozilla, includes the ability to delete aliases if they begin receiving spam, thereby improving user privacy and security.
Google's Security Improvements to C Code
To protect against spatial memory vulnerabilities such as buffer overflows and out-of-bounds access, Google has deployed a hardened version of the libc library across its services, including Search, Gmail, Drive, YouTube, and Maps. Claire reports, “Google has rolled out security improvements to its C code to protect against spatial memory vulnerabilities. [01:10]” The hardened library was first tested in Chrome in 2022 and, according to Google, introduces only a 0.3% performance impact.
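Bounds checking is the idea behind the hardened library described above: every access to a buffer is compared against the buffer's known length, so an out-of-bounds read or write is caught rather than silently touching adjacent memory. The following is an added example, not Google's code or the hardened libc itself. It is a plain-C byte buffer that carries its own length and refuses any read, write or copy that would land outside it, including the case where offset plus length wraps around on `size_t`. All names in it (`checked_buf`, `cb_get`, `cb_set`, `cb_copy_in`, `demo_refused_accesses`) are assumptions made for this example, and the input it runs over is constructed.

```c
/*
 * Added example (not Google's code or the hardened libc): a minimal
 * bounds-checked byte buffer in plain C. Every read, write and copy is
 * checked against the recorded length, so an out-of-bounds access is
 * reported as an error instead of touching memory next to the buffer.
 * All names are assumptions made for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw storage paired with its length: the checked wrapper. */
typedef struct {
    uint8_t *data;
    size_t   len;
} checked_buf;

/* Result codes for checked operations. */
enum { CB_OK = 0, CB_OUT_OF_BOUNDS = -1, CB_OVERFLOW = -2 };

/* Checked read: any index >= len is refused. */
int cb_get(const checked_buf *b, size_t idx, uint8_t *out) {
    if (idx >= b->len) return CB_OUT_OF_BOUNDS;
    *out = b->data[idx];
    return CB_OK;
}

/* Checked write: same rule as cb_get. */
int cb_set(checked_buf *b, size_t idx, uint8_t v) {
    if (idx >= b->len) return CB_OUT_OF_BOUNDS;
    b->data[idx] = v;
    return CB_OK;
}

/*
 * Checked copy into the buffer at offset off. The room check is written as
 * (len - off < n) rather than (off + n > len) so that a huge n cannot wrap
 * off + n around on size_t and slip past the test.
 */
int cb_copy_in(checked_buf *dst, size_t off, const uint8_t *src, size_t n) {
    if (off > dst->len || dst->len - off < n) return CB_OVERFLOW;
    memcpy(dst->data + off, src, n);
    return CB_OK;
}

/*
 * Demonstration over constructed input: a 4-byte buffer and six accesses an
 * unchecked program would perform without complaint. Returns how many of
 * them the checked wrapper refused.
 */
int demo_refused_accesses(void) {
    uint8_t storage[4] = {0};
    checked_buf b = { storage, sizeof storage };
    uint8_t v;
    int refused = 0;

    if (cb_get(&b, 3, &v) != CB_OK) refused++;     /* last valid index: allowed */
    if (cb_get(&b, 4, &v) != CB_OK) refused++;     /* one past the end: refused */
    if (cb_set(&b, 100, 0x41) != CB_OK) refused++; /* far out of bounds: refused */
    /* 6 bytes into a 4-byte buffer: the classic overflow, refused */
    if (cb_copy_in(&b, 0, (const uint8_t *)"AAAAAA", 6) != CB_OK) refused++;
    /* 4 bytes at offset 0 fit exactly: allowed */
    if (cb_copy_in(&b, 0, (const uint8_t *)"ABCD", 4) != CB_OK) refused++;
    /* offset + length would wrap on size_t: still refused */
    if (cb_copy_in(&b, 2, (const uint8_t *)"XY", SIZE_MAX) != CB_OK) refused++;

    return refused; /* 4 of the 6 operations are refused */
}

int main(void) {
    printf("checked buffer refused %d of 6 operations\n", demo_refused_accesses());
    return 0;
}
```

The cost of this pattern is exactly the comparison on every access, which is the overhead the 0.3% figure above refers to; the benefit is that the two overflowing copies and the two out-of-bounds indexes above become error returns at the point of access rather than memory corruption discovered later.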
O2's AI System Against Phone Scammers
British ISP O2 has developed an AI system named Daisy Granny, which mimics an elderly lady to deceive phone scammers and prolong calls. “British Internet service provider O2 says it developed an AI system that mimics an elderly lady to fight off phone fraud. [01:15]” The AI successfully keeps scammers engaged for over 40 minutes, reducing the efficacy of phone-based fraud attempts.
US Senator Targets Steam on Extremist Content
Senator Mark Warner has urged the gaming platform Steam to intensify its moderation of extremist and hateful content. Claire states, “A US senator has asked gaming platform Steam to crack down on extremist and hateful content on its platform. [01:20]” Citing an Anti-Defamation League report, Warner highlighted that over 1.5 million users and 73,000 groups shared extremist symbols, prompting calls for enhanced content regulation. This marks the third Congressional inquiry into Steam's moderation practices over three years.
FTC’s Success in Reducing Robocalls
The US Federal Trade Commission (FTC) announced a significant reduction in telemarketing calls, halving their numbers since 2021. “The US Federal Trade Commission says the number of telemarketing calls has halved since 2021. [01:25]” This decline is attributed to new regulations banning unsolicited calls and the FTC's crackdown on illegal telemarketing operations, showcasing effective regulatory enforcement in combating nuisance calls.
In this episode of Risky Business News, Claire Aird covers the latest cybersecurity threats, vulnerabilities, and regulatory actions affecting enterprises and consumers. From actively exploited zero-days in firewall and VPN products to espionage campaigns against telecommunications providers and political figures, the threat landscape remains challenging. Defensive developments, such as AI-driven fraud prevention and email masking features, together with significant sentences handed to cybercriminals, round out the picture for IT and security professionals following the evolving threat environment.
End of Summary