Lunar Peek - an exploited PAN-OS vulnerability
In an operation tracked as Lunar Peek, a Palo Alto Networks PAN-OS zero-day (CVE-2024-0012) has been exploited in the wild, on a limited scale so far. The flaw is an authentication bypass in the PAN-OS management web interface: an unauthenticated attacker with network access to that interface can obtain administrator privileges. In observed attacks it has possibly been chained with a second, privilege escalation vulnerability (CVE-2024-9474). Palo Alto Networks apparently learnt about the zero-day from a post offering it for sale on a dark web forum.
Mitigate it
Under Palo Alto's Threat Prevention subscription, make sure the relevant Threat IDs (95746, 95747, 95752, 95753, 95759 and 95763) are set to block mode. The vendor's primary recommendation is to restrict access to the management interface to trusted internal IP addresses and never to expose it to the Internet.
Palo Alto Expedition exploited
Two vulnerabilities (CVE-2024-9463/4) in another Palo Alto Networks product, Expedition, have been exploited by threat actors. Expedition is a migration tool that helps users import firewall configurations from third-party vendors. The command injection and SQL injection vulnerabilities lead to the disclosure of sensitive data (clear-text credentials, device configurations and API keys) and to the exfiltration of database contents.
Mitigate it
Enforce FortiGate IPS rule "Palo.Alto.Networks.Expedition.CVE-2024-9464.Command.Injection"; detect with Qualys QIDs 380667 and 731836. Because Expedition stores firewall credentials, rotate all Expedition usernames, passwords and API keys, as well as the firewall credentials it processed, after upgrading.
APT41 exploits an undocumented Fortinet vulnerability
A custom surveillance malware family named DeepData has been observed exploiting a Fortinet zero-day. The malware has been linked to the Chinese state actor APT41 and was previously used for cyber espionage against Asian journalists and politicians. The flaw in Fortinet's Windows VPN client, FortiClient, allows attackers to extract VPN usernames and passwords from the client's process memory, where they remain after authentication. Although it was reported to Fortinet last July, it has not been patched nor assigned a CVE ID to this day.
Mitigate it
Block traffic to and from the IP addresses 103.27.109[.]217, 103.27.108[.]207 and 121.201.109[.]98
Helldown targets VMware ESXi servers
The Helldown ransomware now has a Linux variant targeting VMware ESXi servers. The group apparently gains initial access by exploiting multiple undocumented vulnerabilities in Zyxel firewalls, possibly obtained when Helldown broke into Zyxel three months ago and exfiltrated 250 GB of data from the company's network. Helldown is a new group that emerged last August and mostly targets SMBs, with 31 victims in the US so far. It is considered highly aggressive, aiming to cause significant disruption and financial loss to its victims. The Windows variant of its malware shares similarities with LockBit 3.0.
IoT zero-days acquired online for a new botnet
A threat actor dubbed Water Barghest has hijacked over 20,000 IoT devices from various brands into a botnet, which it rents out as proxies to other actors looking for anonymity. Water Barghest compromised the devices by exploiting IoT zero-days acquired online. The devices were then quickly enrolled into the botnet, sometimes as little as 10 minutes after exploitation.
IntelBroker hacked Tesla and Ford
Through the breach of a third party, IntelBroker has exfiltrated 116,000 rows from Tesla's EV charging station database, apparently concerning only stations in the Middle East. In addition, the actor put on sale 44,000 customer records stolen from Ford. IntelBroker is a well-known independent hacker who targets high-profile organizations and is skilled in vulnerability exploitation.
GeoVision flaws used in botnets
A command injection zero-day in five end-of-life GeoVision products (CVE-2024-11120) has been exploited by a botnet installing a variant of the Mirai malware. GeoVision is a Taiwanese company specializing in video surveillance systems (video recorders, IP cameras, license plate recognition systems, etc.).
VMware's difficulties patching an exploited vulnerability
VMware has struggled to patch two critical vulnerabilities (CVE-2024-38812 and CVE-2024-38813) in vCenter Server, now exploited in the wild. The flaws were discovered last June during a Chinese hacking contest. Since then, VMware has had to release patches twice, the initial fixes having proved incomplete. CVE-2024-38812 is a heap overflow that lets an attacker with network access to vCenter send crafted packets and achieve remote code execution; CVE-2024-38813 is a privilege escalation.
Mitigate it
Detect with Qualys QID 216334
Two Apple Zero-Days
Apple released patches for two exploited vulnerabilities, observed in attacks against Intel-based Mac systems and triggered through malicious web content processed by Safari (the fixes cover macOS, iOS/iPadOS, visionOS and Safari). The first (CVE-2024-44308) is a flaw in JavaScriptCore that could lead to arbitrary code execution and was resolved through improved validation checks; the second (CVE-2024-44309) is a cookie management issue in WebKit that could lead to cross-site scripting and was fixed with improved state management.
Germany before elections
Ahead of a federal election next February, Germany warns of an intensification of cyber attacks against the country. According to an official report, no fewer than 22 threat groups are currently targeting German government, education and defense organizations, while the number of malware variants used against German victims has increased by 26% over the past year. Berlin also stresses the importance of mitigating vulnerabilities, revealing a 2023 intrusion into a large IT service provider through the exploitation of a Confluence flaw.
INC Ransom against Hungary
Hungary's defense procurement agency has been attacked by INC Ransom, a well-known international cybercrime group. The data extortion group is notorious for having hacked Xerox and Yamaha Motors, and has previously gained access to victims by exploiting a Citrix NetScaler vulnerability (CVE-2023-3519).
Sources
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/, https://security.paloaltonetworks.com/CVE-2024-0012, https://x.com/phantmradar/status/1852328029243978067
- https://www.securityweek.com/cisa-warns-of-two-more-palo-alto-expedition-flaws-exploited-in-attacks/
- https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/
- https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/
- https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
- https://www.securityweek.com/ford-investigating-potential-breach-after-hackers-claim-data-theft/, https://twitter.com/DarkWebInformer/status/1859016079164796977
- https://www.securityweek.com/discontinued-geovision-products-targeted-in-botnet-attacks-via-zero-day/
- https://www.securityweek.com/vmware-discloses-exploitation-of-hard-to-fix-vcenter-server-flaw/
- https://www.cnet.com/tech/services-and-software/apple-urges-mac-users-to-update-after-hackers-exploit-web-vulnerabilities/
- https://therecord.media/germany-cyber-threats-russia-elections, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2024.pdf
- https://therecord.media/hungary-defense-procurement-agency-hacked