Daily Brief
Articles are listed below; see 'Details' for the generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2024-04-13 08:30:46 | thehackernews | NATION STATE ACTIVITY | Advanced Persistent Threat Exploits Palo Alto Firewall Zero-Day | Threat actors are exploiting a zero-day command-injection flaw in Palo Alto Networks' PAN-OS, tracked as CVE-2024-3400 and rated CVSS 10.0.
Palo Alto Networks tracks the activity as Operation MidnightEclipse; it deploys a Python backdoor and targets firewalls configured with a GlobalProtect gateway and device telemetry enabled.
The attackers controlled access carefully: a cron job on the firewall fetches commands from an external server and executes them, and only a small set of devices received follow-on activity.
Observed post-exploitation steps include spawning a reverse shell, pivoting into the internal network, and exfiltrating data.
Volexity, which uncovered the in-the-wild exploitation, tracks the actor as UTA0218 and assesses it is likely state-backed, given the sophistication and resources on display.
CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, directing federal agencies to apply the vendor's mitigations and, once released, the patches.
The attackers' apparent goal is to steal the domain backup keys, Active Directory credentials, and user data such as saved browser cookies and login data, in pursuit of broad network access and data theft. | Details |
| 2024-04-12 22:45:42 | theregister | CYBERCRIME | Critical Zero-Day Exploit Detected in Palo Alto Networks Firewalls | Palo Alto Networks has issued a critical alert about a zero-day vulnerability in PAN-OS, the software that runs its firewall and VPN products.
The flaw, rated CVSS 10/10, allows unauthenticated remote code execution as root.
Exploitation has been detected against devices running PAN-OS 10.2, 11.0 and 11.1 with a GlobalProtect gateway and device telemetry enabled.
Volexity's initial report attributes the activity to an attacker it tracks as UTA0218, which exploited the bug to install a Python backdoor and pull sensitive configuration data for lateral movement into the network.
Palo Alto Networks calls the operation "MidnightEclipse"; the activity dates back to at least March 26, 2024, and is ongoing.
Interim mitigations are to enable the GlobalProtect-specific vulnerability-protection signature or to disable device telemetry until the fix is installed (Palo Alto Networks later withdrew the telemetry advice after finding the flaw is exploitable with telemetry off, so treat the hotfix as the only complete remedy).
Palo Alto Networks has committed to releasing hotfixes by April 14 and is notifying and supporting affected customers. | Details |
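As an added example (not code from the article or from Palo Alto Networks), the Python below scans GlobalProtect service log text for the indicator the vendor published for CVE-2024-3400: `failed to unmarshal session(...)` entries whose session value contains a path separator, the same thing the vendor's CLI check `grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*` surfaces. The log lines in the block are constructed for illustration; real gpsvc.log formatting differs, and only the parenthesised session value matters to the check.

```python
"""Scan GlobalProtect service log text for the CVE-2024-3400 indicator.

Added example, not code from the article or from Palo Alto Networks.
The indicator is the vendor-published one: a 'failed to unmarshal session(...)'
entry whose session value contains a '/'. A legitimate session value is an
opaque token with no path separators, so a slash (and especially '../') means
someone put a file path where a session ID belongs.
"""
import re

# Python equivalent of the vendor grep pattern  failed to unmarshal session(.\+.\/
INDICATOR = re.compile(r"failed to unmarshal session\((?P<session>[^)]*)\)")

# Constructed sample log lines; the surrounding format is illustrative only.
SAMPLE_LOG = """\
2024-04-10 12:00:01 gpsvc: user=alice gateway=gw1 session(5d2a9c3f) authenticated
2024-04-10 12:00:03 gpsvc: failed to unmarshal session(5d2a9c3f00ff)
2024-04-10 12:00:07 gpsvc: failed to unmarshal session(../../../../tmp/probe)
2024-04-10 12:00:09 gpsvc: failed to unmarshal session(/tmp/probe)
"""


def find_indicators(log_text):
    """Return one record per matching line: line number, session value, traversal flag.

    Lines whose session value is a normal opaque token are skipped even though
    unmarshalling failed, because that happens for benign reasons too
    (expired cookie, misbehaving client).
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = INDICATOR.search(line)
        if m is None:
            continue
        session = m.group("session")
        if "/" not in session:
            continue
        hits.append({
            "line": lineno,
            "session": session,
            "traversal": "../" in session,
        })
    return hits


def summarize(log_text):
    """One-line verdict for a ticket: how many indicator lines, how many with traversal."""
    hits = find_indicators(log_text)
    if not hits:
        return "no indicator lines found"
    traversal = sum(1 for h in hits if h["traversal"])
    return (f"{len(hits)} indicator line(s), {traversal} with directory traversal; "
            "treat device as compromised pending forensics")


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(f"line {hit['line']}: session={hit['session']!r} traversal={hit['traversal']}")
    print(summarize(SAMPLE_LOG))
```

Feed it the output of the vendor's `mp-log gpsvc.log*` check from the device CLI. A hit is an incident, not just a patching task: the cron-job persistence described above lives outside the vulnerable code path, so installing the hotfix alone does not remove it.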
| 2024-04-12 21:14:02 | bleepingcomputer | MALWARE | Telegram Patches Windows App Vulnerability to Prevent Python Script Exploits | Telegram has fixed a vulnerability, reported as a zero-day, in its Windows desktop app that let Python scripts bypass its security warning and run when opened.
The issue first surfaced as a rumour on online forums and traces to a typo in the source code's list of risky file extensions, so one extension was not recognised as executable.
An attacker could share a Python script disguised as a video file, tricking the recipient into launching it without a warning.
Telegram deployed a server-side fix that appends ".untrusted" to the affected file types, so Windows asks the user how to open the file rather than running it.
Fewer than 0.01% of Telegram's users were potentially affected, because exploitation requires a Python interpreter to be installed on the victim's machine.
This was not a zero-click vulnerability: the user still had to open the file to trigger the script.
Telegram plans to ship a corrected security warning in a future app update. | Details |
| 2024-04-12 20:23:03 | theregister | MISCELLANEOUS | Google Ends VPN Service for Most, Retains for Pixel Users | Google is winding down its VPN by Google One service, citing low demand, with a full shutdown planned for later this year.
The VPN will remain available only on Pixel 7 and newer phones, honouring Google's earlier promise to support it there for at least five years.
Google One subscribers were told by email that the VPN will be discontinued, as part of a broader change to plan benefits taking effect by May 15.
Launched in October 2020, the VPN was initially limited to Google One's top-tier plan and was extended to the basic plan a year later to broaden uptake.
Uptake stayed low, so Google is prioritising the features subscribers actually use, such as cloud storage.
The Google One website has not yet been updated to reflect the change; the VPN is still listed as a benefit on all plans.
The move extends Google's long record of discontinued products, ending a 197-day streak without a cancellation. | Details |
| 2024-04-12 18:56:31 | bleepingcomputer | CYBERCRIME | FBI Alerts on Rising SMS Phishing Scams Involving Road Tolls | The FBI has warned of a widespread SMS phishing (smishing) campaign targeting US residents with fake unpaid-toll notices.
The wave began last month and has already drawn over 2,000 complaints to the FBI's Internet Crime Complaint Center (IC3), suggesting thousands of victims.
The texts claim the recipient owes money for road tolls and use near-identical wording, such as "outstanding toll amount", across different states.
Each message carries a link that imitates the state's toll service, with the URL and phone number altered so that victims hand over personal information.
The Pennsylvania Turnpike has warned its customers not to click links in such texts, one of a growing number of state agencies raising the alarm.
The FBI notes the scam is moving from state to state, with some areas yet to report cases.
Recipients are urged to report the texts to IC3 immediately and not to click any links. | Details |
| 2024-04-12 18:51:10 | bleepingcomputer | MALWARE | Telegram Patches Security Flaw in Windows App Due to Typo | Telegram has fixed a flaw in its Windows desktop app caused by a typo in its file-extension handling.
The bug let Python scripts disguised as videos bypass the app's security warning and run as soon as the user opened them.
Initial reports called it a zero-click flaw, but Telegram confirmed the issue required user interaction and affected very few users.
A proof of concept posted on the XSS hacking forum demonstrated the exploit: a file with a modified extension causes the Python script to execute on open.
Telegram's server-side fix appends ".untrusted" to suspect files, mitigating the risk without requiring an immediate client update.
Fewer than 0.01% of Telegram users are estimated to have been exposed, since exploitation requires specific conditions such as a Python interpreter on the victim's system.
BleepingComputer and other researchers reproduced the exploit and confirmed that Telegram's fix works. | Details |
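The two Telegram items above describe one bug class: a denylist of risky extensions with a single misspelled entry (reported as `pywz` where `pyzw`, the Python zip-application extension opened by pythonw, was intended). The Python below is an added example, not Telegram's code. It reproduces the miss with a hypothetical denylist, shows the corrected list, contrasts both with a default-deny allowlist of media types, and mirrors the ".untrusted" renaming of the server-side fix. All extension sets are assumptions for illustration apart from the reported misspelling.

```python
"""Extension-based warning checks: denylist with a typo vs fixed denylist vs allowlist.

Added example; not Telegram's code. The extension sets are illustrative
assumptions, except that 'pywz' is the reported misspelling of 'pyzw'.
"""

# Hypothetical denylist of extensions that must trigger a warning. The last
# entry is misspelled: Windows associates .pyzw (pythonw zip app), not .pywz.
DENYLIST_WITH_TYPO = frozenset({"exe", "bat", "cmd", "ps1", "py", "pyw", "pyz", "pywz"})
DENYLIST_FIXED = frozenset({"exe", "bat", "cmd", "ps1", "py", "pyw", "pyz", "pyzw"})

# Default-deny alternative: only these open without a warning.
SAFE_MEDIA = frozenset({"mp4", "mkv", "webm", "mov", "mp3", "jpg", "jpeg", "png", "gif"})


def extension(filename):
    """Lower-cased final extension, or '' if there is none.

    Only the last suffix counts, which is exactly why 'holiday.mp4.pyzw' is
    dangerous: Windows opens it as .pyzw, whatever the middle of the name says.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name.lstrip("."):
        return ""
    return name.rsplit(".", 1)[1].lower()


def needs_warning_denylist(filename, denylist=DENYLIST_FIXED):
    """Warn only if the extension is on the denylist (fails open on any omission)."""
    return extension(filename) in denylist


def needs_warning_allowlist(filename, allowlist=SAFE_MEDIA):
    """Warn unless the extension is a known-safe media type (fails closed)."""
    return extension(filename) not in allowlist


def quarantine_name(filename, check=needs_warning_allowlist):
    """Mirror the server-side fix: append '.untrusted' so the OS has no handler
    registered for the file and must ask the user how to open it."""
    return filename + ".untrusted" if check(filename) else filename
```

The denylist fails open: one typo, one new interpreter, or one unexpected case variant and the file opens silently. The allowlist fails closed at the cost of warning on unusual but harmless types, which is the right trade for files that arrive from strangers.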
| 2024-04-12 17:59:48 | bleepingcomputer | CYBERCRIME | Former Amazon Engineer Sentenced for Cryptocurrency Exchange Hacks | Former Amazon security engineer Shakeeb Ahmed has been sentenced to three years in prison for hacking two cryptocurrency exchanges and stealing over $12 million.
Convicted on one count of computer fraud, Ahmed also received three years of supervised release and was ordered to forfeit $12.3 million and pay restitution.
Ahmed exploited smart-contract and blockchain flaws to push through fraudulent transactions, collecting millions through inflated fees and manipulated asset prices.
He laundered the proceeds through cryptocurrency mixers and transactions across multiple blockchains.
Nirvana Finance offered a bounty for the return of its stolen assets, but Ahmed refused, leaving the exchange with substantial losses.
He also researched ways to evade detection and extradition, including obtaining citizenship elsewhere and obstructing asset seizures. | Details |
| 2024-04-12 15:09:59 | bleepingcomputer | CYBERCRIME | Over Half a Million Roku Accounts Compromised in Credential Stuffing Attacks | Roku reports that 576,000 user accounts were compromised in a second wave of credential-stuffing attacks, on top of the 15,000 disclosed earlier.
The attackers used usernames and passwords leaked from breaches of other sites to log in to Roku accounts, then used the accounts for unauthorized streaming and hardware purchases.
Automated tools replayed these credentials against Roku's login; accounts whose owners had reused passwords were the ones that fell.
Full payment-card data was not exposed, but in a small number of cases the attackers made purchases with the stored payment method.
Roku has reset passwords on the affected accounts, is notifying affected users directly, and has refunded the unauthorized charges.
Roku has also turned on two-factor authentication (2FA) by default for all accounts and urges users to choose strong, unique passwords.
Roku stresses that its own systems were not breached and were not the source of the stolen credentials. | Details |
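Credential stuffing of the kind Roku describes has a distinctive shape in authentication logs: one source tries many different accounts in a short window, most attempts fail, and the few successes are the reused passwords. The Python below is an added example, not Roku's detection logic. The log lines are constructed, the line format and thresholds are assumptions, and the result lists the accounts that need a forced password reset.

```python
"""Credential-stuffing detector over authentication log lines.

Added example; not Roku's code. Log format, thresholds and sample data are
constructed assumptions: '<iso-timestamp> <src-ip> <account> OK|FAIL'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ATTACKER_IP = "203.0.113.7"

# Constructed sample: one IP walks 12 different accounts in under a minute and
# two of them accept the leaked password. A legitimate user mistypes twice.
_lines = []
for _i in range(12):
    _outcome = "OK" if _i in (3, 8) else "FAIL"
    _lines.append(f"2024-04-10T12:00:{_i * 5:02d}Z {ATTACKER_IP} user{_i:02d}@example.invalid {_outcome}")
_lines += [
    "2024-04-10T12:03:00Z 198.51.100.4 alice@example.invalid FAIL",
    "2024-04-10T12:03:20Z 198.51.100.4 alice@example.invalid FAIL",
    "2024-04-10T12:03:41Z 198.51.100.4 alice@example.invalid OK",
]
SAMPLE_LOG = "\n".join(_lines)


def parse_events(log_text):
    """Return (timestamp, ip, account, success) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=10, min_fail_ratio=0.8):
    """Flag source IPs that, within some sliding window, touch at least
    min_accounts distinct accounts with a failure ratio >= min_fail_ratio.

    Returns {ip: {"max_distinct_accounts": n, "reset_accounts": [...]}} where
    reset_accounts are the accounts that IP logged into successfully.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = 0
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {acct for _, acct, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(distinct) >= min_accounts and failures / len(win) >= min_fail_ratio:
                best = max(best, len(distinct))
        if best:
            flagged[ip] = {
                "max_distinct_accounts": best,
                "reset_accounts": sorted({acct for _, acct, ok in evs if ok}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

Keying on the source IP is the simplest cut; real campaigns rotate through proxies, so the same window logic is worth running per IP range, per user-agent, or per device fingerprint as well. The legitimate user in the sample fails twice and is never flagged, because the distinct-account count, not the failure count, is what separates stuffing from a forgotten password.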
| 2024-04-12 14:59:27 | thehackernews | MALWARE | Rust Crate Compromised: liblzma-sys Exploited by Malware Attack | Version 0.3.2 of the popular Rust crate liblzma-sys shipped the backdoored XZ Utils source, including the malicious "test files" that carry the payload.
Phylum spotted the malicious test files in the liblzma-sys package on crates.io; they were removed in version 0.3.3.
The malicious commits came from the GitHub account JiaT75 and were designed to give the attacker unauthorized SSH access for remote code execution.
Kaspersky's analysis of the multi-stage backdoor traces it to specific malicious commits in XZ Utils versions 5.6.0 and 5.6.1.
The payload tampers with the OpenSSH daemon (sshd) so that attackers can execute code remotely.
Early detection and remediation prevented the backdoor from spreading further across the Linux ecosystem.
The incident fits a pattern of targeted social engineering aimed at gaining maintainer access to open-source projects. | Details |
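For the liblzma-sys item, the check a Rust project owner wants is whether any lockfile pins the version the report names. The Python below is an added example, not Phylum's tooling or the crate's own: it parses the `[[package]]` tables of a Cargo.lock (a TOML file) with no third-party dependency and flags the affected crate version. The sample lockfile is constructed, and the affected-version table holds only what the report states (0.3.2 affected, 0.3.3 clean).

```python
"""Flag affected crate versions in Cargo.lock files.

Added example, not from the article. The affected version (liblzma-sys 0.3.2,
removed in 0.3.3) is the one the report names; the sample lockfile is constructed.
"""

# crate name -> set of affected versions
AFFECTED = {"liblzma-sys": {"0.3.2"}}

SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "cc"
version = "1.0.90"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "liblzma-sys"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "cc",
 "libc",
]

[[package]]
name = "libc"
version = "0.2.153"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_cargo_lock(text):
    """Return one {key: value} dict per [[package]] table.

    Cargo.lock is TOML; this reads only the flat string keys a package table
    carries (name, version, source, checksum) and ignores multi-line arrays,
    which is enough to identify a pinned crate without a TOML library.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # [metadata] or another table: stop collecting
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if value.startswith('"') and value.endswith('"'):
                current[key.strip()] = value[1:-1]
    return packages


def find_affected(lock_text, affected=AFFECTED):
    """Return sorted (name, version) pairs from the lockfile that are in `affected`."""
    hits = set()
    for pkg in parse_cargo_lock(lock_text):
        name, version = pkg.get("name"), pkg.get("version")
        if name in affected and version in affected[name]:
            hits.add((name, version))
    return sorted(hits)


if __name__ == "__main__":
    print(find_affected(SAMPLE_CARGO_LOCK) or "no affected crates pinned")
```

Run it over every Cargo.lock in the tree, including those in CI caches and vendored directories; `cargo update -p liblzma-sys` moves a project to the cleaned release. A crate vendored by hand rather than pulled from the registry will not appear in the lockfile, so vendored xz source trees need a separate look.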
| 2024-04-12 14:38:50 | theregister | NATION STATE ACTIVITY | Russian Cyber Spies Steal U.S. Government Emails in Microsoft Breach | The Russian state-sponsored actor known as Midnight Blizzard or Cozy Bear broke into Microsoft's corporate email systems and exfiltrated sensitive data, including emails and authentication details.
CISA has issued Emergency Directive ED 24-02, requiring federal agencies to review the compromised emails, reset exposed credentials, and secure affected authentication tools.
Affected agencies must report on their remediation, with initial status due April 8, a comprehensive update by May 1, and weekly reports thereafter.
Microsoft has agreed to hand CISA metadata about the exfiltrated emails, which contained credentials, and to answer further requests from the National Cyber Investigative Joint Task Force.
Microsoft reported a sharp rise in Midnight Blizzard intrusion attempts in February 2024, an escalation of the group's activity.
Microsoft has been criticised for its security practices and its handling of the breach, with concern over the implications for national security and for its commercial customers.
The incident continues to damage Microsoft's reputation amid ongoing scrutiny of its disclosure and incident-handling practices. | Details |
| 2024-04-12 13:32:22 | bleepingcomputer | CYBERCRIME | Critical Zero-Day in PAN-OS Firewalls Actively Exploited | Palo Alto Networks has warned of a zero-day vulnerability in its PAN-OS firewall software that is being exploited in the wild.
The vulnerability, CVE-2024-3400, is a command-injection flaw that lets unauthenticated attackers execute arbitrary code as root.
It affects PAN-OS 10.2, 11.0 and 11.1 when both the GlobalProtect gateway and device telemetry are enabled.
It carries the maximum CVSS score of 10.0 because exploitation needs no privileges and no user interaction.
Until the fixes ship, customers should apply Palo Alto Networks' interim mitigations; hotfixes are expected by April 14, 2024.
Roughly 82,000 devices could be exposed, about 40% of them in the United States.
Cloud NGFW, Panorama appliances and Prisma Access are not affected. | Details |
| 2024-04-12 11:20:04 | thehackernews | CYBERCRIME | Protecting Non-Human Identities from Cyber Threats | Non-human identities, such as the service accounts used by microservices, underpin API calls and system-to-system interactions.
They are attractive targets: a compromised machine identity can lead to stolen secrets, tampered data, or a full system outage.
Managing and protecting non-human identities and their secrets at scale calls for a dedicated security suite.
The required capabilities are centralized governance, real-time monitoring, and complete visibility of every machine identity.
Effective management also means separating genuine exposures from false positives so effort goes to real risk.
The solution should give actionable remediation steps and support collaboration between security and development teams.
Entro's non-human identity management product offers tools and insights for protecting these assets. | Details |
| 2024-04-12 09:58:32 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Use DarkBeatC2 in Spear-Phishing Attack Campaign | The Iranian threat actor MuddyWater has adopted a new command-and-control (C2) framework, DarkBeatC2, adding to its toolset.
MuddyWater, also tracked as Boggy Serpens and TA450, is attributed to Iran's Ministry of Intelligence and Security and has been active since 2017.
Recent attacks used spear-phishing from compromised email accounts to deliver malicious links and attachments.
One spear-phishing effort targeted an educational institution in Israel via a compromised web link, possibly building on earlier breaches carried out by Lord Nemesis.
DarkBeatC2 manages infected endpoints with PowerShell and establishes persistence on compromised systems.
Palo Alto Networks Unit 42 identified abuse of the Windows AutodialDLL registry setting to load a malicious DLL that connects to the DarkBeatC2 server.
The intrusions rely on manipulating system processes and registry settings to keep a foothold on compromised devices.
The ongoing campaign reflects collaboration between Iranian military and intelligence entities aimed at maximising damage to Israeli targets. | Details |
| 2024-04-12 08:59:22 | thehackernews | CYBERCRIME | Critical Palo Alto Networks Software Flaw Now Actively Exploited | Palo Alto Networks has warned of a critical flaw in its PAN-OS software, CVE-2024-3400, rated the maximum severity of 10.0.
The vulnerability lies in GlobalProtect gateways and lets unauthenticated attackers execute arbitrary code as root.
It affects only specific PAN-OS versions and only configurations with both the GlobalProtect gateway and device telemetry enabled.
Fixes for the affected versions are scheduled for release on April 14, 2024.
Volexity discovered and reported the vulnerability; details of the attack methods have not been disclosed.
Palo Alto Networks says a limited number of attacks exploit the flaw and advises customers with a Threat Prevention subscription to enable Threat ID 95187 for protection.
Chinese threat actors have recently exploited similar zero-day flaws in products from Barracuda Networks, Fortinet, Ivanti, and VMware for targeted attacks and persistent access. | Details |
| 2024-04-12 05:36:11 | theregister | CYBERCRIME | French Municipal Governments Crippled by Ongoing Cyber Attack | Several French municipal governments, including Saint-Nazaire, are suffering severe service disruption after a large-scale cyberattack on shared servers.
The origin and expected duration of the attack are unknown; updates are being posted on social media and municipal websites.
The attack has hit a number of cities and organisations, disrupting essential services across the affected municipalities.
It follows a recent DDoS attack on French government websites, claimed by Anonymous Sudan, that caused no service disruption.
Separately, France Travail disclosed a major breach exposing the personal data of about 43 million people.
Further breaches in the past month exposed the data of over 33 million people through attacks on third-party healthcare and insurance payment providers.
The timing is sensitive as France prepares for the Summer Olympics, heightening concern about further attacks.
French cybersecurity officials are consulting their US counterparts on protecting the Olympics and other critical infrastructure from the attacks they expect. | Details |