Security Spotlight: Navigating the Cybersecurity Landscape and Illuminating the Dark Corners of the Web
Palo Alto Networks Warns of Potential RCE Vulnerability in PAN-OS Management Interface
Overview
Palo Alto Network has disclosed a potential RCE vulnerability in the PAN-OS management interface. Information is still scarce on this particular vulnerability, but we are monitoring it closely to see if someone demonstrates otherwise.
PAN-OS is a core part of network management and security, so this potential vulnerability is of critical importance for users who rely on its secure configuration.
Impact
According to Palo Alto Networks, the bug could be exploited to allow remote attackers to execute arbitrary code via the PAN-OS management interface. This could even escalate to the management interface, which controls the rules and settings of the network.
Although there’s no indication that this network management interface is being exploited by other parties, Palo Alto warns the attack surface has been highly increased and the network is at risk of manipulation.
The event’s urgency was noted in recent advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as well. They also found additional threats in products of Palo Alto Networks, for example, the Expedition migration tool vulnerability CVE-2024-5910. Under the right circumstances, it could be used to carry out admin account takeovers.
Recommendation
Considerations for Administrators…
Best practice for securing the PAN-OS management interface and limiting access to trusted internal IPs.
Isolation of Management: The management interface should be isolated onto a separate management VLAN and management access should only be granted from secure internal, authorized networks.
Use Jump Servers: Jump servers can be used to provide layers to the access control process, with only trusted devices given access to the management interface.
Enable Secure Connections: Limit connection protocols across the interface to secure ones (i.e. SSH, HTTPS, etc.)
Avoid Exposing Vulnerability: Block common internet access for the management interface.
Once these configurations have been made, organizations can limit their attack surface and protect themselves from rogue RCE threats. We continue to monitor for additional changes and urge all PAN-OS system users to secure their configurations.
Bitcoin Fog Founder Sentenced to 12 Years for Facilitating Cryptocurrency Money Laundering
Overview
U.S. Department of Justice (DoJ) sentenced Bitcoin Fog founder Roman Sterlingov, aged 36, to 12 years and a half in prison. Russian-Swedish national Sterlingov admitted to several charges of money laundering and operating an unlicensed money laundering business. Bitcoin Fog is often referred to as the darknet’s longest-running cryptocurrency mixer for millions of cybercriminals around the world, obscuring the origin of their digital assets.
Impact
According to the DoJ, Bitcoin Fog handled more than 1.2 million transactions and was valued at roughly $400 million (USD) from 2011 to 2021. Criminals used the platform as a means to launder profits from illicit activities like drug distribution, identity theft, and child sexual exploitation material carried out on darknet markets.
Sterlingov held the keys to help countless packets of unlawful money escape law enforcement pursuers, adding fuel to an invisible and traceless monetary stream associated with large-scale hacking activity. That said, Sterlingov was compelled to surrender Bitcoin Fog’s significant assets, specifically $395+ million worth of seized cryptocurrencies and 1300+ bitcoins stored in the Fog wallet.
Recommendation
Regulators should carefully examine cryptocurrency transactions. The event illustrates the importance of exchanges regulating their business transparently and enforcing anti-money laundering (AML) compliance. Stricter measures could minimize such operations by requiring more scrutiny of transactions on risky platforms.
Expansion of AndroxGh0st Malware with Mozi Botnet Targets IoT and Cloud Environments
Overview
According to a recent report, the AndroxGh0st malware, which has long established itself as a zero-day exploiter of cloud applications and a persistent threat in the cyber-security landscape, is now using Mozi botnet malware to broaden its networks. AndroxGh0st emerged in 2022 and is typically centered on targeting Laravel and other applications to extract sensitive information concerning AWS, SendGrid, and Twilio tickets. A recent integration with the Mozi botnet has expanded its reach, allowing AndroxGh0st to take advantage of Mozi’s ability to spread itself on large populations of IoT devices and critical cloud infrastructure.
Impact
The AndroxGh0st-Mozi combo has evolved into an increasingly powerful attack vector that takes advantage of a wide variety of disparate vulnerabilities across numerous different platforms. Furthermore, AndroxGh0st has begun to target applications with known vulnerabilities i.e. Cisco ASA WebVPN (CVE-2014-2120), Dasan GPON routers (CVE-2018-10561), and Sophos Firewall (CVE-2022–1040).
Leveraging credential-harvesting techniques and unauthenticated command execution, the malware penetrates sensitive systems, acquires elevated permissions, and persists in the invaded networks.
The collaborative design crystalizes AndroxGh0st’s features by utilizing Mozi’s propagation and infection methods. This combination makes the botnet more impactful and helps spread the DDoS attack over a large number of devices. The common command infrastructure used by AndroxGh0st and Mozi hints at a well-orchestrated operation, possibly a clear proof that the same cybercriminal group is behind both.
Recommendation
WME recommends admins take the following actions to mitigate the risks arising from AndroxGh0st and Mozi botnet collaborative malicious actions:
Update Software & Firmware: All software applications and IoT devices should be updated to counter known vulnerabilities. The efforts should include the patching of vulnerabilities found in Cisco ASA, Dasan GPON, Sophos Firewall, and other compromised systems.
Implement Network Segmentation: Keep IoT devices and operational assets on separate network segments to prevent the spread of malware to critical infrastructure.
Inspect Network Behavior: Log network activity (e.g. abnormal access to /wp-admin/ URL & command injection, which is fairly common). Use intrusion detection and prevention systems to detect unauthorized access attempts.
Targeted Cyber Espionage Against Indian Organizations Using Cloud-Based Tools
Overview
Recently, high-profile Indian organizations were on the radar of a Southasia-based cyber-espionage group, Transparent Tribe, and a newly identified Chinese threat actor IcePeony. These attackers focused on cloud-based services for sophisticated intrusions that affected systems in government, academic, and political sectors in recent years. These threat actors have a wide range of tools/techniques that allow them to hijack victim systems to exfiltrate data while remaining undetected.
Impact
Transparent Tribe’s main tool in this operation is a RAT (remote access trojan) called ElizaRAT that gives its operator the ability to connect to any compromised devices remotely. ElizaRAT uses popular cloud services, including Google Drive and Slack, to communicate with the attackers, making it harder to detect. This way, malicious traffic blends in with normal network activity and becomes less conspicuous.
They leverage ApoloStealer, a data-stealing malware that steals different types of files (e.g., DOC, XLS, PPT) from the infected systems. By comparison, the IcePeony group primarily operates against government and academic targets in India, Mauritius, and Vietnam, which are associated with China. They leverage SQL injection methods, web shells, and a self-developed backdoor named IceEvent, through which they can transfer files to and from the target as well as execute commands remotely. Both groups utilize commonly accepted cloud platforms, making detection much more challenging as they can easily disguise themselves as normal system operations.
Recommendation
Organizations in the targeted sectors should take the following actions…
Audit systems for open vulnerabilities, such as SQL injection holes and insecure SSH configurations. Also, track cloud services that they frequently use i.e. Google Drive and Slack, and detect any suspicious or unauthorized access behavior.
All systems reachable via the Internet, especially web apps and servers (inbound-facing), should be patched ASAP to reduce exposure to critical vulnerabilities. Lastly, employ strong access controls and monitor systems regularly for anomalous behaviour, typical of RATs and data-exfiltration activity.
Malicious NPM Packages Target Roblox Community with Data-Stealing Malware
Overview
Researchers have uncovered a new wave of attacks targeting Roblox users through the npm package repository. Threat actors are injecting malicious JS libraries into the open-source ecosystem. The packages mentioned below can install information-stealing malware like Skuld and Blank Grabber as they target users and developers in the Roblox community.
The incident illustrates how effortlessly the attackers exploited reliance on these open-source repos to execute supply chain attacks. Malware authors take advantage of well-known names to break all the protection, making open-source malware and then publicly using portals like GitHub for malware roaming and utilizing social communication portals for command and control (C2) based operations using Discord and Telegram.
Impact
Among the malicious packages identified are:
- node-dlls
- dll
- autoadv
- rolimons-api
These names are similar to real npm packages. Essentially, they entice developers to download malicious code masked as trusted resources. e.g. “node-dlls” tries to copy the correct “node-dll” package. It provides doubly linked list functions for JavaScript. Similarly, “rolimons-api” impersonated an API for a popular Roblox analytics site.
Once installed, the malicious packages run obfuscated code that drops and installs Skuld and Blank Grabber malware for info-gathering and exfiltration. Once the data is harvested, it is sent to the attackers using webhooks on Discord or Telegram, leaving an open backdoor for future exploitation.
Recommendation
To protect themselves from these malicious npm packages, developers should follow these precautions…
Validate Package Name: Be suspicious of package names. You want to steer clear of typosquatting victimization. Typosquatted packages typically share similar names with known libraries as well as possibly include malware embedded within.
Verify Source Code: If you’re dealing with an open-source library that has little or sketchy documentation, be sure not to install packages without first taking a look at the source code.
As dependencies become ever more open source, cyberattacks are also changing. As a result, being security conscious has become even more paramount.
Windows Management Experts
Now A Microsoft Solutions Partner for:
- Data & AI
- Digital and App Innovation
- Infrastructure
- Security
The Solutions Partner badge highlights WME’s excellence and commitment. Microsoft’s thorough evaluation ensures we’re skilled, deliver successful projects, and prioritize security over everything. This positions WME in a global tech community, ready to innovate on the cloud for your evolving business needs.
Why not reach out to us at WME?
Contact us and let us transform your business’s security into a strategic advantage for your business. Be sure, with WME, you’re just beginning a path toward a more streamlined and secure future.
WME Cybersecurity Briefings 036
