WME Security Briefing 28 November 2024

WME Cybersecurity Briefings No. 036

Palo Alto Networks Warns of Potential RCE Vulnerability in PAN-OS Management Interface

Overview

Palo Alto Networks has disclosed a potential RCE vulnerability in the PAN-OS management interface. Information on this particular vulnerability is still scarce, but we are monitoring it closely in case exploitation is demonstrated.

PAN-OS is a core part of network management and security, so this potential vulnerability is of critical importance for users who rely on its secure configuration.

Impact

According to Palo Alto Networks, the bug could allow remote attackers to execute arbitrary code via the PAN-OS management interface. Because that interface controls the rules and settings of the network, a compromise could extend to the network configuration itself.

Although there is no indication that the management interface is currently being exploited by other parties, Palo Alto Networks warns that the attack surface has increased significantly and that the network is at risk of manipulation.

The urgency of the event was also noted in recent advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has flagged additional threats in Palo Alto Networks products, for example the Expedition migration tool vulnerability CVE-2024-5910. Under the right circumstances, it could be used to carry out admin account takeovers.

Recommendation

Considerations for Administrators…

Best practice is to secure the PAN-OS management interface and limit access to trusted internal IPs:

Isolation of Management: The management interface should be isolated onto a separate management VLAN and management access should only be granted from secure internal, authorized networks.

Use Jump Servers: Jump servers can be used to provide layers to the access control process, with only trusted devices given access to the management interface.

Enable Secure Connections: Limit the connection protocols accepted on the interface to secure ones (e.g. SSH and HTTPS).

Avoid Internet Exposure: Block general internet access to the management interface.

Once these configurations have been made, organizations can limit their attack surface and protect themselves from rogue RCE threats. We continue to monitor for additional changes and urge all PAN-OS system users to secure their configurations.

Bitcoin Fog Founder Sentenced to 12 Years for Facilitating Cryptocurrency Money Laundering

Overview

The U.S. Department of Justice (DoJ) has sentenced Bitcoin Fog founder Roman Sterlingov, aged 36, to 12 and a half years in prison. The Russian-Swedish national admitted to several charges of money laundering and operating an unlicensed money laundering business. Bitcoin Fog is often described as the darknet’s longest-running cryptocurrency mixer, used by millions of cybercriminals around the world to obscure the origin of their digital assets.

Impact

According to the DoJ, Bitcoin Fog handled more than 1.2 million transactions and was valued at roughly $400 million (USD) from 2011 to 2021. Criminals used the platform as a means to launder profits from illicit activities like drug distribution, identity theft, and child sexual exploitation material carried out on darknet markets.

Sterlingov held the keys that helped countless streams of unlawful money escape law-enforcement pursuit, feeding an invisible and untraceable monetary flow associated with large-scale hacking activity. As part of the sentence, Sterlingov was compelled to surrender Bitcoin Fog’s significant assets, specifically more than $395 million worth of seized cryptocurrency and more than 1,300 bitcoins stored in the Fog wallet.

Recommendation

Regulators should carefully examine cryptocurrency transactions. The event illustrates the importance of exchanges regulating their business transparently and enforcing anti-money laundering (AML) compliance. Stricter measures could minimize such operations by requiring more scrutiny of transactions on risky platforms.

Expansion of AndroxGh0st Malware with Mozi Botnet Targets IoT and Cloud Environments

Overview

According to a recent report, the AndroxGh0st malware, long established as a zero-day exploiter of cloud applications and a persistent threat in the cyber-security landscape, is now using the Mozi botnet malware to broaden its networks. AndroxGh0st emerged in 2022 and typically targets Laravel and other applications to extract sensitive information concerning AWS, SendGrid, and Twilio tickets. Its recent integration with the Mozi botnet has expanded its reach, allowing AndroxGh0st to take advantage of Mozi’s ability to spread across large populations of IoT devices and critical cloud infrastructure.

Impact

The AndroxGh0st-Mozi combination has evolved into an increasingly powerful attack vector that takes advantage of a wide variety of vulnerabilities across many different platforms. Furthermore, AndroxGh0st has begun to target applications with known vulnerabilities, e.g. Cisco ASA WebVPN (CVE-2014-2120), Dasan GPON routers (CVE-2018-10561), and Sophos Firewall (CVE-2022-1040).

Leveraging credential-harvesting techniques and unauthenticated command execution, the malware penetrates sensitive systems, acquires elevated permissions, and persists in the invaded networks.

The combined design sharpens AndroxGh0st’s capabilities by using Mozi’s propagation and infection methods. This makes the botnet more impactful and helps spread DDoS attacks across a large number of devices. The shared command infrastructure used by AndroxGh0st and Mozi hints at a well-orchestrated operation, possibly indicating that the same cybercriminal group is behind both.

Recommendation

WME recommends that admins take the following actions to mitigate the risks arising from the combined AndroxGh0st and Mozi botnet activity:

Update Software & Firmware: All software applications and IoT devices should be updated to counter known vulnerabilities. This should include patching the vulnerabilities in Cisco ASA, Dasan GPON, Sophos Firewall, and other affected systems.

Implement Network Segmentation: Keep IoT devices and operational assets on separate network segments to prevent the spread of malware to critical infrastructure.

Inspect Network Behavior: Log network activity and review it for anomalies (e.g. abnormal access to the /wp-admin/ URL and command-injection attempts, both of which are fairly common). Use intrusion detection and prevention systems to detect unauthorized access attempts.
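The following is an added example (not from the original briefing) of the kind of log review recommended above: it parses web-server access log lines, URL-decodes each request path, and flags requests to /wp-admin/ or requests containing shell metacharacters typical of command-injection probes. The log lines, indicator list and the 203.0.113.x/198.51.100.x/192.0.2.x addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Combined Log Format); not from a real
# incident. Line 4 is a benign request and should produce no finding.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2024:10:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2024:10:01:03 +0000] "GET /cgi-bin/status?host=;id HTTP/1.1" 400 0 "-" "curl/7.88"
198.51.100.21 - - [28/Nov/2024:10:02:10 +0000] "GET /ping?ip=127.0.0.1%7C%7Cid HTTP/1.1" 200 12 "-" "python-requests/2.31"
192.0.2.44 - - [28/Nov/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Hypothetical indicators: admin paths this site does not serve, and shell
# metacharacters in the request path or query (checked after URL-decoding,
# so encoded forms such as %7C%7C are caught as well).
SUSPICIOUS_PATHS = ("/wp-admin/",)
CMD_INJECTION_RE = re.compile(r'(;|\|\||&&|`|\$\()')

def scan_log(text):
    """Return (source_ip, reason, decoded_path) tuples for matching lines."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, _ts, _method, raw_path, _status = m.groups()
        path = unquote(raw_path)
        if any(path.startswith(p) for p in SUSPICIOUS_PATHS):
            findings.append((src, "suspicious admin path", path))
        if CMD_INJECTION_RE.search(path):
            findings.append((src, "command-injection metacharacters", path))
    return findings

def offenders(text, threshold=2):
    """Source IPs with at least `threshold` findings, as candidates for alerting."""
    counts = {}
    for src, _reason, _path in scan_log(text):
        counts[src] = counts.get(src, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for src, reason, path in scan_log(SAMPLE_LOG):
        print(f"{src} {reason}: {path}")
    print("repeat offenders:", offenders(SAMPLE_LOG))
```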

Targeted Cyber Espionage Against Indian Organizations Using Cloud-Based Tools

Overview

Recently, high-profile Indian organizations have been on the radar of a South Asia-based cyber-espionage group, Transparent Tribe, and a newly identified Chinese threat actor, IcePeony. These attackers have used cloud-based services for sophisticated intrusions that affected systems in the government, academic, and political sectors in recent years. Both threat actors have a wide range of tools and techniques that allow them to hijack victim systems and exfiltrate data while remaining undetected.

Impact

Transparent Tribe’s main tool in this operation is a remote access trojan (RAT) called ElizaRAT, which gives its operator the ability to connect remotely to any compromised device. ElizaRAT uses popular cloud services, including Google Drive and Slack, to communicate with the attackers, making it harder to detect. This way, malicious traffic blends in with normal network activity and becomes less conspicuous.

Transparent Tribe also leverages ApoloStealer, a data-stealing malware that collects different types of files (e.g., DOC, XLS, PPT) from infected systems. By comparison, the IcePeony group primarily operates against government and academic targets in India, Mauritius, and Vietnam, countries associated with China. It uses SQL injection, web shells, and a self-developed backdoor named IceEvent, through which it can transfer files to and from the target and execute commands remotely. Both groups use widely accepted cloud platforms, making detection much more challenging because their activity can be disguised as normal system operations.

Recommendation

Organizations in the targeted sectors should take the following actions…

Audit systems for open vulnerabilities, such as SQL injection flaws and insecure SSH configurations. Also, monitor the cloud services these actors frequently use, e.g. Google Drive and Slack, and detect any suspicious or unauthorized access behavior.

All systems reachable from the Internet, especially inbound-facing web apps and servers, should be patched as soon as possible to reduce exposure to critical vulnerabilities. Lastly, employ strong access controls and monitor systems regularly for the anomalous behaviour typical of RATs and data-exfiltration activity.

Malicious NPM Packages Target Roblox Community with Data-Stealing Malware

Overview

Researchers have uncovered a new wave of attacks targeting Roblox users through the npm package repository. Threat actors are injecting malicious JavaScript libraries into the open-source ecosystem. The packages listed below install information-stealing malware such as Skuld and Blank Grabber, targeting users and developers in the Roblox community.

The incident illustrates how effortlessly attackers exploit reliance on open-source repositories to carry out supply chain attacks. Malware authors take advantage of well-known names to slip past protections, publish their malware as open source, host it publicly on portals like GitHub, and use social communication platforms such as Discord and Telegram for command and control (C2).

Impact

Among the malicious packages identified are:

  • node-dlls
  • dll
  • autoadv
  • rolimons-api

These names closely resemble those of real npm packages, enticing developers to download malicious code masked as trusted resources. For example, “node-dlls” mimics the legitimate “node-dll” package, which provides doubly linked list functions for JavaScript. Similarly, “rolimons-api” impersonated an API for a popular Roblox analytics site.

Once installed, the malicious packages run obfuscated code that drops and installs Skuld and Blank Grabber malware for info-gathering and exfiltration. Once the data is harvested, it is sent to the attackers using webhooks on Discord or Telegram, leaving an open backdoor for future exploitation.

Recommendation

To protect themselves from these malicious npm packages, developers should follow these precautions…

Validate Package Names: Be suspicious of package names to avoid falling victim to typosquatting. Typosquatted packages typically share near-identical names with known libraries and may include embedded malware.

Verify Source Code: If you’re dealing with an open-source library that has little or sketchy documentation, do not install it without first reviewing the source code.
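As an added example (not from the original briefing), the check below applies the package-name validation advice to a package.json-style dependency map: each dependency name is compared against a list of known packages using Levenshtein edit distance, so that a near-miss such as “node-dlls” against “node-dll” is flagged while an exact match is not. The known-package list, the sample dependency map and the hypothetical `loadsh` name are constructed for illustration.

```javascript
// Known, trusted package names (constructed list for this example).
const KNOWN_PACKAGES = ["node-dll", "express", "lodash", "axios"];

// Classic Levenshtein edit distance using a single rolling DP row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return the known package a name most resembles when it is a close but
// inexact match (distance 1..maxDistance). Exact matches return null.
function lookalikeOf(name, known = KNOWN_PACKAGES, maxDistance = 2) {
  let best = null;
  for (const k of known) {
    const d = editDistance(name.toLowerCase(), k.toLowerCase());
    if (d > 0 && d <= maxDistance && (best === null || d < best.distance)) {
      best = { name: k, distance: d };
    }
  }
  return best;
}

// Audit every dependency in a package.json-style object; returns the
// suspicious entries with the package each one resembles.
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .map((dep) => ({ dep, lookalike: lookalikeOf(dep) }))
    .filter((r) => r.lookalike !== null);
}

// Constructed sample: one name from the post plus a hypothetical "loadsh".
const samplePkg = {
  dependencies: { "node-dlls": "^1.0.0", express: "^4.19.0", loadsh: "^1.0.0" },
};
console.log(auditDependencies(samplePkg));
```

Edit distance only catches near-miss spellings; a name that appends a suffix to a trusted one (such as “rolimons-api”) needs a separate prefix or brand-name check.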

As dependencies become ever more open source, cyberattacks are changing too, and being security conscious has become even more important.


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
