Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign
As many as 2,000 Palo Alto Networks devices are estimated to have been compromised as part of a campaign abusing the newly disclosed security flaws that have come under active exploitation in the wild.
According to statistics shared by the Shadowserver Foundation, a majority of the infections have been reported in the U.S. (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the U.K. (39), Peru (36), and South Africa (35).
Earlier this week, Censys revealed that it had identified 13,324 publicly exposed next-generation firewall (NGFW) management interfaces, with 34% of these exposures located in the U.S. However, it’s important to note that not all of these exposed hosts are necessarily vulnerable.
The flaws in question, CVE-2024-0012 (CVSS score: 9.3) and CVE-2024-9474 (CVSS score: 6.9), are a combination of authentication bypass and privilege escalation that could allow a bad actor to perform malicious actions, including modifying configurations and executing arbitrary code.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2024/11/warning-over-2000-palo-alto-networks.html
Link: https://www.securityweek.com/palo-alto-patches-firewall-zero-day-exploited-in-operation-lunar-peek/
Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities
Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild.
The flaws are listed below –
- CVE-2024-44308 (CVSS score: 8.8) – A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content
- CVE-2024-44309 (CVSS score: 6.1) – A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content
The iPhone maker said it addressed CVE-2024-44308 and CVE-2024-44309 with improved checks and improved state management, respectively.
Not much is known about the exact nature of the exploitation, but Apple has acknowledged that the pair of vulnerabilities „may have been actively exploited on Intel-based Mac systems.“
Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the two flaws, indicating that they were likely put to use as part of highly-targeted government-backed or mercenary spyware attacks.
Source: The hacker news / Bleeping computer / Dark reading / Securityweek / SANS internet storm center
Link: https://thehackernews.com/2024/11/apple-releases-urgent-updates-to-patch.html
Link: https://www.darkreading.com/cyberattacks-data-breaches/apple-patches-actively-exploited-zero-days
Link: https://www.securityweek.com/apple-confirms-zero-day-attacks-hitting-intel-based-macs/
Link: https://isc.sans.edu/diary/Apple%20Fixes%20Two%20Exploited%20Vulnerabilities/31452
Oracle Warns of Agile PLM Vulnerability Currently Under Active Exploitation
Oracle is warning that a high-severity security flaw impacting the Agile Product Lifecycle Management (PLM) Framework has been exploited in the wild.
The vulnerability, tracked as CVE-2024-21287 (CVSS score: 7.5), could be exploited sans authentication to leak sensitive information.
„This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,“ it said in an advisory. „If successfully exploited, this vulnerability may result in file disclosure.“
CrowdStrike security researchers Joel Snape and Lutz Wolf have been credited with discovering and reporting the flaw.
There is currently no information available on who is exploiting the vulnerability, the targets of the malicious activity, and how widespread these attacks are.
„If successfully exploited, an unauthenticated perpetrator could download, from the targeted system, files accessible under the privileges used by the PLM application,“ Eric Maurice, vice president of Security Assurance at Oracle, said.
Source: The hacker news / Bleeping computer / Securityweek / Oracle security alert advisory
Link: https://thehackernews.com/2024/11/oracle-warns-of-agile-plm-vulnerability.html
Link: https://www.securityweek.com/oracle-patches-exploited-agile-plm-zero-day/
Linik: https://www.oracle.com/security-alerts/alert-cve-2024-21287.html
Over 145,000 Industrial Control Systems Across 175 Countries Found Exposed Online
New research has uncovered more than 145,000 internet-exposed Industrial Control Systems (ICS) across 175 countries, with the U.S. alone accounting for over one-third of the total exposures.
The analysis, which comes from attack surface management company Censys, found that 38% of the devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa.
The countries with the most ICS service exposures include the U.S. (more than 48,000), Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the U.K., Japan, Sweden, Taiwan, Poland, and Lithuania.
The metrics are derived from the exposure of several commonly-used ICS protocols like Modbus, IEC 60870-5-104, CODESYS, OPC UA, and others.
One important aspect that stands out is that the attack surfaces are regionally unique: Modbus, S7, and IEC 60870-5-104 are more widely observed in Europe, while Fox, BACnet, ATG, and C-more are more commonly found in North America. Some ICS services that are used in both regions include EIP, FINS, and WDBRPC.
Source: The hacker news / Securityweek
Link: https://thehackernews.com/2024/11/over-145000-industrial-control-systems.html
Malicious QR Codes: How big of a problem is it, really?
QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Cisco Talos’ data, roughly 60% of all email containing a QR code is spam.
Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code’s orientation and position.
Further complicating detection, both by users and anti-spam filters, Talos found QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all.
Source: CISCO Talos intelligence group
Link: https://blog.talosintelligence.com/malicious_qr_codes/
What does resilience in the cyber world look like in 2025 and beyond?
Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term “resilience” can be difficult to define, and when we define it, we may limit its scope, missing the big picture.
In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant demands on incident response teams, resilience (and, in a narrower scope, cyber resilience) will require significant attention due to the complexity of our systems.
We achieve this by “working outside of our little sandbox” and reducing the fragility that comes with complex systems.
Source: IBM security intelligence
Link: https://securityintelligence.com/articles/what-does-cyber-resilience-looks-like-in-2025-and-beyond/