Critical CVSS 10 vulnerability in PAN-OS sparks urgent action

In the latest cybersecurity landscape, the past week brought a flurry of significant threats and vulnerabilities across various platforms. These included Microsoft’s Patch Tuesday addressing 150 security flaws with two exploited zero-days, Palo Alto Networks urgently responding to a critical command injection vulnerability in PAN-OS software, a breach compromising SMS MFA logs for Cisco Duo, exploitation of critical vulnerabilities in Atlassian Confluence servers, and the emergence of the ‘Kapeka’ backdoor attributed to the Russia-associated APT group Sandworm. These diverse threats emphasize the need for robust security measures and constant vigilance in the face of evolving cyber risks.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft April 2024 Patch Tuesday fixes 150 security flaws

April 2024’s Patch Tuesday from Microsoft delivered a crucial update addressing 150 security vulnerabilities across various products, including fixes for 2 Zero-Day vulnerabilities. The release notably tackled 67 remote code execution (RCE) vulnerabilities, underlining their critical nature. Among the vulnerabilities, CVE-2024-26234, a proxy driver spoofing vulnerability, stood out, with a malicious driver exploiting a valid Microsoft Hardware Publisher Certificate.

Another significant fix was CVE-2024-29988, a SmartScreen prompt security feature bypass vulnerability. Additionally, three critical vulnerabilities were resolved in Microsoft Defender for IoT, emphasizing the importance of promptly applying security patches and educating users about potential threats like phishing attacks.

2. Palo Alto Networks issues urgent patches for exploited PAN-OS vulnerability

Palo Alto Networks has issued hotfixes addressing a critical command injection vulnerability (CVE-2024-3400) with CVSSv3 Score 10 in PAN-OS software’s GlobalProtect feature, exploited by threat actors to execute code with root privileges. Tracked by Palo Alto Networks Unit 42, the flaw allows unauthenticated attackers to deploy backdoors and conduct reconnaissance activities.

Volexity attributes the exploitation to the UTA0218 cluster, deploying the UPSTYLE Python backdoor on firewalls since at least March 26, 2024, with evidence suggesting widespread reconnaissance efforts. Affected PAN-OS versions include 10.2, 11.0, and 11.1, with GlobalProtect gateway or portal configurations and device telemetry enabled. The solution is to apply hotfixes PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3 immediately, with additional maintenance releases expected to receive patches soon.

3. Cisco Duo issues warning on third-party data breach exposing SMS MFA logs

A social engineering cyberattacks on Cisco Duo’s telephony provider compromised VoIP and SMS logs used for multi-factor authentication (MFA) messages between March 1, 2024, and March 31, 2024. Threat actors obtained an employee’s credentials through phishing, leading to the security breach on April 1, 2024. While the stolen logs lack message contents, they contain metadata like phone numbers and timestamps, posing a risk for targeted phishing attacks to access sensitive information.

Cisco is collaborating with the provider to investigate and has implemented additional security measures. They have provided compromised message logs to affected customers upon request to aid in understanding the breach’s extent. Cisco advises impacted customers to remain vigilant against potential SMS phishing or social engineering attacks and recommends conducting phishing awareness training for employees while deploying and maintaining robust endpoint security solutions.

4. Exploitation of critical Atlassian vulnerability used to distribute Cerber ransomware

Threat actors are leveraging CVE-2023-22518, a critical vulnerability in Atlassian Confluence servers, to deploy Cerber ransomware by exploiting unpatched systems. After gaining unauthorized access by creating a new admin account, attackers install a web shell plugin, Effluence, enabling arbitrary command execution. Cerber ransomware, written in C++, acts as a loader for additional malware payloads retrieved from a command-and-control server, encrypting files with a “.L0CK3D” extension and dropping ransom notes for extortion.

While no data exfiltration occurs, the primary objective is encrypting files and extorting ransom payments. Mitigation involves promptly applying patches, enforcing strict access controls, utilizing application whitelisting, employing reputable antivirus software, maintaining secure backups, and reducing unnecessary attack surfaces.

5. ‘Kapeka’ backdoor detected in Eastern European cyberattack

A new type of adaptive backdoor named Kapeka, attributed to the Russia-associated APT group Sandworm, has been detected in cyberattacks targeting Eastern European countries since mid-2022. Kapeka is a sophisticated tool designed for various malicious purposes. It installs a backdoor component on compromised hosts, establishing long-term access through scheduled tasks or autorun entries in the Windows registry. Capable of performing tasks like stealing credentials, executing destructive actions, and enabling remote access, Kapeka disguises itself as a Microsoft Word add-in while communicating with its command-and-control server using JSON over WinHttp 5.1 COM interface.

Its propagation method involves compromised websites and the certutil utility, emphasizing the use of legitimate tools for malicious activities. Kapeka is speculated to be a successor to GreyEnergy, indicating ongoing APT-level activities likely originating from Russia. Mitigation strategies include enhancing endpoint security, monitoring network traffic, segmenting network access, and employing application whitelisting.