exploited Archives - Times Wonderful News

Major Palo Alto security flaw is being exploited via Python zero-day backdoor

[ad_1]

For weeks now, unidentified threat actors have been leveraging a critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software, running arbitrary code on vulnerable firewalls, with root privilege.

Multiple security researchers have flagged the campaign, including Palo Alto Networks’ own Unit 42, noting a single threat actor group has been abusing a vulnerability called command injection, since at least March 26 2024.

This vulnerability is now tracked as CVE-2024-3400, and carries a maximum severity score (10.0). The campaign, dubbed MidnightEclipse, targeted PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations with GlobalProtect gateway and device telemetry enabled, since these are the only vulnerable endpoints.

Highly capable threat actor

The attackers have been using the vulnerability to drop a Python-based backdoor on the firewall which Volexity, a separate threat actor that observed the campaign in the wild, dubbed UPSTYLE. While the motives behind the campaign are subject to speculation, the researchers believe the endgame here is to extract sensitive data. The researchers don’t know exactly how many victims there are, nor who the attackers primarily target. The threat actors have been given the moniker UTA0218 for now.

“The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives,” the researchers said. “UTA0218’s initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users’ DPAPI keys.”

In its writeup, The Hacker News reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a deadline of April 19 to apply the patch and otherwise mitigate the threat.

“Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities,” Volexity said.

“It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”

More from TechRadar Pro

[ad_2]

Source Article Link

Ray framework flaw exploited for hackers to breach servers

“Shadow vulnerability”

Four of the vulnerabilities are tracked as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023, and Anyscale, Ray’s developer, fixed them. The fifth one, deemed a critical remote code execution (RCE) flaw by researchers, and tracked as CVE-2023-48022, was not fixed.

Anyscale argues that this was not a bug, but a feature: “The remaining CVE (CVE-2023-48022) – that Ray does not have authentication built in – is a long-standing design decision based on how Ray’s security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy,” it said.

As per the developers, this RCE flaw can only be abused in deployments that go against Anyscale’s recommendations and don’t limit Ray’s use to a strictly controlled network environment.

Oligo, on the other hand, says that by disputing the CVE, Anyscale is leaving many developers in the dark on the potential holes. “We have observed instances of CVE-2023-48022 being actively exploited in the wild, making the disputed CVE a “shadow vulnerability”—a CVE that doesn’t show up in static scans but can still lead to breaches and significant losses.”

The researchers said they observed “hundreds” of publicly exposed Ray servers, compromised via this vulnerability. As a result, threat actors were stealing sensitive data such as AI models, production database credentials, and more. In some instances they were even installing cryptominers.