Security News

Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades
2024-04-30 12:44

There are proof-of-concept techniques allowing attackers to achieve persistence on Palo Alto Networks firewalls after CVE-2024-3400 has been exploited, the company has confirmed on Monday, but they are "Not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability." On April 12, Palo Alto Networks warned about limited attacks against internet-exposed firewalls, likely by a state-backed threat actor, who managed to install backdoors, grab sensitive data, and move laterally through target organizations' networks.

Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
2024-04-24 18:26

A state-sponsored threat actor has managed to compromise Cisco Adaptive Security Appliances used on government networks across the globe and use two zero-day vulnerabilities to install backdoors on them, Cisco Talos researchers have shared on Wednesday."On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with 'client-services' or HTTPS management access," the researchers explained.

PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389)
2024-04-24 11:52

More details of and a proof-of-concept exploit for an unauthenticated OS command injection vulnerability in Flowmon, Progress Software's network monitoring/analysis and security solution, have been published. The critical vulnerability has been disclosed and patched by Progress earlier this month.

Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)
2024-04-23 13:50

For nearly four years and perhaps even longer, Forest Blizzard has been using a custom tool that exploits a specific vulnerability in Windows Print Spooler service. Dubbed GooseEgg, the tool is a launcher application that can spawn other applications with SYSTEM-level permissions, thus helping the hackers to perform remote code execution, install backdoors, steal credentials, and more.

CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040)
2024-04-23 09:50

A vulnerability in enterprise file transfer solution CrushFTP is being exploited by attackers in a targeted fashion, according to Crowdstrike. According to Censys, there are currently 9,600+ publicly-exposed CrushFTP hosts, mostly in North America and Europe.

Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204)
2024-04-18 11:59

The newest version of Ivanti Avalanche - the company's enterprise mobile device management solution - carries fixes for 27 vulnerabilities, two of which are critical and may allow a remote unauthenticated attacker to execute arbitrary commands on the underlying Windows system. Both critical vulnerabilities are heap overflow bugs: CVE-2024-29204 is in the WLAvalancheService, and CVE-2024-24996 in the WLInfoRailService component of Ivanti Avalanche before v6.4.3, and may allow unauthenticated remote attackers to execute arbitrary commands on vulnerable systems.

PuTTY vulnerability can be exploited to recover private keys (CVE-2024-31497)
2024-04-16 16:36

A vulnerability in PuTTY, a popular SSH and Telnet client, could allow attackers to recover NIST P-521 client keys due to the "Heavily biased" ECDSA nonces, researchers have discovered. According to PuTTY maintainers, 521-bit ECDSA is the only affected key type.

CVE-2024-3400 exploited: Unit 42, Volexity share more details about the attacks
2024-04-12 19:05

Earlier today, Palo Alto Networks revealed that a critical command injection vulnerability in the company's firewalls has been exploited in limited attacks and has urged customers with vulnerable devices to quickly implement mitigations and workarounds. Palo Alto Networks' Unit 42 and Volexity have now released threat briefs with more information about the attacks, threat hunting queries, YARA rules, and indicators of compromise.

Palo Alto Networks firewalls under attack, hotfixes incoming! (CVE-2024-3400)
2024-04-12 07:32

Attackers are exploiting a command injection vulnerability affecting Palo Alto Networks' firewalls, the company has warned, and urged customers to implement temporary mitigations and get in touch to check whether their devices have been compromised."Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability," they said, and thanked Volexity researchers for flagging the issue.

Microsoft patches two actively exploited zero-days (CVE-2024-29988, CVE-2024-26234)
2024-04-09 19:27

On this April 2024 Patch Tuesday, Microsoft has fixed a record 147 CVE-numbered vulnerabilities, including CVE-2024-29988, a vulnerability that Microsoft hasn't marked as exploited, but Peter Girnus, senior threat researcher with Trend Micro's Zero Day Initiative, has found being leveraged by attackers in the wild. Microsoft has fixed 24 vulnerabilities that may allow attackers to bypass Windows Secure Boot, a security feature that aims to prevent malware from loading when PCs boot up.