Network Security


NEWS 
  • Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400

    April 22, 2024

    This threat brief is frequently updated as new threat intelligence is available for us to share. The full update log is at the end of this post and offers the fullest account of all changes made. Updated April 19 to include information on observed levels of attempted exploitation and relative prevalence of those levels, with unsuccessful ...

  • CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

    April 17, 2024

    On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 zero-day vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges ...

  • Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread

    April 16, 2024

    Last year, a command injection vulnerability, CVE-2023-1389, was disclosed and a fix developed for the web management interface of the TP-Link Archer AX21 (AX1800). FortiGuard Labs has developed an IPS signature to tackle this issue. Recently, their researchers observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent “AGoent,” and ...

  • Critical takeover vulnerabilities in 92,000 D-Link devices under active exploitation

    April 8, 2024

    Hackers are actively exploiting a pair of recently discovered vulnerabilities to remotely commandeer network-attached storage devices manufactured by D-Link, researchers said Monday. Roughly 92,000 devices are vulnerable to the remote takeover exploits, which can be remotely transmitted by sending malicious commands through simple HTTP traffic. The vulnerability came to light two weeks ago. The researcher said ...

  • CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED)

    April 3, 2024

    Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. Minerva uses the open-source OpenSSL library for cryptographic functions and to support secure communications. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users (such as C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static\openssl.cnf). Rapid7 has ...

  • What we know about the xz Utils backdoor that almost infected the world

    April 1, 2024

    On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close ...

  • Backdoor found in widely used Linux utility targets encrypted SSH connections

    March 29, 2024

    Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian. The compression utility, known as xz Utils, introduced the malicious code in versions ​​5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports ...

  • New Golang Trojan Installs Certificate for Comms Evasion

    March 25, 2024

    This week, the Sonicwall Capture Labs threat research team analyzed a new Golang malware sample. It uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the C2. There is currently no malware family affiliated, but the IP and URL addresses ...

  • Germany: Use of non-secure line behind Taurus talk leak to Russia

    March 5, 2024

    The Ministry of Defence blamed an unnamed individual’s improper use of a “non-secure data line” for the recent leak of a German army conversation about the Taurus weapon system to Russia. The mistake was made by the participant who took part in the conversation from Singapore and had dialled in via a “non-secure data line” such ...

  • Network tunneling with… QEMU?

    March 5, 2024

    While investigating an incident at a large company a few months ago, kaspersky researchers detected uncommon malicious activity inside one of the systems. They ran an analysis on the artifacts, only to find that the adversary had deployed and launched the following: The Angry IP Scanner network scanning utility The mimikatz password, hash, and Kerberos ticket extractor, and ...