Cyber Threat Intelligence Report | 11/18/2024 | PacketWatch

This week we briefed our clients on the Top 15 Exploited Vulnerabilities of 2023, 0-Day Vulnerabilities, and a new ransomware gang called Interlock.

 KEY TAKEAWAYS 

• The top 15 exploited vulnerabilities of 2023 published by 5 Eyes. Learn how to best protect your organization against these threats.
• New ransomware gang ‘Interlock’ leveraging ‘fake browser update’ scam to gain initial access.
• Critical and high-severity vulnerabilities in Palo Alto, PostgreSQL, and HPE Aruba. Patch now!

Top Exploited Vulnerabilities of 2023

The FBI, NSA, and cybersecurity agencies from the "Five Eyes" nations released a joint advisory detailing the top 15 exploited vulnerabilities of 2023. One of the key takeaways from the advisory is a significant number of these vulnerabilities began as 0-days (exploited before there was a patch from the vendor). Many of these vulnerabilities, such as the Citrix NetScaler and Fortinet SSL-VPN flaws, continued to be leveraged by ransomware groups long after patches were released.

Also of note are CVE-2020-1472, a Microsoft privilege escalation vulnerability known as Zero Logon, and CVE-2021-44228, the infamous Log4j remote code execution (RCE) vulnerability. Both of these vulnerabilities are several years old and have had countless advisories urging organizations to patch, yet they still remain some of the most commonly exploited vulnerabilities in the wild.

In addition to the top 15 exploited vulnerabilities shown below, the full report lists 32 additional vulnerabilities that are commonly exploited. Administrators are strongly encouraged to review the full list and ensure all appropriate security patches have been applied.

What to do about 0-Days?

By its very definition, a 0-day vulnerability is one that has no patch from the vendor. A 0-day vulnerability in an externally facing asset such as a VPN or firewall can be a major security issue, as it could allow an attacker to gain a foothold in the network without detection. While preventing direct exploitation of a 0-day can often be impossible, there are multiple mitigation strategies that can reduce the likelihood of full network compromise if one is exploited:

• Asset Discovery - Knowing exactly what devices are on the network is a crucial part of any patch management program. Additionally, having full knowledge of network devices and their topology will enable the most comprehensive network monitoring possible, as well as ensuring other security controls (such as EDR) are deployed to every possible device.
• Enforce phishing-resistant multi-factor authentication (MFA) for all users, especially on VPN connections.
• Configure access control under the principle of least privilege.
• Ensure all internet-facing devices are properly configured. This includes removing default accounts and passwords, as well as disabling unused or unnecessary ports, protocols, and services.
• Continuously monitor the attack surface with EDR and network monitoring tools.
• Leverage 3^rd party experts to assess security framework adherence (CIS, NIST), conduct vulnerability scans and discovery, and provide security posture reviews.
• For additional steps and resources, administrators are strongly encouraged to read the full advisory here.

Fig 1. Top 15 Exploited Vulnerabilities of 2023  Source: BleepingComputer

Resources:

• https://media.defense.gov/2024/Nov/12/2003581596/-1/-1/0/CSA-2023-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF

• https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3961769/cisa-nsa-and-partners-issue-annual-report-on-top-exploited-vulnerabilities/
  

• https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-most-exploited-vulnerabilities-of-2023/

Emerging Threat - Interlock Ransomware

On November 7, researchers at Cisco Talos published a detailed blog on newly observed TTPs from Interlock Ransomware. This group is very new, only just appearing in public reporting in September 2024. They have been targeting a wide range of industry verticals across the U.S. and Europe. 

One aspect of this group that is different from most ransomware groups is their method for initial access. Per public reporting, they gain access to a victim network by first compromising a legitimate news website. When the victim visits the compromised site, they get a fake "browser update" message, encouraging them to download a malicious file disguised as a Chrome update. The malicious update file is downloaded from legitimate (compromised) sites, but a real Chrome updater is downloaded from an attacker-controlled site, 'apple-online[.]shop'. PacketWatch has directly observed this initial access activity and can confirm that it is detected and blocked by CrowdStrike.

How to Protect Your Organization

• Ensure updated and properly configured EDR is deployed on every endpoint.
• Block traffic to/from apple-online[.]shop.
• Educate users regarding "fake browser update" attacks. This attack method is increasingly common for malware distribution. Inform users of the software update practices at your organization so they know what to look for.
• Additional IOCs published by Talos can be found here.

Resources:

• https://blog.talosintelligence.com/emerging-interlock-ransomware/

• https://github.com/Cisco-Talos/IOCs/blob/main/2024/11/emerging-interlock-ransomware.txt

Vulnerability Roundup

Palo Alto RCE 0-day Under Active Exploitation

A critical vulnerability in Palo Alto Next-Generation Firewall management interfaces is currently being actively exploited. The issue was initially reported on November 8, but a week later Palo Alto issued a bulletin stating the remote code execution vulnerability, currently tracked as PAN-SA-2024-0015, is being abused by unknown threat actors. Any Palo Alto firewall with the management interface exposed to the internet is at risk. Per the Palo Alto bulletin, administrators are urged to take the following precautions:

• "Never enable access to your management interface from the internet or from other untrusted zones"
• Isolate the management interface on a dedicated management VLAN.
• Use jump servers to access the management IP. Users authenticate and connect to the jump server before logging in to the firewall/Panorama.
• Limit inbound IP addresses to your mgt interface to approved management devices. This will reduce the attack surface by preventing access from unexpected IP addresses and prevent access using stolen credentials.
• Only permit secured communication such as SSH, HTTPS.

• Only allow PING for testing connectivity to the interface.

• https://security.paloaltonetworks.com/PAN-SA-2024-0015
  

• https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
  

• https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-critical-rce-zero-day-exploited-in-attacks/

Critical Palo Alto Vulnerabilities Added to CISA KEV

In the past two weeks, three vulnerabilities for Palo Alto Expedition devices have been added to CISA's Known Exploited Vulnerabilities (KEV) catalogue. CVE-2024-5910, an authentication vulnerability patched in July was added November 7. CVE-2024-9463, a command injection vulnerability, and CVE-2024-9465, a SQL injection vulnerability, both patched in early October, were added on November 14. Administrators are urged to apply security updates to these devices as soon as possible.

• https://www.cve.org/CVERecord?id=CVE-2024-5910
  

• https://www.cve.org/CVERecord?id=CVE-2024-9463
  

• https://www.cve.org/CVERecord?id=CVE-2024-9465
  

• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  

• https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog
  

• https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-palo-alto-networks-bug-exploited-in-attacks/
  

• https://thehackernews.com/2024/11/cisa-flags-critical-palo-alto-network.html

PostgreSQL High-Severity Flaw

A high-severity flaw was discovered in PostgreSQL databases that can allow for an unprivileged database user to modify environment variables, which can potentially lead to code execution. This vulnerability is tracked as CVE-2024-10979. Administrators are urged to update their database to one of the following versions: 17.1, 16.5, 15.9, 14.14, 13.17, or 12.21 as soon as possible.

• https://www.postgresql.org/support/security/CVE-2024-10979/
  

• https://www.varonis.com/blog/cve-postgresql-pl/perl
  

• https://thehackernews.com/2024/11/high-severity-flaw-in-postgresql-allows.html

HPE Aruba Critical Vulnerabilities

A series of new vulnerabilities were disclosed by HPE for their Aruba Networking Access Point products, which include 2 critical command injection vulnerabilities that could result in unauthorized remote code execution (RCE). These issues are tracked as CVE-2024-42509 and CVE-2024-47460.  Administrators are urged to upgrade to the following applicable versions:

• AOS-10.7.x.x: 10.7.0.0 and above
• AOS-10.4.x.x: 10.4.1.5 and above
• Instant AOS-8.12.x.x: 8.12.0.3 and above
• Instant AOS-8.10.x.x: 8.10.0.14 and above

Additional recommendations from the vendor include enabling cluster security via the 'cluster-security' command for devices running Instant AOS-8 code. For AOS-10 devices it is instead recommended to restrict access to port UDP/8211 and only allow access from trusted networks.

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US
  

• https://thehackernews.com/2024/11/hpe-issues-critical-security-patches.html

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

Subscribe to be notified of future Reports:

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.