Steve Thomas - IT Consultant


  • Researchers discover three-year old malicious package in PyPI
  • The package is a typosquatted version of Fabric, with 37,000 downloads
  • Its goal is to steal AWS login credentials from the developers

A malicious Python package has been hiding in the Python Package Index (PyPI) for years, stealthily stealing people’s Amazon Web Service (AWS) credentials.

Cybersecurity researchers Socket outlined how a package called “fabrice” was uploaded to the repository back in 2021 - before PyPI deployed its advanced scanning tool.

Since the tool did not scan existing packages retroactively, the package remained on the platform and continued to be offered to users.

Hidden Risk

PyPI is one of the most popular Python package repositories in the world, with millions of daily downloads and a half-million hosted packages.

Fabrice is a typosquatted version of the “fabric” library, a package for SSH-based remote server management, designed to simplify system administration and deployment tasks. It is primarily used for scripting and automating tasks across multiple servers, and enables users to run shell commands remotely over SSH.

According to BleepingComputer, fabric has more than 200 million downloads, making it extremely popular. Its typosquatted version did not fare too badly either, having been downloaded more than 37,000 times by the time it was identified as malicious.

Fabrice targets both Windows and Linux users, and while it comes with a number of features and persistence mechanisms, its key job is to steal Amazon Web Services credentials. Once it finds them, the malware exfiltrates them to a VPN server, apparently operated by the connectivity and cloud services provider M247, in Paris, France, which reportedly makes tracking the actual destination more difficult.

To defend against these attacks, businesses can do two things - make sure they know exactly what they’re downloading from the internet, and deploy AWS Identity and Access Management (IAM) to manage permissions to the resources.

Typosquatting on PyPI is a common occurrence these days, and is the root cause of some of the bigger software supply chain attacks today.
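As an added example (not part of the article and not Socket's tooling), here is the kind of defender-side check the advice above implies: it normalizes the names in a requirements file and flags any name that is not on the team's own allowlist but sits within a couple of edits of an allowlisted package, which is exactly how “fabrice” relates to “fabric”. The allowlist and the requirements text are constructed sample data.

```python
"""Flag requirement names that are near-misses of packages on an allowlist.

Added example, not the article's or Socket's code. APPROVED and REQUIREMENTS
are constructed sample data; "fabrice" is the typosquat named in the article.
"""
import re
from typing import Dict, List, Set

# Constructed allowlist: packages this hypothetical team has actually vetted.
APPROVED: Set[str] = {"fabric", "requests", "boto3", "paramiko", "invoke"}

# Constructed requirements file with one typosquat slipped in.
REQUIREMENTS = """\
# deployment helpers
fabrice==1.0.0
requests>=2.31
boto3
paramiko==3.4.0
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case; runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> List[str]:
    """Extract normalized project names; comments, blank lines and version
    specifiers (==, >=, ~=, extras in [...]) are ignored."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names


def find_suspects(names: List[str], approved: Set[str], max_dist: int = 2) -> Dict[str, str]:
    """Map each name that is not on the allowlist but lies within max_dist
    edits of an allowlisted name to that nearest allowlisted name."""
    approved_norm = {normalize(a) for a in approved}
    suspects: Dict[str, str] = {}
    for name in names:
        if not approved_norm or name in approved_norm:
            continue
        dist, nearest = min((levenshtein(name, a), a) for a in approved_norm)
        if dist <= max_dist:
            suspects[name] = nearest
    return suspects


def check(text: str = REQUIREMENTS, approved: Set[str] = APPROVED) -> Dict[str, str]:
    """Run the check over a requirements file; returns {suspect: nearest approved}."""
    return find_suspects(parse_requirements(text), approved)


if __name__ == "__main__":
    for bad, near in check().items():
        print(f"{bad!r} is not on the allowlist but is close to {near!r}; verify before installing")
```

Pinning package hashes in the lock file is the complementary control: the near-miss check catches a wrong name, the hash catches a right name with the wrong contents.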



  • Palo Alto Networks says it's aware of claims of flaws in the firewalls
  • Company is advising users to be extra cautious and tighten up on security
  • A patch will be deployed when more details about the bug are found

Palo Alto Networks has revealed it was recently made aware of an alleged vulnerability in its firewall offering which could allow threat actors to remotely execute malicious code.

Since it doesn’t know the details of the flaw, and is yet to see any evidence of in-the-wild abuse, the company says it doesn’t have a patch lined up just yet, but said it was “aware of a claim” of a remote code execution vulnerability in the PAN-OS management interface and has, as a result, started actively monitoring for signs of exploitation.

In the meantime, Palo Alto Networks has advised its users to be extra cautious, noting: “At this time we believe devices whose access to the Management Interface is not secured as per our recommended best practice deployment guidelines are at increased risk."

Mitigating the problem

“In particular, we recommend that you ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice,” the company added.

BleepingComputer found a separate document on Palo Alto Networks' community website, with additional information on how to secure the firewalls:

  • Isolate the management interface on a dedicated management VLAN.
  • Use jump servers to access the mgt IP. Users authenticate and connect to the jump server before logging in to the firewall/Panorama.
  • Limit inbound IP addresses to your mgt interface to approved management devices. This will reduce the attack surface by preventing access from unexpected IP addresses and prevent access using stolen credentials.
  • Only permit secured communication such as SSH, HTTPS.
  • Only allow PING for testing connectivity to the interface.

At the moment, Cortex Xpanse and Cortex XSIAM users seem to be the most vulnerable ones. Prisma Access and cloud NGFW are most likely not affected.

Via BleepingComputer



  • Hybrid work is becoming more common, ONS figures show
  • Over 30s are more likely to work hybrid
  • Workers with no qualifications are less likely to WFH

New research from the Office for National Statistics (ONS) has claimed that although the number of people working from home has declined since 2021, hybrid working is the new normal for over a quarter of working adults in the UK (28%).

Hybrid working is most common for workers over 30, with 29% enjoying such a pattern, compared to just 19% of those aged 16-29. There are a few reasons likely to be behind this, with over 30s more likely to be parents and hold managerial positions, which both make them more likely to work a hybrid pattern.

Perhaps unsurprisingly, the IT industry has the highest share of hybrid workers (49%), followed closely by ‘professional, scientific, and technical activities’ workers (42%). Those least likely to work from home are construction, transportation, and food services.

Time for a lie in?

The report found much of the time hybrid workers saved when not having to commute is spent either sleeping and resting, or with exercise, sports, and well-being.

Workers who have children are more likely to have a hybrid schedule, so the extra time for sleep is probably much needed.

Graduates or workers with a degree equivalent are ten times more likely to choose hybrid work than those with no qualifications (42% compared to 4%), and senior professionals like managers and directors (45%) are also much more likely than their service occupation counterparts (3%) to work hybrid patterns.

Reports of hybrid working becoming the standard for a number of professions aren’t new, but research has shown that one of the obstacles to this is a lack of proper tech.

Splashing out on tech tools for employees may not be a priority for many companies, but hybrid work can improve productivity and happiness amongst workers, so it’s a worthwhile investment.



  • Scammers are targeting pensioners with phishing scams
  • Fake winter fuel support texts have been sent to trick victims
  • Phishing scams are on the rise, increasingly targeting older victims

With the cost of living crisis and the recent introduction of a means tested winter fuel payment, many in the UK are looking for guidance and support this winter, but scammers are taking advantage of the confusion by sending fake ‘winter heating allowance’ and ‘cost of living support’ texts.

The texts have been sent to UK residents, encouraging the recipient to click on a link that takes them to a webpage made to mimic the official GOV.UK website, where they are prompted to fill in a form with personal information and payment details.

Scammers often try to create a sense of urgency to panic victims into action without the time to think through the implications or details that may look out of place. This scam is no different, with the text telling victims that this is the ‘last notice’ before the deadline.

600 domains identified

Researchers from BleepingComputer identified 597 unique domains related to this campaign, which shows how far reaching the threat is. Similar campaigns have been observed in Lancashire and Belfast, using fake regional support networks to trick victims.

“Please note that the government has decided that the Winter heating_allowance and Cost of Living_support for 2024 have been fully implemented, you have met the requirements,” the text obtained by researchers reads.

“Please be sure to fill in the application information as soon as possible, we will release the money to you within 3days, please note that check, this will be the last notice to you, the online application channel deadline is November 12,” it continued.

By promising a payout but imposing a fake deadline, the scammers create a false sense of urgency so that victims are hurried into entering sensitive information.

Phishing scams are on the rise and are becoming harder to spot. We always recommend taking your time, not clicking any links from untrusted sources, and always getting a second opinion if you aren’t sure.

Via BleepingComputer


  • Research shows that Manifest V3 could suffer from security issues
  • The upgraded Chromium manifest still allows malicious extensions
  • Some security tools struggle to identify dangerous extensions

Browser extensions have long been a convenient tool for users, enhancing productivity and streamlining tasks. However, they have also become a prime target for malicious actors looking to exploit vulnerabilities, targeting both individual users and enterprises.

Despite efforts to enhance security, many of these extensions have found ways to exploit loopholes in Google’s latest extension framework, Manifest V3 (MV3).

Recent research by SquareX has revealed how these rogue extensions can still bypass key security measures, exposing millions of users to risks such as data theft, malware, and unauthorized access to sensitive information.

Browser extensions now pose greater threats

Google has always struggled with the issues of extensions in Chrome. In June 2023, the company had to manually remove 32 exploitable extensions that were installed 72 million times before they were taken down.

Google’s previous extension framework, Manifest Version 2 (MV2), was notoriously problematic. It often granted excessive permissions to extensions and allowed scripts to be injected without user awareness, making it easier for attackers to steal data, access sensitive information, and introduce malware.

In response, Google introduced Manifest V3, which aimed to tighten security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was expected to resolve the vulnerabilities present in MV2, SquareX’s research shows that it falls short in critical areas.

Malicious extensions built on MV3 can still bypass security features and steal live video streams from collaboration platforms like Google Meet and Zoom Web without needing special permissions. They can also add unauthorized collaborators to private GitHub repositories, and even redirect users to phishing pages disguised as password managers.

Furthermore, these malicious extensions can access browsing history, cookies, bookmarks, and download history, in a similar way to their MV2 counterparts, by inserting a fake software update pop-up that tricks users into downloading the malware.

Once the malicious extension is installed, individuals and enterprises cannot detect the activities of these extensions, leaving them exposed. Security solutions like endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) cannot dynamically assess browser extensions for potential risks.

To address these challenges, SquareX has developed several solutions aimed at improving browser extension security. Their approach includes fine-tuned policies that allow administrators to decide which extensions to block or permit based on factors such as extension permissions, update history, reviews, and user ratings.

This solution can block network requests made by extensions in real-time, based on policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a modified Chromium browser on its cloud server, providing deeper insights into the behavior of potentially harmful extensions.

“Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence,” noted Vivek Ramachandran, Founder & CEO of SquareX.

“This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.”

“Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” Ramachandran added.


  • Phishing attacks are becoming more complex and harder to detect
  • Attackers are using new techniques such as QR codes and deepfakes
  • Some businesses are receiving 36 phishing emails per day

Phishing attacks are consistently on the rise and becoming more sophisticated, as cybercriminals no longer rely solely on basic email schemes, instead incorporating new tactics such as QR code phishing (quishing), AI-powered attacks, and multi-channel phishing to enhance their effectiveness.

A new Egress report has revealed phishing attacks spiked in the second quarter of 2024, with a 28% rise in the number of phishing emails compared to the first quarter.

Phishing attacks are also becoming more sophisticated. Cybercriminals now use a variety of new tactics to bypass secure email gateways (SEGs) and native defenses like Microsoft 365’s security features. In Q2 2024 alone, there was a 52.2% increase in phishing attacks that successfully bypassed SEG detection.

Commodity attacks - a mass-produced threat

One type of phishing that has seen a notable increase in 2024 is commodity attacks. These are mass-produced, malicious campaigns that impersonate well-known brands on a large scale to trick users into clicking on fake promotions, images, or hyperlinks.

The report reveals that during these attacks, organizations experience a staggering 2,700% increase in phishing attempts, with organizations over the 2,000-employee mark having to deal with over 1,128 phishing emails over 31 days, which is about 36 phishing emails per day. The sheer volume of these attacks can overwhelm many companies' security systems, making it increasingly difficult to prevent every malicious email from reaching an employee's inbox.

One of the methods used to bypass SEG is HTML smuggling, where attackers hide malicious scripts inside HTML attachments. Once opened by the user, the script assembles itself on the victim’s device, bypassing traditional signature-based detection. Another tactic involves embedding phishing links within seemingly legitimate documents or exploiting vulnerabilities in trusted websites to host malware.
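An added example, not Egress's tooling: a heuristic scan for the HTML-smuggling pattern described above, run over a constructed e-mail whose HTML attachment carries the three tell-tale markers (a long base64-looking literal, a client-side decode call, and a Blob/object-URL download assembled in the browser). The attachment's literal is filler, not a payload, and a benign message is included to show the heuristic does not fire on ordinary script.

```python
"""Heuristic scan of e-mail HTML attachments for HTML-smuggling markers.

Added example, not Egress's tooling. SAMPLE_EML and BENIGN_EML are constructed;
the long literal in the sample attachment is filler ('A' * 240), not a payload.
"""
import re
from email import message_from_string
from typing import Dict, List, Tuple

# Three ingredients of the technique: the encoded file travels inside the HTML,
# script decodes it on the client, and the browser assembles a download from it.
INDICATORS = {
    "long_base64_literal": re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']"),
    "client_side_decode": re.compile(r"\batob\s*\(|String\.fromCharCode\s*\("),
    "blob_download": re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\(|msSaveOrOpenBlob|\.download\s*="),
}

# Constructed attachment body: markers present, literal is filler, not a real file.
SAMPLE_HTML = """<html><body><p>Your document is ready.</p>
<script>
  var enc = "%s";
  var raw = atob(enc);
  var blob = new Blob([raw], {type: "application/octet-stream"});
  var url = URL.createObjectURL(blob);
</script></body></html>""" % ("A" * 240)

# Constructed benign attachment with ordinary script.
BENIGN_HTML = """<html><body><h1>Quarterly update</h1><p>See attached figures.</p>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
</body></html>"""


def _eml_with_attachment(html: str) -> str:
    """Wrap html as a text/html attachment in a minimal constructed multipart message."""
    return (
        "From: billing@example.invalid\nTo: user@example.invalid\n"
        "Subject: Invoice 4471\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nPlease see the attached invoice.\n"
        '--b1\nContent-Type: text/html; name="invoice.html"\n'
        'Content-Disposition: attachment; filename="invoice.html"\n'
        "Content-Transfer-Encoding: 8bit\n\n" + html + "\n--b1--\n"
    )


SAMPLE_EML = _eml_with_attachment(SAMPLE_HTML)
BENIGN_EML = _eml_with_attachment(BENIGN_HTML)


def scan_html(html: str) -> Dict[str, object]:
    """Score one HTML body: all three indicators => 'suspicious', two => 'review'."""
    found = [name for name, rx in INDICATORS.items() if rx.search(html)]
    verdict = {3: "suspicious", 2: "review"}.get(len(found), "clean")
    return {"found": found, "score": len(found), "verdict": verdict}


def html_attachments(raw_eml: str) -> List[Tuple[str, str]]:
    """Return (filename, html) for every text/html part sent as an attachment."""
    msg = message_from_string(raw_eml)
    out = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" and part.get_content_type() == "text/html":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            out.append((part.get_filename() or "unnamed.html", body))
    return out


def scan_eml(raw_eml: str) -> List[Tuple[str, Dict[str, object]]]:
    """Scan every HTML attachment in a raw RFC 822 message."""
    return [(name, scan_html(body)) for name, body in html_attachments(raw_eml)]


if __name__ == "__main__":
    for name, result in scan_eml(SAMPLE_EML) + scan_eml(BENIGN_EML):
        print(name, result["verdict"], result["found"])
```

Real attachments often split the literal into short chunks or obfuscate the decode call, so in production the literal threshold and the decode pattern should be tuned, and a "review" verdict is a reason to detonate the file in a sandbox rather than to deliver it.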

Businesses must now implement advanced security measures and foster a culture of awareness to better protect themselves against the growing threat of phishing.

Phishing attacks are increasingly using AI-powered tools to scale their operations. AI allows cybercriminals to automate and personalize phishing campaigns, making them more convincing and harder to detect. Deepfakes and AI-generated chatbots are now major tools of choice for cybercriminals.

These technologies allow attackers to impersonate trusted individuals or organizations, further increasing the likelihood of success. This year, there has been a significant rise in "payloadless" attacks which rely solely on social engineering rather than traditional malicious attachments or links, accounting for nearly 19% of phishing attempts in 2024, up from 5.4% in 2021.

Cybercriminals are also using multi-channel phishing tactics, allowing hackers to target victims across multiple platforms such as email, SMS, and even collaboration platforms like Microsoft Teams. This multi-channel approach has become more common in 2024, exploiting the relative lack of security on non-email platforms.


  • Github repositories are being infected with malware
  • Trusted repositories can bypass secure web gateways
  • Github comments are also being used to hide malicious files

In a new phishing campaign detected by Cofense Intelligence, threat actors used a novel approach by leveraging trusted GitHub repositories to deliver malware. The campaign is aimed at exploiting the inherent trust many organizations place in GitHub as a developer platform.

Instead of creating malicious repositories, attackers chose to embed malware into legitimate ones affiliated with tax organizations such as UsTaxes, HMRC, and Inland Revenue.

This allowed them to bypass Secure Email Gateway (SEG) protections, posing a significant challenge to cybersecurity defenses. The attack also capitalized on the sense of urgency tied to filing taxes after the April deadline in the US.

Phishing tactic – abuse of trusted repositories

Emails associated with the campaign contained links to archives hosted on GitHub. Unlike traditional phishing attacks that rely on suspicious links or attachments, these emails appeared credible because the GitHub repositories used were legitimate and well-known, and can circumvent Secure Web Gateways.

The archive files linked in the emails were password protected, a tactic used to add an air of legitimacy. This protection also made it more difficult for malware scanners to detect and inspect the contents of the archive. Once opened, the password-protected files installed Remcos Remote Access Trojan (RAT) on the victim’s system, granting attackers remote control over the infected device.

A key component of this campaign was the use of GitHub comments to upload malicious files. GitHub comments are typically used by developers to communicate about a repository’s content, propose changes, or document issues. However, attackers exploited this feature by uploading malware-laden files within comments rather than the repository’s source code, allowing them to circumvent the usual security protocols and ensure that the malware remained hidden.

Even if the original comment containing the malware link was deleted, the malware itself remained accessible through the repository’s file directory. This method has been used before, most notably with the Redline Stealer malware, but this campaign represents a significant escalation in the use of GitHub comments as a malware distribution vector.

The campaign primarily targeted the financial and insurance industries, with both sectors being particularly vulnerable during tax season, as they handle a large volume of sensitive financial data.

The attackers appear to have been testing the waters with a smaller campaign, focusing on these two industries. Previous phishing campaigns using techniques like QR codes had broader targets, but the narrower focus of this attack suggests the threat actors were experimenting with the GitHub-based method before scaling up.

Phishing campaigns remain one of the most persistent and effective tactics used by cybercriminals to gain unauthorized access to sensitive information.

These attacks typically involve deceptive emails or messages that trick users into clicking malicious links, downloading harmful attachments, or revealing personal details.

Over the years, phishing techniques have evolved, becoming more sophisticated and harder to detect. Cybercriminals now leverage trusted platforms, disguise malicious intent behind legitimate-looking messages, and use advanced social engineering techniques.



  • New custom malware loader written in JPHP is wreaking havoc
  • The custom payload is difficult to detect using cybersecurity tools
  • The malware-loader can deploy custom payloads as required

Trustwave SpiderLabs says it has recently uncovered a new form of malware known as Pronsis Loader, which is already causing trouble due to its unique design and tactics.

Pronsis Loader makes use of JPHP, a lesser-known programming language rarely utilized by cybercriminals, and also employs advanced installation techniques, making it more challenging for cybersecurity systems to detect and mitigate.

JPHP, a variation of the popular PHP language, is rarely seen in the world of malware development. While PHP is commonly used for web applications, its integration into desktop malware development is unusual, giving Pronsis Loader an advantage in avoiding detection.

JPHP – a rare choice in cybercrime

Pronsis Loader can evade signature-based detection systems, which are typically designed to recognize more common programming languages in malware. JPHP gives the malware a layer of “stealth”, allowing it to fly under the radar of many security tools.

The malware also uses obfuscation and encryption methods to hide its presence during the initial infection phase. Upon execution, it deploys complex methods to avoid triggering traditional antivirus software and endpoint protection systems. The loader first installs itself silently in the system, disguising its activities by mimicking legitimate processes or applications, making it difficult for both automated security tools and human analysts to spot.

Once installed, Pronsis Loader can download and execute additional malware, including ransomware, spyware, or data exfiltration tools. This modular approach makes the malware highly flexible, allowing attackers to tailor the final payload based on the target’s system or environment. Pronsis Loader is part of an increasing trend in malware development where attackers use loaders as a first step in multi-stage attacks. These loaders, designed to introduce other malware into a system, provide attackers with flexibility.

To combat these evolving threats, security teams should adopt more advanced monitoring and analysis methods, such as behavior-based detection, which can identify malware by its actions rather than its code signatures alone. Additionally, continuous updates to threat intelligence can help identify the use of rare languages and methods like those employed by Pronsis Loader.

“Pronsis Loader marks a notable shift in how cybercriminals are deploying malware, employing JPHP and silent installations to evade traditional detection methods. Its ability to deliver high-risk payloads like Lumma Stealer and Latrodectus makes it particularly dangerous,” said Shawn Kanady, Global Director of Trustwave SpiderLabs.

“Our research uncovers not only the malware’s unique capabilities but also the infrastructure that could be leveraged in future campaigns to give security teams a chance to strengthen their defences,” Kanady added.



  • BlueNoroff seen targeting crypto businesses with new piece of malware
  • The malware establishes persistence and opens up a back door
  • It can download additional payloads, run Shell commands, and more

Devious North Korean state-sponsored threat actors known as BlueNoroff have been spotted deploying a brand new piece of malware to attack their victims.

Cybersecurity researchers SentinelLabs sounded the alarm on the new campaign, noting BlueNoroff is a subgroup of Lazarus, an infamous North Korean organization that mostly targets cryptocurrency businesses and individuals in the West. It is attributed with some of the biggest crypto heists in history.

Usually, the group would “groom” their victims on social media before deploying any malware. In this campaign, however, they have opted for a more direct approach.

Hidden Risk

As SentinelLabs explains, BlueNoroff targets its victims, mostly crypto businesses, with a phishing email seemingly forwarded from a crypto influencer.

The email contains fake news about the latest developments in the cryptocurrency sector, in the form of a .PDF file that redirects victims to a website under the attackers’ control. That website will sometimes serve a benign Bitcoin ETF document, and sometimes a malicious file called “Hidden Risk Behind New Surge of Bitcoin Price.app”.

The name is taken from a genuine academic paper from the University of Texas, the researchers added. The entire campaign is thus named “Hidden Risk”.

The malware comes in multiple stages. The first stage is a dropper app, signed with a valid Apple Developer ID that has since been revoked. This dropper downloads a decoy PDF file that keeps the victim busy while the second-stage payload is deployed in the background.

This payload is called “growth”, and its goal is to establish persistence and open up a back door to the infected device. It only works on macOS devices, running on Intel or Apple silicon, with the Rosetta emulation framework. The final stage is to check in with the C2 server for new commands every minute, which include downloading and running additional payloads, running shell commands, or terminating the process.

The campaign has been active for at least a year, the researchers said.

Via BleepingComputer



  • Researchers spot new phishing campaign distributing Rhadamanthys infostealer
  • The crooks are impersonating entertainment, media, and tech firms
  • The campaign is automated and abuses Gmail

Scammers have been spotted sending out fake copyright infringement violation claims as part of a new phishing campaign aiming to spread the latest version of the Rhadamanthys Stealer malware.

Cybersecurity researchers Check Point Software, who dubbed the campaign CopyRh(ight)adamanthys, noted the crooks were casting a wide net, targeting as many companies as possible.

At the same time, they were also impersonating a large number of different organizations, but due to their high online presence, and frequent copyright-related issues, the majority (70%) were from the entertainment, media, and tech industries.

End of life

Despite Rhadamanthys being a powerful infostealer, this doesn’t seem to be a campaign orchestrated by a nation-state. Rather, the group behind the attack is most likely financially motivated. In its attack, the group uses dedicated Gmail accounts, sometimes targeting the same victim from multiple addresses. They also seem to be using AI capabilities efficiently, not just to create convincing phishing emails, but also to automate the attacks.

The aim of the campaign, Check Point Software argued, is to deploy an updated version of Rhadamanthys. The author claims this version comes with advanced AI-driven features, a claim that was apparently refuted: the tool was shown to use older machine learning techniques of the kind seen in optical character recognition (OCR) software.

“The attackers may be leveraging AI-enhanced automation tools to create phishing content and manage the high volume of Gmail accounts and diversified phishing needed for the campaign,” the researchers concluded.

The Rhadamanthys infostealer is a type of malware designed to steal sensitive information from infected systems, including login credentials, browser data, and cryptocurrency wallet details. It operates by capturing data from popular web browsers, email clients, and other applications where users may store credentials or personal information.

The tool can also log keystrokes as an alternative means of stealing passwords and other sensitive data. The malware is often distributed through phishing campaigns and malicious attachments.



  • HPE releases patch for six serious security vulnerabilities
  • The bugs affected multiple products, and could be used in destructive cyberattacks
  • Patching is advised, but workarounds are available

Two critical security bugs were found plaguing Hewlett Packard Enterprise (HPE) endpoints, the company has confirmed, as it released a patch and follow-up security advisory.

As per the bulletin, multiple Aruba Networking Access Points (AP), powered by the Instant AOS-8 and AOS-10 operating systems, were vulnerable to a total of six flaws, which allowed crooks to mount authenticated remote command execution attacks, create arbitrary files, perform unauthenticated command injection, and more.

Of the six, two were particularly dangerous: CVE-2024-42509 and CVE-2024-47460. These were assigned severity scores of 9.8 and 9.0 respectively, and could have been abused by sending specially crafted packets to Aruba’s Access Point management protocol (PAPI).

End of life

The remaining four vulnerabilities are tracked as CVE-2024-47461, CVE-2024-47462, CVE-2024-47463, and CVE-2024-47464.

All of them plague AOS-10.4.x.x: 10.4.1.4 and older releases, Instant AOS-8.12.x.x: 8.12.0.2 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and older versions.

If your product is older, and isn’t among the ones listed here, then it’s likely reached its end-of-life status and as such will not be patched. In such cases, HPE advises users to replace the instance with a newer model that is still supported.

Those who are still under HPE’s support should update their access points to these versions:

  • AOS-10.7.x.x: Update to version 10.7.0.0 or later.
  • AOS-10.4.x.x: Update to version 10.4.1.5 or later.
  • Instant AOS-8.12.x.x: Update to version 8.12.0.3 or later.
  • Instant AOS-8.10.x.x: Update to version 8.10.0.14 or later.

There are also workarounds for those who cannot install the patch immediately, which include blocking access to UDP port 8211 from all untrusted networks, restricting access to the CLI and web-based management interfaces, and controlling access with firewall policies at layer 3 and higher.

At press time, there was no evidence of in-the-wild abuse.

Via BleepingComputer



  • A bug Palo Alto addressed last summer is being abused in the wild
  • CISA added it to its KEV catalog, giving federal agencies a deadline to patch
  • The bug can be abused to take over accounts and steal data

A critical bug found in Palo Alto Networks’ Expedition program is being abused in the wild, the US government has warned.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) catalog, which means there is evidence of abuse in the wild.

This vulnerability, discovered in Expedition in the summer of 2023, is described as a “missing authentication for a critical function” bug, which can lead to Expedition admin account takeover for crooks with network access. Since Expedition is a tool that helps with configuration migration, tuning, and enrichment, it may contain secrets, credentials, and other data, which would then be at risk of theft.

Proof of concept

Users are advised to apply a patch immediately, since the vulnerability allows threat actors to take over admin accounts, steal sensitive data, and more.

When CISA adds a vulnerability to KEV, it gives federal agencies a deadline to patch it, or stop using the afflicted applications completely. The due date for Palo Alto Networks Expedition is November 28, 2024.

CISA did not share any further details about the attacks, but BleepingComputer dug up a report from Horizon3.ai, who released a proof-of-concept exploit in October 2024. By chaining the bug with CVE-2024-9464, crooks could gain unauthenticated arbitrary command execution capabilities on vulnerable Expedition servers.

This additional vulnerability was also discovered, and patched, last month. Palo Alto Networks said it could have been used to take over admin accounts in firewalls, and take over PAN-OS instances.

For those unable to install the patch immediately, a workaround is available, which includes restricting Expedition network access to authorized users, hosts, and networks, only.

"All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating," Palo Alto Networks concluded.

Via BleepingComputer
