Media Coverage

Exploit code is now available for a maximum severity and actively exploited vulnerability in Palo Alto Networks’ PAN-OS firewall software.

Tracked as CVE-2024-3400, this security flaw can let unauthenticated threat actors execute arbitrary code as root via command injection in low-complexity attacks on vulnerable PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls if the device telemetry and GlobalProtect (gateway or portal) feature are enabled.

While Palo Alto Networks has started releasing hotfixes on Monday to secure unpatched firewalls exposed to attacks, the vulnerability has been exploited in the wild as a zero-day since March 26th to backdoor firewalls using Upstyle malware, pivot to internal networks, and steal data by a threat group believed to be state-sponsored and tracked as UTA0218..

Security threat monitoring platform Shadowserver says it sees more than 156,000 PAN-OS firewall instances on the Internet daily; however, it doesn’t provide information on how many are vulnerable.

The Common Good Cyber initiative, a collaborative effort aimed at addressing the challenge of sustaining nonprofit and public interest organizations involved in critical cybersecurity functions, announces the release of its workshop report. The report encapsulates insights and outcomes from a landmark gathering held in February 2024 at the National Press Club in Washington, D.C., United States.

The workshop, jointly organized by leading cybersecurity organizations including the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams (FIRST), the Global Cyber Alliance, the Institute for Security and Technology (IST), and the Shadowserver Foundation, convened over 100 stakeholders representing various sectors including government, multilateral organizations, civil society, foundations, business, and academia. An additional 200 participants joined online to discuss the systemic underfunding of cybersecurity nonprofits and explore sustainable funding approaches.

First, our focus is on disrupting illegal cyber activity before it can cause harm and threaten national security. Drawing from our CT playbook, it’s a threat-driven and victim-centered approach. While we always look to make arrests where possible, our law enforcement disruptions can take many forms.

Not long ago, such law enforcement disruption operations occurred at most once per year. But, so far this year, the Department has announced already three significant such operations, two of which were spearheaded by NSD, alongside our U.S. Attorney’s Office and FBI partners.

It deserves emphasizing that this is a team sport: Even as the operations relied on Justice Department legal process, we are often not alone in planning or executing them. We are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work.

In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, and other private sector partners. Shortly after we announced the operation, the FBI, NSA, Cyber Command, and 11 foreign partner entities released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU’s relevant tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders.

The cybersecurity community is on high alert after uncovering a serious flaw in Ivanti VPN devices, tracked as CVE-2024-21894. This critical vulnerability holds grave consequences for entities relying on Ivanti for secure remote access. The threat posed by this exploit is considerable, as it could allow unauthorized remote control over affected systems, endangering both operational integrity and the confidentiality of sensitive information. Businesses employing Ivanti’s VPN must act swiftly to implement necessary safeguards.

The Shadowserver Foundation’s extensive network scanning has cast a spotlight on a significant security concern—a widespread vulnerability in the Ivanti VPN software, evidenced by the startling discovery of over 16,000 instances at risk to the critical vulnerability designated as CVE-2024-21894. The Shadowserver Foundation has played a crucial role in unmasking the extent of exposure, which suggests that the issue is not isolated but rather prevalent, raising the alarm on an international scale. Encouragingly, a follow-up check conducted by Shadowserver as of April 7 indicated a reduction in the number of vulnerable instances—to about 10,000.

Shadowserver stands as a key player in the cybersecurity field, relentlessly scanning the internet to pinpoint vulnerabilities. Their role is critical; by detecting and alerting firms to security gaps, they enable proactive defense strategies. Their efforts reflect a significant, broader principle in cybersecurity: collaboration is essential. As a vigilant entity that assists with early threat detection and raises community awareness about evolving digital dangers, Shadowserver functions as a vital component in the fight to protect online environments against nefarious elements. By doing so, they are not just guards but catalysts of collective cyber resilience, underscoring the shared responsibility in defending cyber spaces. Through Shadowserver’s dedication, the digital world becomes a bit more fortified against the constant threat of cyber incursions.

Cybercriminals have actively exploited a critical vulnerability in D-Link Network Attached Storage (NAS) devices globally.

Identified as CVE-2024-3273, this remote code execution (RCE) flaw poses a significant threat to as many as 92,000 devices worldwide.

The exploit allows attackers to execute arbitrary code on vulnerable devices, potentially leading to data theft, device hijacking, and the spread of malware.

D-Link, the manufacturer of the affected NAS devices, has issued a support announcement regarding the vulnerability.

Shadowserver researchers reported that roughly 16,500 Ivanti Connect Secure and Poly Secure gateways are vulnerable to the recently reported RCE flaw CVE-2024-21894.

This week the company released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS), including CVE-2024-21894. The flaw CVE-2024-21894 (CVSS score 8.2) is a heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to the execution of arbitrary code.

Shadowserver researchers have scanned the Internet for instances vulnerable to CVE-2024-21894 and reported that about 16,500 are still vulnerable. Most of the vulnerable systems are in the US (4686 at the time of this writing), followed by Japan (2009), and UK (1032).

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.

Much of our everyday lives, from banking to turning on the lights, would be impossible if the elaborate infrastructure underpinning the Internet were unavailable. However, unlike the electrical grid or financial institutions, there’s no single entity responsible for maintaining and securing the Internet. Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding or subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.

The goal of Common Good Cyber is to find new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Supporting organizations include the Cyber Civil Defense Initiative, the Global Cyber Alliance, the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams, the Institute for Security and Technology, and the Shadowserver Foundation.

A critical Fortinet vulnerability has been actively exploited since at least March 21 and was added to CISA’s Known Exploited Vulnerability catalog on Monday.

In a security advisory on March 12, Fortinet detailed a pre-authentication SQL injection vulnerability tracked as CVE-2023-48788 or what the vendor identifies internally as FR-IG-24-007. On March 21, Fortinet updated the advisory to warn users that CVE-2023-48788 was being exploited in the wild. On Sunday, the Shadowserver Foundation, a cybersecurity nonprofit organization, revealed its internet scans detected several vulnerable instances around the world.

“We have started scanning/reporting Fortinet FortiClient EMS CVE-2023-48788 (pre-auth SQL injection) vulnerable instances. 130 vulnerable found on 2024-03-23 Top: US with 30 IPs,”

That number is potentially higher. Shadowserver noted that its scans only detect the web interface version, and it does not check port 8013 access, which is required for exploitation.

Patching is vital as Fortinet products have been increasingly targeted by threat actors. Last week, exploitation activity escalated for another critical Fortinet flaw tracked as CVE-2024-21762, two days after a proof-of-concept (PoC) exploit was published.

A sweeping vulnerability has been uncovered, leaving an estimated 167,500 instances across various networks susceptible to a Loop Denial of Service (DoS) attack. This discovery underscores the ever-present and evolving threats in the digital landscape, prompting an urgent call to action for organizations worldwide.

The vulnerability was first identified by Shadowserver, a renowned entity in the cybersecurity realm dedicated to identifying and mitigating cyber threats. Through meticulous analysis and monitoring, Shadowserver’s team stumbled upon a pattern of weakness in a staggering number of instances. This flaw, if exploited, could allow attackers to initiate a Loop DoS attack, effectively crippling the targeted systems by overwhelming them with a flood of traffic.

“Today we started sharing data on IPs vulnerable to the novel “Loop DoS” attack discovered by @CISPA. Data is based on DNS, NTP & TFTP protocol scans. Over 167 500 vulnerable instances found on 2024-03-20.”

According to a recent tweet from Shadowserver, there are over 167,500 instances that are vulnerable to the “Loop DoS” attack. In response to this discovery, Shadowserver has issued a call to action for organizations worldwide. System administrators and IT professionals must assess their networks for the identified vulnerabilities and apply necessary patches or updates.

Scans on the public web show that approximately 150,000 Fortinet FortiOS and FortiProxy secure web gateway systems are vulnerable to CVE-2024-21762, a critical security issue that allows executing code without authentication. America’s Cyber Defense Agency CISA confirmed last month that attackers are actively exploiting the flaw by adding it to its Known Exploited Vulnerabilities (KEV) catalog.

Almost a month after Fortinet addressed CVE-2024-21762, The Shadowserver Foundation announced on Thursday that it found nearly 150,000 vulnerable devices. Shadowserver’s Piotr Kijewski told BleepingComputer that their scans check for vulnerable versions, so the number of affected devices may be lower if admins applied mitigations instead of upgrading. According to Shadowserver data, most vulnerable devices, more than 24,000, are in the United States, followed by India, Brazil, and Canada.