Palo Alto’s Unit 42 team reveals new wave of PAN-OS firewall hack attempts

/in


PAN-OS firewalls are facing an “increasing number of attacks”, though so far, signs of active command execution are rare.

Palo Alto’s PAN-OS firewalls are coming under increasing attack following the company’s disclosure of a command injection vulnerability on 12 April.

A few days later, the Australian Signals Directorate’s Australian Cyber Security Centre circulated a critical alert over the vulnerability, warning Australian organisations using Palo Alto’s firewalls to “act now” to mitigate the vulnerability, while Palo Alto said it was working on a hotfix.

Now, Palo Alto’s Unit 42 has shared more details of how the vulnerability – CVE-2024-3400, which could allow a threat actor to run arbitrary code on affected PAN-OS firewalls – is being actively exploited.

The big brains at Unit 42 have broken down the exploitation attempts into four discrete groups.

At level zero, we have threat actors simply probing customer networks and failing to make any kind of access. Unit 42 expected these attempts to have “little to no immediate impact” on organisations, and simply applying the available hotfix should remedy the situation.

Unit 42 rates level one as threat actors actively testing the vulnerability. In this case, “a zero-byte file has been created and is resident on the firewall. However, there is no indication of any known unauthorised command execution.”

Again, applying Palo Alto’s hotfix should do the trick.

In both cases, Unit 42 believes resetting the impacted device is unnecessary, as there is no indication of active compromise or data exfiltration.

At level two, however, Unit 42 is beginning to see “potential exfiltration” of data.

“A file on the device has been copied to a location accessible via a web request, though the file may or may not have been subsequently downloaded,” Unit 42 said in a blog post. “Typically, the file we have observed being copied is running_config.xml.”

Unit 42’s advice in this case is to both install the hotfix and perform a private data reset.

“Private data reset clears all logs and reverts the configuration to factory defaults,” Unit 42 said. “The system will restart…

Source…

GPT-4 can exploit zero-day security vulnerabilities all by itself, a new study finds

/in


A hot potato: GPT-4 stands as the newest multimodal large language model (LLM) crafted by OpenAI. This foundational model, currently accessible to customers as part of the paid ChatGPT Plus line, exhibits notable prowess in identifying security vulnerabilities without requiring external human assistance.

Researchers recently demonstrated the ability to manipulate (LLMs) and chatbot technology for highly malicious purposes, such as propagating a self-replicating computer worm. A new study now sheds light on how GPT-4, the most advanced chatbot currently available on the market, can exploit extremely dangerous security vulnerabilities simply by examining the details of a flaw.

According to the study, LLMs have become increasingly powerful, yet they lack ethical principles to guide their actions. The researchers tested various models, including OpenAI’s commercial offerings, open-source LLMs, and vulnerability scanners like ZAP and Metasploit. They found that advanced AI agents can “autonomously exploit” zero-day vulnerabilities in real-world systems, provided they have access to detailed descriptions of such flaws.

In the study, LLMs were pitted against a database of 15 zero-day vulnerabilities related to website bugs, container flaws, and vulnerable Python packages. The researchers noted that more than half of these vulnerabilities were classified as “high” or “critical” severity in their respective CVE descriptions. Moreover, there were no available bug fixes or patches at the time of testing.

The study, authored by four computer scientists from the University of Illinois Urbana-Champaign (UIUC), aimed to build on previous research into chatbots’ potential to automate computer attacks. Their findings revealed that GPT-4 was able to exploit 87 percent of the tested vulnerabilities, whereas other models, including GPT-3.5, had a success rate of zero percent.

UIUC assistant professor Daniel Kang highlighted GPT-4’s capability to autonomously exploit 0-day flaws, even when open-source scanners fail to detect them. With OpenAI already working on GPT-5, Kang foresees “LLM agents” becoming potent tools for democratizing vulnerability exploitation and cybercrime among script-kiddies…

Source…

Hackers Were in Change Healthcare 9 Days Before Attack

/in


Hackers were reportedly in the networks of UnitedHealth Group’s Change Healthcare unit for days before launching their ransomware strike.

They gained entry to the networks on Feb. 12, using compromised credentials on an application that allows staff to remotely access systems, The Wall Street Journal (WSJ) reported Monday (April 22).

During the nine days they were in the system before launching the attack on Feb. 21, they may have been able to steal “significant” amounts of data, Seeking Alpha reported Monday, citing a WSJ article.

Change Healthcare posted its first update reporting connectivity issues Feb. 21, saying that “some applications are currently unavailable” and that the company was triaging the issue.

On April 16, UnitedHealth Group CEO Andrew Witty said during an earnings call that the cyberattack cost the company $872 million.

Witty said that the incident “was straight out an attack on the U.S. health system and designed to create maximum damage,” adding: “I think we’ve got through that very well in terms of the remediation and the build back to functionality.”

In the wake of that attack, the federal government announced it is offering a $10 million reward to help identify the people behind the organization that launched the attack: the ransomware-as-a-service group ALPHV BlackCat.

In addition, U.S. Sen. Mark R. Warner, D-Va., introduced a bill that would accelerate Medicare payments to healthcare providers that have suffered a cyberattack.

The bill, the “Health Care Cybersecurity Improvement Act of 2024,” is meant to incentivize cybersecurity in the healthcare industry.

“The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game,” Warner said in a March 22 press release announcing the introduction of the bill. “This legislation would provide some important financial incentives for providers and vendors to do so.”

PYMNTS Intelligence has found that 82% of eCommerce merchants endured cyber or data breaches in the last year. Forty-seven percent of those merchants said the breaches resulted in both lost revenue and lost…

Source…

Exploitation of vulnerability affecting Palo Alto… – NCSC.GOV.UK – National Cyber Security Centre

/in



Exploitation of vulnerability affecting Palo Alto… – NCSC.GOV.UK  National Cyber Security Centre

Source…