Tag Archive for: Reveals

Palo Alto’s Unit 42 team reveals new wave of PAN-OS firewall hack attempts


PAN-OS firewalls are facing an “increasing number of attacks”, though so far, signs of active command execution are rare.

Palo Alto’s PAN-OS firewalls are coming under increasing attack following the company’s disclosure of a command injection vulnerability on 12 April.

A few days later, the Australian Signals Directorate’s Australian Cyber Security Centre circulated a critical alert over the vulnerability, warning Australian organisations using Palo Alto’s firewalls to “act now” to mitigate the vulnerability, while Palo Alto said it was working on a hotfix.

Now, Palo Alto’s Unit 42 has shared more details of how the vulnerability – CVE-2024-3400, which could allow a threat actor to run arbitrary code on affected PAN-OS firewalls – is being actively exploited.

Unit 42 has sorted the exploitation attempts it has observed into four discrete levels of increasing severity, each with its own recommended remediation.

At level zero, threat actors are simply probing the firewall and failing to gain any access. Unit 42 expects these attempts to have “little to no immediate impact” on organisations, and simply applying the available hotfix should remedy the situation.

Unit 42 rates level one as threat actors actively testing the vulnerability. In this case, “a zero-byte file has been created and is resident on the firewall. However, there is no indication of any known unauthorised command execution.”

Again, applying Palo Alto’s hotfix should do the trick.

In both cases, Unit 42 believes resetting the impacted device is unnecessary, as there is no indication of active compromise or data exfiltration.

At level two, however, Unit 42 is beginning to see “potential exfiltration” of data.

“A file on the device has been copied to a location accessible via a web request, though the file may or may not have been subsequently downloaded,” Unit 42 said in a blog post. “Typically, the file we have observed being copied is running_config.xml.”

Unit 42’s advice in this case is to both install the hotfix and perform a private data reset.

“Private data reset clears all logs and reverts the configuration to factory defaults,” Unit 42 said. “The system will restart…
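The levels above amount to a triage decision: which artefacts are present on the firewall, and whether a hotfix alone is enough or a private data reset is also needed. The script below is an added example, not Unit 42's tooling, that runs that logic over a constructed file inventory. The directory names (`WEB_ROOT`, `SESSION_DIR`) are placeholders chosen for the example, not real PAN-OS paths, and the level-3 branch (evidence of command execution, which the excerpt mentions but does not describe in detail) is an assumption that simply escalates rather than prescribing a remediation.

```python
"""Triage helper for CVE-2024-3400 artefacts (added example, not Unit 42 code).

Maps what is found on a PAN-OS firewall to the exploitation levels described
in the article and to the remediation given for each: hotfix only for levels
0 and 1, hotfix plus private data reset for level 2.  Directory names are
placeholders for the example, not real PAN-OS paths."""

from dataclasses import dataclass
from typing import Iterable, List

# Assumed locations for the example (not PAN-OS paths).
WEB_ROOT = "/web/public/"      # anything under here is fetchable via HTTP
SESSION_DIR = "/sessions/"     # where a probe's zero-byte file would land
CONFIG_NAME = "running_config.xml"

ACTIONS = {
    0: "apply hotfix",
    1: "apply hotfix",
    2: "apply hotfix and perform a private data reset",
    # Level 3 is outside the excerpt; the example only escalates it.
    3: "treat as compromised; escalate to full incident response",
}


@dataclass(frozen=True)
class Artifact:
    path: str
    size: int  # bytes


@dataclass(frozen=True)
class Triage:
    level: int
    reason: str
    action: str


def parse_inventory(lines: Iterable[str]) -> List[Artifact]:
    """Parse constructed 'size<TAB>path' lines; '#' lines are comments."""
    artifacts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        size, path = line.split("\t", 1)
        artifacts.append(Artifact(path=path, size=int(size)))
    return artifacts


def classify(artifacts: List[Artifact], command_execution_seen: bool = False) -> Triage:
    """Return the highest applicable level; a level-2 device may also carry
    the level-1 zero-byte file, so the more severe indicator wins."""
    if command_execution_seen:
        return Triage(3, "evidence of unauthorised command execution", ACTIONS[3])
    exposed = [a for a in artifacts
               if a.path.startswith(WEB_ROOT) and a.path.endswith(CONFIG_NAME)]
    if exposed:
        return Triage(2, f"{CONFIG_NAME} copied to web-accessible path {exposed[0].path}", ACTIONS[2])
    probes = [a for a in artifacts if a.path.startswith(SESSION_DIR) and a.size == 0]
    if probes:
        return Triage(1, f"zero-byte file {probes[0].path} present on firewall", ACTIONS[1])
    return Triage(0, "no artefacts on device; probing only", ACTIONS[0])


# Constructed sample inventory, not real firewall output.
SAMPLE_INVENTORY = [
    "# size<TAB>path",
    "0\t/sessions/probe-a1b2",
    "1842\t/web/public/css/running_config.xml",
    "77\t/sessions/user-7f3c",
]


def triage_sample() -> Triage:
    return classify(parse_inventory(SAMPLE_INVENTORY))


if __name__ == "__main__":
    result = triage_sample()
    print(f"level {result.level}: {result.reason} -> {result.action}")
```

Run as written, the sample classifies as level 2 because the copied `running_config.xml` sits under the web root, even though the level-1 zero-byte file is also present; that ordering is the point, since the remediation follows the worst indicator found, not the first.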


Google Reveals Android Security Update That Even Beats iPhone


The clear differences between Android and iPhone are narrowing quickly—and the latest Google update has just reduced that gap even further…

It’s already clear that Android 15 will be a huge step forward for users on the security and privacy front. The gap between iPhone and Android is closing fast, with little to choose between features and hardware. Apple’s privacy and security credentials have remained one of the last standouts, but Google is catching up.

Just as Google recently revealed that it will warn Pixel users when their cellular connection may have been tracked or intercepted, beating iPhone at its own game, another security innovation has now been previewed.

The latest revelation, which comes from the Android 15 Beta currently doing the rounds, beats iPhone with a neat new security feature.


This update is app quarantining. One of the areas where Android still lags iPhone is app defense—malware and device infection. Google provides Play Protect and has shored up its Play Store, but rogue apps still manage to find a way through.

Quarantining is a halfway house between letting a potentially dangerous app run wild on a device and deleting it completely. Instead, Android could quarantine an app—almost like putting it into a sandbox, where it’s contained and unable to access data or functionality that might harm the user, without resorting to deletion.

This doesn’t seem like such a material change. But because deletion is so drastic, Play Protect needs a high bar before it does so automatically. That isn’t the case with quarantining, meaning the system can act more quickly and more often.

And while this will initially be seen as soft deletion, it could evolve into a setting whereby Android can act to block apps with onerous permissions or which seem to be acting out of character. Perhaps, eventually, users could even select a general privacy/risk level and have the system act accordingly.


Google to launch a new ‘anti-virus’ system for apps, reveals Android 15 beta release


Android 15, set to debut on Pixel smartphones later this year, has revealed intriguing features through developer previews and public beta releases. Among these features is a potential new tool aimed at aiding users in identifying and containing malicious apps on their devices.

Feature Unveiled in Android 15 Beta:

The latest beta of Android 15 has unveiled a prospective feature that could change app security on the platform. As reported by Android Authority, it would allow system apps such as Google Play Services or the Play Store to isolate and restrict apps they detect as malicious, much as antivirus programs quarantine files on Windows.

Functionality and Implementation:

The proposed functionality involves quarantining apps, severely limiting their capabilities once they are identified as potential threats. While the code for this feature exists within Android 15, it remains dormant pending activation. If implemented, a quarantined app would be barred from displaying notifications, its windows would be hidden, its activities stopped, and it would be prevented from making the device ring.


Restricted Access and Potential Limitations:

The envisaged “QUARANTINE_APPS” permission would be exclusively granted to apps signed by Google’s certificate, effectively restricting the quarantine function to the Play Store or Google Play Services. Notably, despite quarantine, apps would remain visible in the app drawer, albeit greyed out. Tapping on such icons would inform users of their unavailability and offer options for restoration.

Uncertainties Surrounding Implementation:

While the feature was initially observed in a developer build of Android 14 in 2022, its fate in Android 15 remains uncertain. Should Google proceed with its integration, it’s likely that only designated Google entities would wield the power to quarantine apps. Such a tool could prove invaluable in cases where suspicious app behavior is flagged by Google’s Play Protect malware scanner.

As Android 15 inches closer to its official release, the potential inclusion of a…


Research reveals a resurfaced botnet targeting end-of-life devices


Research from the Black Lotus Labs team at Lumen Technologies has identified multi-year efforts to target end-of-life (EoL) and IoT devices. Small office and home office routers are a particular target of this campaign, which is associated with an updated version of malware known as TheMoon.

“As we’ve expanded the types of devices that have operating systems in them, we haven’t kept up with the lessons learned from desktop and server computing, namely that automatic updates are the norm. This problem is exacerbated by consumers using devices for much longer periods of time than manufacturers want,” says John Bambenek, President at Bambenek Consulting. “By using security updates as leverage for buying new products, the net result is infected devices that are used in cybercrime. Criminals have all the time in the world to be patient, they are already netting a strong cash flow and there are more infectable devices than they have time to exploit.”

TheMoon emerged in 2014 and has been operating quietly ever since. Between January and February 2024, it grew to more than 40,000 bots across 88 countries. Many of these bots are deployed as the foundation of a cybercriminal-focused proxy service called Faceless.

Faceless is a malicious service offering anonymity to cybercriminals for a negligible price. Malicious actors using Faceless can route their traffic through its proxies to hide their origins.

Jason Soroko, the Senior Vice President of Product at Sectigo, says, “Routers and other networking equipment that use passwords have been easy victims to spray and pray attacks for years. It is unfortunate that stronger forms of authentication are not common. What’s new here is the usage of proxy networks for C2 traffic obfuscation. It shows that de-anonymizing Tor and VPN traffic is not only happening, but has been successfully used against attackers.”
