Security Roundup April 2024

Jack Hobden
Cyber Security Analyst
29 April 2024

April 2024: Palo Alto Zero-Day Exploited, OWASP Gets Stung, Cyber Gang Crackdown and Microsoft Patch Tuesday.

Urgent Patch Required: Palo Alto Networks Discovers Critical Firewall Vulnerability

After uncovering a zero-day vulnerability in one of its widely-used security products, Palo Alto Networks is urgently pushing businesses to patch the flaw to prevent potential breaches of corporate networks by malicious hackers.

The vulnerability, CVE-2024-3400, was found in recent versions of the PAN-OS software utilised in Palo Alto’s GlobalProtect firewall systems. Palo Alto has classified this vulnerability as critical because it can grant hackers complete control over a vulnerable firewall via the internet without requiring authentication. The ease with which hackers can exploit this weakness remotely exposes numerous firms reliant on such firewalls.

Palo Alto has recommended that customers promptly update affected systems and cautioned that they are “aware of a growing number of attacks” exploiting this zero-day, a term signifying that the company had no advance notice to fix the flaw before malicious actors exploited it.

Volexity, the security firm that initially discovered and reported the vulnerability to Palo Alto, asserted that they had detected signs of malicious exploitation as early as March 26, almost two weeks before Palo Alto released the remedial update.

OWASP Foundation’s Sting After Misconfigured Server Leads to CV Data Breach

A misconfigured MediaWiki web server allowed digital snoops to buzz their way into the CVs of members of the Open Web Application Security Project (OWASP) Foundation, which contained personal information. According to the non-profit organisation, which ironically works to improve web app security, it learned of the misconfiguration and consequent data breach in late February after receiving “a few” sting operation requests.

“We recognise the significance of this breach, especially considering the OWASP Foundation’s emphasis on cybersecurity,” stated OWASP.

Names, email addresses, phone numbers, physical addresses, “and other personally identifiable information” were included in the CVs. While the good news is that these CVs typically have dates at least a decade old, that’s still a lot of people’s information – OWASP has “tens of thousands of members” spread over more than 250 chapters globally.

According to the open-source community, CVs are no longer gathered as part of the membership application process; instead, two-factor authentication is employed to safeguard member data.

To ensure this does not happen again, OWASP stated that it has disabled directory browsing, investigated the web server for additional configuration and security problems and removed all CVs from the website. Additionally, the foundation cleared Cloudflare caches and requested that the accessed material be erased from the online archive.
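One way a defender can confirm that directory browsing really is off after a fix like OWASP's, as an added example that is not code from the post or from OWASP: the check below inspects an HTTP response for the markers that common autoindex implementations emit and pulls out any document-type links it finds. The sample responses are constructed for illustration.

```python
"""Offline check for web-server directory listings (autoindex).
Example code written for this roundup; the sample responses are constructed."""
import re

# Markers emitted by common autoindex implementations (Apache mod_autoindex,
# nginx autoindex, IIS directory browsing, Tomcat's default servlet).
LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of\s*/", re.I),      # Apache, nginx
    re.compile(r"<h1>\s*Index of\s*/", re.I),         # Apache, nginx
    re.compile(r"\[To Parent Directory\]", re.I),     # IIS
    re.compile(r"Directory Listing For\s*/", re.I),   # Tomcat
]

def looks_like_directory_listing(status: int, headers: dict, body: str) -> bool:
    """Return True if an HTTP response resembles an auto-generated index page.
    Only 200 text/html responses qualify, and the body must carry a listing
    marker plus at least one hyperlink so a bare title is not a false positive."""
    if status != 200:
        return False
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.lower().startswith("text/html"):
        return False
    has_marker = any(p.search(body) for p in LISTING_PATTERNS)
    has_links = re.search(r'<a\s+href="[^"]+"', body, re.I) is not None
    return has_marker and has_links

def find_listed_files(body: str, suffixes=(".pdf", ".doc", ".docx")) -> list:
    """Extract hrefs with document-style extensions (the CV case above) from a
    listing so an operator can see exactly what was exposed."""
    hrefs = re.findall(r'<a\s+href="([^"]+)"', body, re.I)
    return [h for h in hrefs if h.lower().endswith(suffixes)]

# Constructed sample responses (not real OWASP data).
APACHE_LISTING = """<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1><ul><li><a href="../">Parent Directory</a></li>
<li><a href="cv_example.pdf">cv_example.pdf</a></li>
<li><a href="notes.txt">notes.txt</a></li></ul></body></html>"""
NORMAL_PAGE = """<html><head><title>Welcome</title></head><body>
<h1>Welcome</h1><a href="/about">About</a></body></html>"""

if __name__ == "__main__":
    html = {"Content-Type": "text/html"}
    print(looks_like_directory_listing(200, html, APACHE_LISTING))  # True
    print(find_listed_files(APACHE_LISTING))                       # ['cv_example.pdf']
    print(looks_like_directory_listing(200, html, NORMAL_PAGE))     # False
```

In practice the response fed to the check comes from a scheduled request against each upload or static directory; a 403 or 404 there is the expected result once listing is disabled.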

Global Cybercrime Crackdown: 37 Arrested in Takedown of LabHost Phishing Operation

37 people have been arrested as part of an international crackdown on LabHost, a cybercrime service used to steal personal information from victims worldwide. LabHost, described as one of the leading Phishing-as-a-Service (PhaaS) providers, supplied phishing pages aimed at banks, high-profile organisations and other service providers, particularly in Canada, the United States and the UK.

According to Trend Micro, LabHost also provided phishing pages for Spotify, postal services such as DHL and An Post, car toll services and insurance providers, as well as the ability for its customers to request the building of custom phishing pages for certain brands.

Between April 14 and 17, 32 more people were arrested as part of a coordinated operation headed by Europol, including four in the United Kingdom who are said to be in charge of designing and running the service.

The phishing pages, linked to phishing and smishing campaigns, are intended to impersonate banks, government institutions and other big organisations, tricking users into inputting their credentials and two-factor authentication (2FA) codes. Names and addresses, emails, dates of birth, typical security question answers, card numbers, passwords and PINs were among the personal information taken.

According to the U.K. Metropolitan Police, LabHost has received around £1 million in payments from illicit customers since its launch. It is estimated that the business received 480,000 card numbers, 64,000 PINs and at least one million passwords for websites and other online services.

Microsoft Patch Tuesday

As our partners at CrowdStrike reported, Microsoft’s newest Patch Tuesday release for April 2024 includes security patches for 150 vulnerabilities. There are three critical remote code execution vulnerabilities (CVE-2024-21322, CVE-2024-21323 and CVE-2024-29053), all associated with Microsoft Defender for IoT, Microsoft’s protection platform for IoT devices.

Need Advice?

If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.

Email: [email protected]
Tel: 0333 370 1353