@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546

According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them needs some form of authentication to exploit (needs creation of something).
After the first stage, the reading of the file outside of the VFS sandbox might not need authentication. I am not sure.

#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation

h4sh (@[email protected])

I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox. https://www.cve.org/CVERecord?id=CVE-2024-4040 If anyone disagrees with our CVSS analysis, please let me know & bring proof #CVE20244040 #CVE_2024_4040

Infosec Exchange

Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040

CVE Website

Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019), which was 2 years and 4 months. APT28 is publicly attributed to the Russian General Staff Main Intelligence Directorate (GRU). IOC provided. 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

cc: @serghei @campuscodi @briankrebs @jwarminsky

#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials | Microsoft Security Blog

Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.

Microsoft Security Blog

Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC

More on the PAN-OS CVE-2024-3400

PSIRT learned of a suspicious exfiltration attempt at a customer site. Palo Alto Networks' team investigated the issue with Volexity's team.

Palo Alto Networks Blog

It's not a Friday without an actively exploited zero-day vulnerability (with no CVE ID) in a file transfer product. cc: @todb

#zeroday #eitw #activeexploitation #CrushFTP #vulnerability

CrushFTP warns users to patch exploited zero-day “immediately”

CrushFTP warned customers today in a private memo of an actively exploited zero-day vulnerability fixed in new versions released today, urging them to patch their servers immediately.

BleepingComputer

Bleeping Computer: GreyNoise and ShadowServer Foundation are reporting active exploitation of CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). The good news is that all hotfixes for vulnerable versions of PAN-OS are now released. 🔗 https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/

#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev

22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks

Approximately 22,500 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw, a critical command injection vulnerability that has been actively exploited in attacks since at least March 26, 2024.

BleepingComputer

Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC

A Look at CVE-2024-3400 Activity and Upstyle Backdoor Technical Analysis

Delve into CVE-2024-3400, a zero-day command-injection flaw in PAN-OS. Uncover exploitation trends in Zscaler's intelligence network and a Python-based backdoor

Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC. 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/

#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC

Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters | Microsoft Security Blog

Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage them for cryptomining activity.

Microsoft Security Blog

TrustedSec CTO Justin Elze shared a CVE-2024-3400 exploit seen in the wild on Twitter yesterday, reporting that 149.28.194.95 was attempting to exploit CVE-2024-3400.

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC

In case you missed it, Palo Alto Networks updated their security advisory in terms of product and mitigation guidance, exploit status, and PAN-OS fix availability: 🔗 https://security.paloaltonetworks.com/CVE-2024-3400

  • Exploitation status: Proof of concepts for this vulnerability have been publicly disclosed by third parties.
  • Workarounds and mitigations: In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
  • Solution:
    • 10.2.6-h3 (Released 4/16/24)
    • 11.0.3-h10 (Released 4/16/24)
    • 11.0.2-h4 (Released 4/16/24)
    • 11.1.0-h3 (Released 4/16/24)

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept

CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurat...

Palo Alto Networks Product Security Assurance