Malicious hackers have compromised potentially thousands of organizations by exploiting two new zero-day vulnerabilities found in widely used software made by cybersecurity giant Palo Alto Networks.
Security researchers at Palo Alto Networks said Wednesday that they have observed a “limited set of exploitation activity” related to the two vulnerabilities in PAN-OS, the operating system that runs on all of Palo Alto’s next-generation firewalls. The bugs are considered zero-days because the company had no time to release patches before the bugs were exploited.
The company said it has observed exploitation of both bugs. The first, CVE-2024-0012, is an authentication bypass that lets an unauthenticated attacker with network access to the management web interface gain administrator privileges; the second, tracked as CVE-2024-9474, is a privilege escalation that lets an attacker who already has administrator access run commands on the firewall as root.
When these vulnerabilities are used together, an attacker can remotely plant malicious code on affected firewalls with the highest possible privileges, allowing for deeper access to a company’s network.
Palo Alto Networks says attackers are now using their own functional exploit chaining the two flaws together to target a “limited number of device management web interfaces” exposed to the internet.
According to the Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for vulnerability exploitation, hackers have already compromised more than 2,000 affected Palo Alto Networks firewalls by leveraging the two recently patched flaws. The non-profit found that the highest number of compromised devices were located in the United States, followed by India, with hackers also exploiting firewalls across the United Kingdom, Australia, and China.
Palo Alto Networks declined to confirm how many firewalls had been compromised when asked by TechCrunch.
U.S. cybersecurity company Arctic Wolf said this week that its researchers also observed hackers exploiting the two Palo Alto firewall vulnerabilities as early as November 19 to break into customer networks, following the release of a proof-of-concept exploit.
“Upon successful exploitation, we have observed threat actors attempting to transfer tools into the environment and exfiltrate config files from the compromised devices,” said Andres Ramos, a threat intelligence researcher at Arctic Wolf, in the company’s blog post.
Palo Alto Networks released patches for the two vulnerabilities and urged organizations to patch as soon as possible and, in the meantime, to restrict access to the management web interface to trusted internal IP addresses rather than exposing it to the internet. U.S. cybersecurity agency CISA has also added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which effectively orders civilian federal agencies to patch their systems within a three-week window.
According to researchers at security firm watchTowr Labs, who reverse-engineered Palo Alto’s patches, the flaws resulted from basic mistakes in the development process.
This is the latest in a series of vulnerabilities found in recent months in corporate security devices, such as firewalls, VPN products and remote access tools, which sit on the edge of a company’s network and function as digital gatekeepers. It is Palo Alto Networks’ second major security alert of the year, and follows similar flaws found this year in products from cybersecurity vendors Ivanti and Check Point.
Keep reading the article on Tech Crunch
The U.S. government announced charges against five individuals accused of carrying out a multi-year hacking spree targeting tech giants and cryptocurrency owners, which security researchers dubbed 0ktapus.
On Wednesday, the U.S. Department of Justice published a press release announcing the charges against the five alleged hackers: Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas; Noah Michael Urban, 20, of Palm Coast, Florida; Evans Onyeaka Osiebo, 20, of Dallas, Texas; Joel Martin Evans, 25, of Jacksonville, North Carolina; and Tyler Robert Buchanan, 22, from the United Kingdom, who was arrested in Spain earlier this year.
The press release said that the five accused hackers targeted employees at American companies with phishing text messages with the goal of stealing their credentials, which they then used to break in and steal company data, as well as cryptocurrency worth millions of dollars. The hackers also allegedly used SIM swapping attacks to take over employees’ phone numbers and then obtain their passwords through password reset features.
Victims mentioned in the court documents published on Wednesday include U.S.-based organizations providing entertainment products, virtual currency, cloud communication platforms, and telecommunication services. The hackers allegedly stole $6.3 million in cryptocurrency from a single unnamed victim, the indictment says.
“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said U.S. Attorney Martin Estrada, as quoted in the press release.
As part of the announcement, the DOJ unsealed three court documents related to the case.
Security researchers have previously linked the alleged hackers to a prolific hacking group called 0ktapus, named for its practice of spoofing the Okta login portals used by tech giants. The hackers targeted hundreds of companies over a months-long hacking campaign in 2022, including Twilio, Coinbase, and Doordash, and again in 2023 to target game makers, including Riot Games.
The hackers were later believed to be involved with other criminal cyberattacks under the group Scattered Spider. Ciaran McEnvoy, a spokesperson for the DOJ, confirmed to TechCrunch that the five hackers are suspected of being part of the group known as Scattered Spider.
In one of the court documents, prosecutors describe the cybercriminal gang as “a loosely organized financially motivated cybercriminal group whose members primarily target large companies and their contracted telecommunications, information technology, and business process outsourcing suppliers.”
According to one of the court documents, which cites the FBI’s investigation, Buchanan and the other hackers targeted at least 45 companies in Canada, the U.S., the U.K., and other countries.
Urban is accused of having stolen more than $800,000 in Bitcoin and Ethereum from several victims, one of the court documents says. One of the documents also mentions an “unindicted co-conspirator” and “other co-conspirators,” suggesting there are more suspects who have yet to be publicly accused of crimes.
The hackers are said to be part of a wider cybercriminal community referred to by researchers as “the Com,” a largely nebulous network of mostly young adults and teenagers, who are highly proficient in impersonation and social engineering techniques capable of tricking employees into handing over their corporate passwords.
The National Crime Agency did not respond to a request for comment on Buchanan’s arrest.
Carly Page contributed reporting.
Keep reading the article on Tech Crunch