PAN-OS vulnerability can bypass authentication on NGFW devices

US Cyber Command has warned users to patch a new critical vulnerability in PAN-OS immediately. Is it really such a major security concern? A 10/10 CVSSv3 score means you should not waste any more time: hacking groups are likely to start exploiting this bug soon.

PAN-OS with a critical flaw that lets hackers bypass authentication on next-generation firewalls

Palo Alto Networks addressed a critical vulnerability, tracked as CVE-2020-2021, in the operating system (PAN‑OS) that powers its next-generation firewalls (NGFW) that could allow unauthenticated network-based attackers to bypass authentication.

When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled, improper verification of signatures in PAN-OS SAML authentication lets an unauthenticated network-based attacker access protected resources. The attacker must have network access to the vulnerable server to exploit the flaw. That configuration is far from exotic: owners using third-party identity providers, for example Duo authentication on PAN-OS devices, or SAML solutions from Centrify, Trusona or Okta, were instructed by those vendors’ integration guides to set up exactly this combination. Enabling the option is Palo Alto Networks’ interim workaround, but it requires a CA-signed IdP signing certificate; a self-signed IdP certificate cannot be validated this way, which leaves upgrading as the only fix for such deployments.
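The advisory does not spell out which verification step went wrong, so the following is an added illustration rather than Palo Alto Networks code: a verifier that checks an assertion’s signature with the key the assertion itself carries, instead of the configured IdP’s certificate, happily accepts an assertion the attacker signed with a key of their own. The toy RSA, the prime values, the assertion fields and the example.com names are all constructed for this demo and are not real cryptography.

```python
import hashlib
import json

# Toy textbook RSA with tiny fixed primes: enough to show the verifier logic,
# useless as real cryptography (constructed for this illustration only).
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def signed_fields(assertion):
    """Canonical bytes of everything the signature covers. KeyInfo and the
    Signature itself are excluded, as they are in XMLDSig."""
    body = {k: v for k, v in assertion.items() if k not in ("KeyInfo", "Signature")}
    return json.dumps(body, sort_keys=True).encode()

def sign(assertion, priv):
    n, d = priv
    digest = int.from_bytes(hashlib.sha256(signed_fields(assertion)).digest(), "big") % n
    return pow(digest, d, n)

def signature_ok(assertion, pub):
    n, e = pub
    digest = int.from_bytes(hashlib.sha256(signed_fields(assertion)).digest(), "big") % n
    return pow(assertion["Signature"], e, n) == digest

IDP_PUB, IDP_PRIV = make_keypair(1000003, 1000033)            # the real IdP's key (constructed)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(1000037, 1000039)  # attacker's own key (constructed)

def issue_assertion(name_id, pub, priv):
    """Build a minimal SAML-like assertion and sign it with the given key."""
    a = {"Issuer": "https://idp.example.com", "NameID": name_id, "Audience": "gp-portal"}
    a["KeyInfo"] = list(pub)      # the signer advertises its own key, as KeyInfo does
    a["Signature"] = sign(a, priv)
    return a

def verify_trusting_keyinfo(assertion):
    """Weak verifier: validates the signature with whatever key the assertion
    presents. Any correctly signed assertion passes, whoever signed it."""
    return signature_ok(assertion, tuple(assertion["KeyInfo"]))

def verify_against_configured_idp(assertion, idp_pub=IDP_PUB):
    """Hardened verifier: only the configured IdP key is trusted, and an
    advertised KeyInfo that differs from it is treated as a forgery."""
    if "KeyInfo" in assertion and tuple(assertion["KeyInfo"]) != idp_pub:
        return False
    return signature_ok(assertion, idp_pub)

if __name__ == "__main__":
    genuine = issue_assertion("alice@example.com", IDP_PUB, IDP_PRIV)
    forged = issue_assertion("admin", ATTACKER_PUB, ATTACKER_PRIV)
    for label, a in (("genuine", genuine), ("forged", forged)):
        print(label, "weak:", verify_trusting_keyinfo(a),
              "hardened:", verify_against_configured_idp(a))
```

The weak verifier is not broken as a signature check: tampering with a signed field still fails. It is broken as an authentication check, because the question it answers is “was this signed by the key it names?” rather than “was this signed by the IdP I configured?”, and only the second question keeps an attacker with their own key out.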

10/10 CVSSv3 vulnerability in PAN-OS

The PAN-OS vulnerability is rated critical, with a CVSSv3 base score of 10 out of 10. A 10/10 score means every metric is at its worst: exploitable over the network, low attack complexity, no privileges and no user interaction required, and full impact on confidentiality, integrity and availability, with the scope extending beyond the vulnerable component itself. Depending on which resources sit behind SAML (GlobalProtect portals and gateways, Captive Portal, or the management web interface), the bug can be used to bypass firewall or VPN access-control policies, or to log in to the web interface as an administrator, effectively taking the device’s security policy out of play.

The vulnerability impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue doesn’t affect PAN-OS 7.1.

The good news is that no in-the-wild attacks have been observed so far. Still, users should inspect the authentication logs, the User-ID logs, ACC Network Activity Source/Destination Regions (leveraging the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect logs (PAN-OS 9.1.0 and above) to determine whether their installs have been compromised. Unusual usernames or source IP addresses in the logs and reports are indicators of compromise: a successful SAML login for an account that does not exist in the identity provider’s directory, or from an address where no user should be, deserves an immediate look.
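As an added example (not Palo Alto Networks tooling), the following Python applies the two indicators named above, unknown usernames and unexpected source addresses, to an authentication-log export. The CSV layout, its column names, the user list and the address ranges are constructed assumptions for the demo; a real PAN-OS export would have to be mapped onto the same fields first.

```python
import csv
import io
import ipaddress

# Constructed sample in a simplified CSV layout. The column names are an
# assumption for this demo, not the exact schema of a PAN-OS log export.
SAMPLE_AUTH_LOG = """\
receive_time,server_profile,auth_method,user,event,src_ip
2020/06/29 08:12:01,okta-saml,SAML,alice@example.com,auth-success,203.0.113.10
2020/06/29 08:15:44,okta-saml,SAML,bob@example.com,auth-success,203.0.113.22
2020/06/29 09:02:30,local-db,LOCAL,netops,auth-success,10.0.5.9
2020/06/29 23:41:09,okta-saml,SAML,admin,auth-success,198.51.100.77
2020/06/29 23:42:15,okta-saml,SAML,svc-backup,auth-success,192.0.2.5
2020/06/30 00:17:40,okta-saml,SAML,bob@example.com,auth-success,198.51.100.200
2020/06/30 01:03:52,okta-saml,SAML,alice@example.com,auth-failed,203.0.113.10
"""

# What "normal" looks like for this deployment (constructed): the identities the
# IdP can actually assert, and the networks logins are expected to come from.
KNOWN_IDP_USERS = {"alice@example.com", "bob@example.com"}
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("10.0.0.0/8")]

UNKNOWN_USER = "username unknown to the IdP directory"
ODD_SOURCE = "source IP outside expected ranges"

def triage_saml_logins(log_text, known_users=KNOWN_IDP_USERS,
                       expected_sources=EXPECTED_SOURCES):
    """Return the successful SAML logins that deserve a second look, each with
    the reasons it was flagged, in log order.

    Only successful SAML authentications matter here: local-database logins and
    failed attempts cannot be the result of a forged assertion being accepted."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["auth_method"] != "SAML" or row["event"] != "auth-success":
            continue
        reasons = []
        if row["user"] not in known_users:
            reasons.append(UNKNOWN_USER)
        src = ipaddress.ip_address(row["src_ip"])
        if not any(src in net for net in expected_sources):
            reasons.append(ODD_SOURCE)
        if reasons:
            findings.append({"time": row["receive_time"], "user": row["user"],
                             "src_ip": row["src_ip"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_saml_logins(SAMPLE_AUTH_LOG):
        print(f["time"], f["user"], f["src_ip"], "->", "; ".join(f["reasons"]))
```

The unknown-username check is the stronger of the two signals: a name the IdP could never have asserted can only have come from an assertion the firewall should have rejected. A known user from an odd address is weaker evidence on its own and is worth correlating with the GlobalProtect and User-ID logs mentioned above.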

Just a few hours after the Palo Alto Networks PAN-OS vulnerability announcement, US Cyber Command spoke about the severity of the issue and the possible risks. According to security experts, foreign state-sponsored hacking groups are very likely to attempt to exploit the bug. All affected devices should be patched immediately.


Holy Guacamole! Apache opened for total control of remote footprint

Apache Guacamole, a popular, free and open source remote access system, is vulnerable to a slew of security bugs related to the Remote Desktop Protocol (RDP). Admins should update their systems (yes, there is a patch available) to avoid attacks bent on stealing information or remote code-execution. 

Guacamole has more than 10 million downloads of its Docker container worldwide and is also embedded in other products such as Jumpserver Fortress, Quali, and Fortigate. It is even more popular now, with large numbers of employees working from home.

Researchers at Check Point began evaluating this software in mid-February as the company prepared to transfer over 5000 employees to remote work during the early stages of the COVID-19 pandemic. They quickly found problems with the open-source gateway. If it connects to a compromised computer inside the network, attackers can use that machine to take control of the entire gateway with potentially disastrous results, they warned.

“Once in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization,” explained Eyal Itkin, researcher from Check Point. “When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network.”

They found several critical reverse RDP vulnerabilities that the destination machine could use to control the gateway, along with new vulnerabilities in FreeRDP, the open-source implementation of Microsoft’s proprietary RDP that Guacamole relies on for its RDP support (FreeRDP is a separate project, not an Apache one).

Between them, these vulnerabilities allow for Heartbleed-style information disclosure along with memory corruption. Chaining these together created arbitrary read and write capabilities on the gateway. The researchers then used a privilege elevation attack to gain control of the system.

An official patch has been available since June 28 (version 1.2.0). Note that all versions of Guacamole released before January 2020 use vulnerable versions of FreeRDP, so it is important to patch now.


Hacker ransoms almost half of MongoDB databases and threatens to contact GDPR authorities

A hacker has uploaded ransom notes on 22,900 MongoDB databases left exposed online without a password. This number accounts for roughly 47% of all MongoDB databases accessible online. 

The hacker is using an automated script to scan for misconfigured MongoDB databases, wipe their content, and leave a ransom note behind asking for a 0.015 bitcoin (~$140) payment. The attacker gives victims two days to pay and threatens to leak their data and to report the breach to the local General Data Protection Regulation (GDPR) enforcement authority.

While some of these databases appear to be test instances, some production systems were also hit and have now had staging data deleted.

These “MongoDB wiping & ransom” attacks aren’t new per se. This is just the latest phase of a series of attacks that started back in December 2016.

Most of the time, these servers get exposed online after administrators follow incorrect MongoDB configuration tutorials, make honest mistakes when configuring their systems, or use server images that come packed with a misconfigured MongoDB system out of the box.

For server admins looking to secure their MongoDB servers the proper way, the MongoDB Security page is the best place to start. At a minimum, enable access control (security.authorization: enabled in mongod.conf) and do not bind mongod to a public interface (net.bindIp; since MongoDB 3.6 the default is localhost only), then confirm from outside your network that port 27017 is not reachable.


Old Lenovo NAS device under fire – hackers are wiping off data and leaving ransom notes

The attacks, carried out by a hacker group calling itself Cl0ud SecuritY, have been going on for at least a month. Only LenovoEMC and Iomega network-attached storage devices are targeted. They became easy prey simply because these old models expose their management interface on the internet without any access protection; left unsecured, that web interface allows a remote user to upload to and delete folders from the NAS.

Searches on Shodan show numerous Iomega NAS devices connected directly to the Internet.

The hackers left ransom notes behind asking owners to pay between $200 and $275 to get their data back. The files are simply deleted, not encrypted or hidden somewhere on the drive. BleepingComputer reports that one victim recovered data with file recovery software after attaching the NAS drive to a PC via USB, but that approach does not succeed in every case.

QNAP and Synology NAS devices targeted as well

Iomega NAS users are not the only ones being targeted by ransom(ware) attacks. The eCh0raix ransomware is targeting QNAP NAS devices; after numerous user reports, the vendor published an advisory on how to lock down and secure these devices. Synology also released an advisory recently after users reported brute-force attacks.

Better safe than sorry… 

Unless you require public access to your files, every NAS device should sit behind a firewall and be reachable only over a VPN. If you must expose one, at least set a strong, unique password and keep the firmware current.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. PROMETHIUM extends global reach with StrongPity3 APT (Talos Intelligence)
2. Files Stolen from 945 Websites Discovered on Dark Web (Dark Reading)
3. University of California SF Pays Ransom After Medical Servers Hit (Dark Reading)
4. Google removes 25 Android apps caught stealing Facebook credentials (ZDNet)
5. Microsoft unveils new Windows 10 Start Menu with theme-aware tiles (BleepingComputer)
6. Microsoft releases emergency update to fix two serious Windows flaws (WeLiveSecurity)
7. Attackers Compromised Dozens of News Websites as Part of Ransomware Campaign (Dark Reading)
8. ThiefQuest ransomware is a file-stealing Mac wiper in disguise (SecurityWeek)
9. New EvilQuest macOS ransomware is a smokescreen for other threats (Help Net Security)
10. Police take down encrypted criminal chat platform EncroChat (ZDNet)