Palo Alto Networks Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/palo-alto-networks/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Hackers Bypass CAPTCHA on GitHub to Automate Account Creation
https://gridinsoft.com/blogs/hackers-bypass-captcha/
Thu, 12 Jan 2023 16:32:00 +0000

The South African hack group Automated Libra is looking for new approaches to use the resources of cloud platforms for cryptocurrency mining: hackers bypass CAPTCHA on GitHub.

Let me remind you that we also wrote that Hackers force users to solve CAPTCHA, and also that New hCaptcha bypass method may not affect Cloudflare’s security.

According to Palo Alto Networks, the attackers have recently been using a new system for solving CAPTCHAs, abusing CPU resources more aggressively for mining, and mixing freejacking with Play and Run techniques.

Automated Libra operations were first discovered by Sysdig analysts last fall. The researchers then named the malware cluster PurpleUrchin and suggested that this group specializes in freejacking, that is, abusing free or time-limited access to various services (GitHub, Heroku and Buddy) to mine cryptocurrency at those services’ expense.

Now Palo Alto Networks experts have studied the group’s activity in more detail, analyzing more than 250 GB of collected data and gathering more information about the attackers’ infrastructure and methods.

According to the experts, the attackers’ automated campaigns abuse CI/CD services, including GitHub, Heroku, Buddy and Togglebox, to create new accounts and run cryptocurrency miners in containers. Whereas Sysdig analysts identified only 3,200 malicious accounts belonging to PurpleUrchin, Palo Alto Networks reports that since August 2019 the hackers have created and used more than 130,000 accounts on the platforms mentioned.

In addition, it turned out that the attackers used containers not only for mining itself, but also for trading the mined cryptocurrency on various platforms, including ExchangeMarket, crex24, Luno and CRATEX.

At the same time, the researchers confirm that freejacking is an important aspect of Automated Libra operations, but write that Play and Run tactics also matter greatly. This term usually refers to attackers who use paid resources to make a profit (in this case through cryptocurrency mining) but refuse to pay the bills until their accounts are frozen. Once locked out, they abandon the accounts and create new ones.

As a rule, Automated Libra uses stolen personal data and bank card information to create premium accounts on VPS and CSP platforms, leaving a trail of unpaid debts.

“It appears that the attackers reserved entire servers or cloud instances for themselves, and sometimes used CSP services such as AHP. They did this to make it easier for themselves to host the web servers they needed to monitor and track their massive mining operations”, — the experts write.

In such cases, attackers use as many server resources as possible before losing access. This is in stark contrast to the freejacking tactic, where the miner tries to remain invisible and uses only a tiny fraction of the server’s capacity.

In addition, according to the experts, an interesting feature of the Automated Libra attacks is the CAPTCHA-solving system, which helps the hackers create many GitHub accounts automatically. To do this, the attackers use ImageMagick to convert the CAPTCHA images to their RGB equivalents and then use “identify” to determine the asymmetry of the red channel.


The values obtained in this way are used to rank the images in ascending order, and the automated tool selects the image at the top of the resulting list. Usually, that is the correct one.

The post Hackers Bypass CAPTCHA on GitHub to Automate Account Creation appeared first on Gridinsoft Blog.

Cuba Ransomware Operators Use Previously Unknown ROMCOM RAT
https://gridinsoft.com/blogs/cuba-ransomware-operators-use-previously-unknown-romcom-rat/
Mon, 15 Aug 2022 14:48:46 +0000

Palo Alto Networks reports that the Cuba ransomware operators have begun to use new tactics in their attacks, including the use of a previously unknown remote access trojan (RAT) called ROMCOM RAT.

Let me remind you that we reported that New Cuba Ransomware Variant Involves Double-Extortion Scheme.

In their report, the researchers describe the hack group Tropical Scorpius, which is apparently a “partner” of the Cuba ransomware. Let me remind you that this ransomware has been known to security specialists since 2019. It was most active at the end of 2021, when it was linked to attacks on 60 organizations in five critical infrastructure sectors (including the financial and public sectors, healthcare, manufacturing and IT), from which the hackers received at least $43.9 million in ransoms.

The last notable Cuba update was recorded in the first quarter of 2022, when the malware operators switched to an updated version of the ransomware with finer-grained settings and added quTox support for communicating with their victims.

As Palo Alto Networks analysts now say, the Tropical Scorpius group uses a standard Cuba payload that has not changed much since 2019. One of the few updates in 2022 involves using a legitimate but invalid Nvidia certificate (previously stolen from the company by the Lapsus$ hackers) to sign a kernel driver used in the initial stages of infection. This driver’s task is to detect processes belonging to security products and kill them, helping the attackers avoid detection.


Tropical Scorpius uses a local privilege escalation tool based on an exploit for CVE-2022-24521, which was patched in April 2022.

The next phase of a Tropical Scorpius attack involves loading ADFind and Net Scan to perform lateral movement. Along with this, the attackers deploy a tool on the victim’s network that helps them obtain cached Kerberos credentials. The hackers can also use the tool to exploit the notorious Zerologon vulnerability (CVE-2020-1472) to obtain domain administrator privileges.

At the end of the attack, the Tropical Scorpius operators finally deploy the ROMCOM RAT malware on the victim’s network; it communicates with its command and control servers through ICMP requests issued via Windows API functions.

ROMCOM RAT supports ten main commands:

  1. get information about the connected disk;
  2. get lists of files for the specified directory;
  3. run the reverse shell svchelper.exe in the %ProgramData% folder;
  4. upload data to the management server as a ZIP file using IShellDispatch to copy files;
  5. download data and write to worker.txt in the %ProgramData% folder;
  6. delete the specified file;
  7. delete the specified directory;
  8. create a process with PID spoofing;
  9. process only the ServiceMain received from the control server and “sleep” for 120,000 ms;
  10. traverse running processes and collect their IDs.

Experts note that the Tropical Scorpius hackers compiled the latest version of ROMCOM and uploaded it to VirusTotal on June 20, 2022. This version contains ten additional commands, giving the attackers more control over executing and downloading files and terminating processes.

In addition, the new version supports receiving additional payloads from the C&C server, such as the Screenshooter screenshot tool.


The researchers conclude that with the emergence of Tropical Scorpius, the Cuba ransomware is becoming a more serious threat, although overall this ransomware cannot boast a large number of victims.

The post Cuba Ransomware Operators Use Previously Unknown ROMCOM RAT appeared first on Gridinsoft Blog.

Amazon Patch for Log4Shell allowed privilege escalation
https://gridinsoft.com/blogs/amazon-patch-for-log4shell/
Fri, 22 Apr 2022 20:09:30 +0000

Palo Alto Networks warns that a patch released by Amazon to protect AWS from high-profile issues in Apache Log4j, including the Log4Shell vulnerability, poses a threat to users.

The patch can be used to escape the container and escalate privileges, allowing an attacker to take control of the underlying host.

Let me remind you that in December last year, shortly after cybersecurity researchers raised the alarm about the problems in Apache Log4j, Amazon released emergency patches that fix the bugs in various environments, including servers, Kubernetes, Elastic Container Service (ECS) and Fargate. The purpose of the hotpatches was to fix the vulnerabilities quickly while system administrators migrated their applications and services to a secure version of Log4j.

Let me also remind you that soon after the vulnerabilities were discovered, real-world attacks exploiting Log4Shell were recorded. Moreover, the experts also found that the Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions.

However, as Palo Alto Networks has now found, the patches themselves were flawed and could, among other things, lead to the compromise of other containers and client applications on the host.

“In addition to containers, unprivileged processes can use the patch to elevate privileges and execute code as root”, — the experts say.

The experts showed a video demonstrating a supply-chain attack with a malicious container image on a host running the earlier patch. Similarly, compromised containers can be used to “escape” and take over the underlying host. Palo Alto Networks decided not to share details of this exploit yet, so that attackers could not use it.

“Any process executing a binary named java – inside or outside the container – is considered a candidate for a hotpatch. There, the malicious container could include a malicious binary named java to trick the installed hotpatch into calling it with elevated privileges”, — the analysts say.

In the next step, the elevated privileges could be used by the malicious java process to escape the container and take full control of the compromised server.

Users are advised to update to the corrected version of the hotpatch as soon as possible to prevent exploitation of the related bugs.

The post Amazon Patch for Log4Shell allowed privilege escalation appeared first on Gridinsoft Blog.

WEF warned of impending cyber pandemic
https://gridinsoft.com/blogs/wef-warned-of-impending-cyber-pandemic/
Wed, 03 Feb 2021 16:50:18 +0000

The WEF experts warned about an impending cyber pandemic and called for new approaches to managing the risks associated with the development of next-generation technologies.

By 2025, next-generation technologies such as ubiquitous connectivity, artificial intelligence, quantum computing or new approaches to identity and access management could overwhelm the defences and lead to a global cyber pandemic, experts at the World Economic Forum’s Cybersecurity Centre predict.

The World Economic Forum’s Centre for Cybersecurity has created a community of security and technology leaders to identify future global risks from next-generation technology in order to avert a cyber pandemic.

“Next generation technologies pose new risks to the world, and their impact is not fully understood at this stage. There is an urgent need for collective action, policy intervention, and improved accountability for government organizations and private enterprises. Without this intervention, it will be difficult to maintain confidence in new technologies, on which the future development of the world depends”, — the WEF website says.

In this regard, the WEF, together with the Oxford Martin School at the University of Oxford, launched an initiative called Future Series: Cybercrime 2025, the main goal of which is to identify the approaches required to manage cyber risks associated with major technology trends.

More than 150 global cybersecurity experts from information security companies, research institutions and other organizations, including Palo Alto Networks, Mastercard, KPMG, Europol, ENISA and NIST, are involved in the program.

There is already a global capacity gap in cybersecurity (professionals and all personnel), and as new technologies emerge, the cybersecurity skills gap will widen.

“Safety is not seen as an integral part of innovative technologies and, as a result, there is not enough investment in support (knowledge, leadership, research) and incentives (market forces, regulation) for the safe development of new technologies. The existing capabilities and technologies are not suitable for this purpose, therefore, preventing threats and responding to incidents will require new approaches”, — the WEF experts believe.

Among the recommended approaches, the WEF lists reducing the global capacity gap in cybersecurity, creating a workforce, and moving away from fragmented approaches to cybersecurity that lead to interdependencies and confusion of policies and technologies.

If you want to be even more afraid of the future, read our post: Apocalypse Now: experts presented a new type of cyber-biological attack.

The post WEF warned of impending cyber pandemic appeared first on Gridinsoft Blog.

PgMiner botnet attacks poorly protected PostgreSQL DBs
https://gridinsoft.com/blogs/pgminer-botnet-attacks-poorly-protected-postgresql-dbs/
Mon, 14 Dec 2020 22:19:32 +0000

Palo Alto Networks has discovered the PgMiner botnet, which attacks and breaks into poorly protected PostgreSQL DBs in order to install miners.

A new Linux-based cryptocurrency mining botnet exploits a Remote Code Execution (RCE) vulnerability in PostgreSQL to compromise database servers for cryptojacking.

Cryptojacking (or simply malicious coin mining) is a common way for malware authors to monetize their operations.

Palo Alto Networks has named the new cryptocurrency mining botnet “PGMiner” after its delivery channel and mining mode.

“We believe PGMiner is the first cryptocurrency mining botnet that is delivered via PostgreSQL. It is notable that malware actors have started to weaponize not only confirmed CVEs, but also disputed ones”, — the researchers said.

The PgMiner botnet operates according to a scheme well known and well established among criminals: it randomly selects a range of IP addresses (for example, 18.xxx.xxx.xxx) and then enumerates the whole range looking for systems with port 5432 (PostgreSQL) open.

PostgreSQL is one of the most commonly used open-source relational database management systems (DBMS) for production environments. According to DB-Engines, PostgreSQL is ranked fourth among all database management systems (DBMS) as of November 2020.

If the botnet detects an active PostgreSQL system, it moves from the scanning phase to a brute-force attack, during which it tries a long list of passwords in an attempt to guess the credentials of the default PostgreSQL account (postgres).

If the database owner forgot to disable this account or did not change its password, the hackers gain access to the database and then use the COPY FROM PROGRAM function (CVE-2019-9193 was assigned to it, though many in the PostgreSQL community refused to recognize it as a bug) to expand their access and reach the server and its OS. Having established control over the system, the PgMiner operators deploy a miner on the infected server to mine the Monero cryptocurrency.

According to the researchers, the botnet is currently able to install miners only on Linux MIPS, ARM and x64 platforms.


Experts also mention that the PgMiner control server, from which the hackers control the infected bots, is hosted on Tor, and that the botnet’s codebase resembles another similar malware, SystemdMiner.

Let me remind you that hackers cracked European supercomputers and forced them to mine cryptocurrency.

The post PgMiner botnet attacks poorly protected PostgreSQL DBs appeared first on Gridinsoft Blog.

US cyber command warned about dangerous vulnerability in PAN-OS
https://gridinsoft.com/blogs/us-cyber-command-warned-about-dangerous-vulnerability-in-pan-os/
Wed, 01 Jul 2020 16:16:59 +0000

The US cyber command warned that a dangerous vulnerability has been discovered in PAN-OS and that government hack groups are likely to start using it soon.

PAN-OS is an operating system running on firewalls and corporate VPN devices, manufactured by Palo Alto Networks.

The cause for concern is really serious: the CVE-2020-2021 vulnerability is one of those rare bugs that score 10 out of 10 on the CVSSv3 vulnerability rating scale. Such a score means that the vulnerability is easy to exploit, exploitation does not require serious technical knowledge, it can be used remotely via the Internet, and attackers do not need any prior foothold on the target device.

“From a technical point of view, the vulnerability is an authentication bypass and allows an outsider to gain access to the device without providing credentials. After successfully exploiting the problem, the attacker can change the PAN-OS settings. In essence, this can be used to disable access control policies in the company’s firewalls and VPN solutions, after which the devices will become practically useless”, — said USCYBERCOM representatives.

I also note that Trump declared a state of emergency due to cyberattacks on US energy systems.

Palo Alto Networks specialists have already prepared their own security bulletin, which says that a number of conditions must be met for the problem to be exploited successfully.

In particular, a PAN-OS device is exploitable only with a specific configuration: the Validate Identity Provider Certificate option must be disabled, and SAML (Security Assertion Markup Language) authentication must be enabled.


Devices that can be configured this way are vulnerable to attack. These include:

  • GlobalProtect Gateway;
  • GlobalProtect Portal;
  • GlobalProtect Clientless VPN;
  • Authentication and Captive Portal;
  • PAN-OS firewalls (PA and VM series) and Panorama web interfaces;
  • Prisma Access Systems.

Fortunately, by default these settings have other values. However, CERT/CC expert Will Dormann warns that many PAN-OS operator guides for third-party identity providers recommend exactly this configuration, for example when using Duo authentication or third-party solutions from Centrify, Trusona and Okta.

“As a result, despite the fact that at first glance the vulnerability does not look too dangerous and requires certain conditions to be met, in fact, many devices are configured exactly as described above, especially due to the widespread use of Duo in the corporate and public sectors”, — said Palo Alto Networks.

According to Troy Mursch, co-founder of Bad Packets, the current number of vulnerable systems is approximately 4,200.

“Of the 58,521 Palo Alto public servers (PAN-OS) scanned by Bad Packets, only 4,291 hosts use some kind of SAML authentication”, — writes the expert.

He also clarifies that the scan conducted by his company could determine whether SAML authentication is enabled, but not the status of the Validate Identity Provider Certificate option.

Currently, information security experts are urging all owners of PAN-OS devices to immediately check the configurations of their devices and install patches released by Palo Alto Networks as soon as possible.

Let me remind you that according to the report of Radware company specialists, government hackers attacked more often in 2019-2020.

The post US cyber command warned about dangerous vulnerability in PAN-OS appeared first on Gridinsoft Blog.

Hoaxcalls botnet attacks Grandstream devices
https://gridinsoft.com/blogs/hoaxcalls-botnet-attacks-grandstream-devices/
Thu, 16 Apr 2020 16:28:44 +0000

Palo Alto Networks experts warn that the Hoaxcalls botnet is exploiting a recently fixed vulnerability in Grandstream UCM6200 series devices.

The Hoaxcalls botnet is built on the source code of the Gafgyt/Bashlite malware and is mainly used for DDoS attacks.

“The malware is built on the Gafgyt/Bashlite malware family codebase, which we have dubbed “Hoaxcalls”, based on the name of the IRC channel used for command and control (C2) communications, and is capable of launching a variety of DDoS attacks based on the C2 commands received.”, — write Palo Alto Networks researchers.

The issue in question has the identifier CVE-2020-5722 and is rated as critical (9.8 points on the CVSS vulnerability rating scale). The vulnerability lies in the HTTP interface of Grandstream IP-PBX devices.

Tenable experts who discovered this bug described it as an unauthenticated remote SQL injection.

“The vulnerability can be exploited using a specially crafted HTTP request, which will eventually allow an attacker to execute shell commands with root privileges (versions prior to 1.0.19.20) or inject HTML code into emails to recover passwords (versions prior to 1.0.20.17)”, — said Tenable researchers.

The root of the problem is that the forgotten-password function in the UCM6200 web interface accepts the username as input and looks it up in the SQLite database without sanitizing it. By supplying a crafted value as the username, the attacker can perform SQL injection to create a reverse shell for remote code execution or add arbitrary HTML code to the password recovery email that will be sent to the user.

According to Palo Alto Networks experts, the Hoaxcalls botnet has been actively exploiting this vulnerability for more than a week and then using the infected devices for DDoS attacks. The botnet also attacks DrayTek Vigor routers, infecting them through another critical vulnerability (CVE-2020-8515).

“Vulnerabilities CVE-2020-8515 and CVE-2020-5722 are both rated as critical, in particular because of their ease of operation. After using [these vulnerabilities], an attacker could execute arbitrary commands on the device. It is not surprising that hackers expanded their arsenals with these exploits and began to wreak havoc on the IoT sphere,” – say the experts.

Mitigation

“Hoaxcalls, a new DDOS botnet, is actively exploiting two vulnerabilities which have wide exposure in environments around the world. These same vulnerabilities are also actively being exploited in additional attacks, according to other security research organizations. Unfortunately, they are also easily exploited and lead to remote code execution; as such we advise everyone to patch as soon as possible.”

Recall that the Lemon Duck malware operators, criminal colleagues of the Hoaxcalls users, also attack IoT devices.

The post Hoaxcalls botnet attacks Grandstream devices appeared first on Gridinsoft Blog.
