From Digital Age to Nano Age. WorldWide.

Tag: bug

Robotic Automations

Palo Alto Networks' firewall bug under attack brings fresh havoc to thousands of companies | TechCrunch

Palo Alto Networks urged companies this week to patch against a newly discovered zero-day vulnerability in one of its widely used security products, after malicious hackers began exploiting the bug to break into corporate networks.

The vulnerability is officially known as CVE-2024-3400 and was found in the newer versions of the PAN-OS software that runs on Palo Alto’s GlobalProtect firewall products. Because the vulnerability allows hackers to gain complete control of an affected firewall over the internet without authentication, Palo Alto gave the bug a maximum severity rating. The ease with which hackers can remotely exploit the bug puts thousands of companies that rely on the firewalls at risk from intrusions.

Palo Alto said customers should update their affected systems, warning that the company is “aware of an increasing number of attacks” that exploit this zero-day — described as such because the company had no time to fix the bug before it was maliciously exploited. Adding another complication, Palo Alto initially suggested disabling telemetry to mitigate the vulnerability, but said this week that disabling telemetry does not prevent exploitation.

The company also said there is public proof-of-concept code that allows anyone to launch attacks exploiting the zero-day.

The Shadowserver Foundation, a nonprofit organization that collects and analyzes data on malicious internet activity, said its data shows there are more than 156,000 potentially affected Palo Alto firewall devices connected to the internet, representing thousands of organizations.

Security firm Volexity, which first discovered and reported the vulnerability to Palo Alto, said it found evidence of malicious exploitation going back to March 26, some two weeks before Palo Alto released fixes. Volexity said a government-backed threat actor that it calls UTA0218 exploited the vulnerability to plant a backdoor and further access its victims’ networks. The government or nation state that UTA0218 works for is not yet known.

This Palo Alto’s zero-day is the latest in a raft of vulnerabilities discovered in recent months targeting corporate security devices — like firewalls, remote access tools and VPN products. These devices sit at the edge of a corporate network and function as digital gatekeepers, but have a propensity to contain severe vulnerabilities that render their security and defenses moot.

Earlier this year, security vendor Ivanti fixed several critical zero-day vulnerabilities in its VPN product, Connect Secure, which allows employees remote access to a company’s systems over the internet. At the time, Volexity linked the intrusions to a China-backed hacking group, and mass exploitation of the flaw quickly followed. Given the widespread use of Ivanti’s products, the U.S. government warned federal agencies to patch their systems and the U.S. National Security Agency said it was tracking potential exploitation across the U.S. defense industrial base.

And the technology company ConnectWise, which makes the popular screen sharing tool ScreenConnect used by IT admins for providing remote technical support, fixed vulnerabilities that researchers deemed “embarrassingly easy to exploit” and also led to the mass exploitation of corporate networks.

Read more on TechCrunch:

Software Development in Sri Lanka

Robotic Automations

A crypto wallet maker's warning about an iMessage bug sounds like a false alarm | TechCrunch

A crypto wallet maker claimed this week that hackers may be targeting people with an iMessage “zero-day” exploit — but all signs point to an exaggerated threat, if not a downright scam.

Trust Wallet’s official X (previously Twitter) account wrote that “we have credible intel regarding a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any link. High-value targets are likely. Each use raises detection risk.”

The wallet maker recommended iPhone users to turn off iMessage completely “until Apple patches this,” even though no evidence shows that “this” exists at all.

The tweet went viral, and has been viewed over 3.6 million times as of our publication. Because of the attention the post received, Trust Wallet hours later wrote a follow-up post. The wallet maker doubled down on its decision to go public, saying that it “actively communicates any potential threats and risks to the community.”

Trust Wallet, which is owned by crypto exchange Binance, did not respond to TechCrunch’s request for comment. Apple spokesperson Scott Radcliffe declined to comment when reached Tuesday.

As it turns out, according to Trust Wallet’s CEO Eowyn Chen, the “intel” is an advertisement on a dark web site called CodeBreach Lab, where someone is offering said alleged exploit for $2 million in bitcoin cryptocurrency. The advert titled “iMessage Exploit” claims the vulnerability is a remote code execution (or RCE) exploit that requires no interaction from the target — commonly known as “zero-click” exploit — and works on the latest version of iOS. Some bugs are called zero-days because the vendor has no time, or zero days, to fix the vulnerability. In this case, there is no evidence of an exploit to begin with.

A screenshot of the dark web ad claiming to sell an alleged iMessage exploit. Image Credits: TechCrunch

RCEs are some of the most powerful exploits because they allow hackers to remotely take control of their target devices over the internet. An exploit like an RCE coupled with a zero-click capability is incredibly valuable because those attacks can be conducted invisibly without the device owner knowing. In fact, a company that acquires and resells zero-days is currently offering between $3 to $5 million for that kind of zero-click zero-day, which is also a sign of how hard it is to find and develop these types of exploits.

Contact Us

Do you have any information about actual zero-days? Or about spyware providers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

Given the circumstances of how and where this zero-day is being sold, it’s very likely that it is all just a scam, and that Trust Wallet fell for it, spreading what people in the cybersecurity industry would call FUD, or “fear uncertainty and doubt.”

Zero-days do exist, and have been used by government hacking units for years. But in reality, you probably don’t need to turn off iMessage unless you are a high-risk user, such as a journalist or dissident under an oppressive government, for example.

It’s better advice to suggest people turn on Lockdown Mode, a special mode that disables certain Apple device features and functionalities with the goal of reducing the avenues hackers can use to attack iPhones and Macs.

According to Apple, there is no evidence anyone has successfully hacked someone’s Apple device while using Lockdown Mode. Several cybersecurity experts like Runa Sandvik and the researchers who work at Citizen Lab, who have investigated dozens of cases of iPhone hacks, recommend using Lockdown Mode.

For its part, CodeBreach Lab appears to be a new website with no track record. When we checked, a search on Google returned only seven results, one of which is a post on a well-known hacking forum asking if anyone had previously heard of CodeBreach Lab.

On its homepage — with typos — CodeBreach Lab claims to offer several types of exploits other than for iMessage, but provides no further evidence.

The owners describe CodeBreach Lab as “the nexus of cyber disruption.” But it would probably be more fitting to call it the nexus of braggadocio and naivety.

TechCrunch could not reach CodeBreach Lab for comment because there is no way to contact the alleged company. When we attempted to buy the alleged exploit — because why not — the website asked for the buyer’s name, email address, and then to send $2 million in bitcoin to a specific wallet address on the public blockchain. When we checked, nobody has so far.

In other words, if someone wants this alleged zero-day, they have to send $2 million to a wallet that, at this point, there is no way to know who it belongs to, nor — again — any way to contact.

And there is a very good chance that it will remain that way.

Software Development in Sri Lanka