Critical Palo Alto Networks Vulnerability

Plus CHC is getting extorted...again.

My wife and I took off last week for some much-needed travel. One of my stops was in Edinburgh, where I had a chance to say hi to my buddy and OSINT expert, Gary Ruddell. If you don’t know him, you should.

Check out his OSINT videos on YouTube or his website, where you can pick up his awesome book on Threat Intel. Should we do an OSINT challenge and see who can find out where we grabbed dinner in Edinburgh based on the picture below?

Much to my dismay, cyber threat actors did not take last week off. So today, we’re talking about:

  • Change Healthcare has another extortion demand for stolen data.

  • Another major VPN vulnerability.

  • And, of course, the most notable cyber news of the week.

-Jason

Spotlight
Why Extort Once When You Can Do It Twice?

One month ago, I wrote a post detailing ALPHV/BlackCat’s exit scam after the Change Healthcare (“CHC”) ransomware attack. As a quick recap, it’s speculated that CHC paid a $22M ransom to prevent the release of stolen data and presumably receive a decryption key. After receiving the payment, ALPHV pulled an exit scam, taking the full $22M and not paying the affiliate, the group that did the heavy lifting of stealing data and encrypting CHC.

In that post, I also said, “To complicate matters further, the affiliate who was never paid still has a copy of the 4TB of stolen data.” It doesn’t take a cybersecurity expert to see that a scorned affiliate holding a copy of the stolen data and $0 of a $22M ransom payment probably won’t end well…

Fast-forward to April 8th, and the RansomHub group posted on its leak site (see below) that it had CHC’s stolen data. The group opted for a classic extortion play, though the ransom demand is unknown. If CHC doesn’t pay…again…RansomHub has threatened to sell the data to the highest bidder. How fun.

And before we start throwing out the ALPHV rebrand conspiracies, vx-underground reported that they spoke with the RansomHub group, who dispelled any rumors of being an ALPHV rebrand. Not that the name of the group matters that much.

Deep Dive
Another Major Vulnerability

I step away for one week and return to another critical vulnerability in a network device. This time, it’s Palo Alto Networks’ turn. On April 10, 2024, the security firm Volexity detected suspicious network traffic coming from one of its customers’ firewalls. That’s never a good thing. The next day, it found identical activity at another customer. That takes something that is never a good thing and makes it a really bad thing.

Volexity tag-teamed with Palo Alto Networks’ Product Security Incident Response Team (PSIRT) to investigate the root cause. It turned out to be a zero-day vulnerability (CVE-2024-3400) in the GlobalProtect feature of PAN-OS, the operating system that runs the firewall and VPN. The zero-day allowed an unauthenticated attacker to execute arbitrary commands on the device as the root user. Yikes.

As the investigation continued, Volexity discovered that exploitation attempts in its customer environments went back to at least March 26, 2024. The activity was consistent with the attacker testing the vulnerability until, on April 10, they successfully executed the exploit and downloaded a payload to the device. The payload is where things get extra fun…

The payload was a Python-based backdoor that used some cool techniques to operate. Here’s a glimpse:

  1. The attacker requests a non-existent web page whose path contains a specific pattern and a command to execute on the device. Because the page doesn’t exist, the web server writes an error that includes the full request path to its error log.

  2. The backdoor parses the error log looking for that pattern, extracts the command, and executes it on the device.

  3. The output of the command is appended to a legitimate CSS file served by the device, which the attacker can fetch from the internet like any other user to read the output.

  4. To evade detection and hamper forensics, the backdoor then removes the error-log entry and, after fifteen seconds, restores the CSS file to its original state. Net effect: the command never sticks around in the device logs, and the output is only visible for a fifteen-second window.
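As an added illustration of the log-polling mechanism above (example code written for this newsletter, not the backdoor itself and not tooling from Volexity or Palo Alto Networks), here is a small Python scanner that hunts for the same pattern from the defender’s side: it reads web-server error-log lines for 404s whose request path carries a base64 blob that decodes to a shell-looking command, and it checks a stylesheet for content appended after the last CSS rule. The nginx-style log format, the /var/www/html docroot, the /global-protect/portal/images/ beacon path, the sample log lines and the sample CSS are all constructed assumptions; the real marker pattern is not reproduced, so the scan decodes any long base64-looking run instead.

```python
"""Hunt for the log-polling beacon pattern in web-server error logs.
Added example: not the backdoor, not Volexity or Palo Alto Networks tooling.
Assumed (not on the page): nginx-style error lines, docroot /var/www/html,
and a beacon that hides a base64 command in the path of a 404'd request."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

REQUEST_RE = re.compile(r'request: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')
CLIENT_RE = re.compile(r"client: (?P<client>[^,]+),")
# Maximal runs of base64 characters (standard or URL-safe alphabet) in a path.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
# Decoded text must contain one of these to be reported as a command.
SHELL_HINTS = ("uname", "whoami", "/etc/", "/bin/", "/tmp/", "curl ", "wget ",
               "python", "sh ", ";", "|", "&&")


@dataclass
class Finding:
    line_no: int
    client: str
    path: str
    command: str


def _decode_command(token: str) -> str | None:
    """Decoded text if token is base64 for printable, shell-looking text."""
    std = token.translate(str.maketrans("-_", "+/"))
    try:
        text = base64.b64decode(std + "=" * (-len(std) % 4), validate=True).decode("utf-8")
    except ValueError:  # bad alphabet/padding, or not UTF-8
        return None
    if not text or not all(c.isprintable() or c in "\n\t" for c in text):
        return None
    return text if any(h in text for h in SHELL_HINTS) else None


def _candidates(path: str):
    """Base64-looking substrings of a path, shortest first, so a bare blob is
    tried before the path segments that the regex joined in front of it."""
    for run in B64_RUN_RE.finditer(path):
        s = run.group()
        starts = [0] + [i + 1 for i, c in enumerate(s) if c == "/"]
        for start in reversed(starts):
            if len(s) - start >= 16:
                yield s[start:]


def scan_error_log(log_text: str) -> list[Finding]:
    """Flag 404 requests whose path decodes to a shell-looking command."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if "No such file or directory" not in line:
            continue  # the beacon always asks for a page that does not exist
        req = REQUEST_RE.search(line)
        if not req:
            continue
        client = CLIENT_RE.search(line)
        for cand in _candidates(req.group("path")):
            command = _decode_command(cand)
            if command:
                findings.append(Finding(line_no, client.group("client") if client else "?",
                                        req.group("path"), command))
                break
    return findings


def appended_tail(css_text: str) -> str:
    """Anything after the last CSS rule that is not a comment. Heuristic only:
    the reliable check is a hash compare against a known-good copy of the file."""
    tail = css_text[css_text.rfind("}") + 1:].strip()
    while tail.startswith("/*") and "*/" in tail:
        tail = tail[tail.index("*/") + 2:].strip()
    return tail


# --- constructed sample data (assumed beacon scheme and log format) ---------
def beacon_path(command: str) -> str:
    return "/global-protect/portal/images/" + base64.b64encode(command.encode()).decode()


def _not_found(ts: str, client: str, path: str) -> str:
    return (f'{ts} [error] 1234#0: *7 open() "/var/www/html{path}" failed '
            f'(2: No such file or directory), client: {client}, server: _, '
            f'request: "GET {path} HTTP/1.1"')


SAMPLE_ERROR_LOG = "\n".join([
    _not_found("2024/04/10 09:14:55", "203.0.113.10", "/global-protect/portal/favicon.ico"),
    _not_found("2024/04/10 09:15:01", "198.51.100.7", beacon_path("cat /etc/passwd")),
    _not_found("2024/04/10 09:15:02", "203.0.113.11",  # base64, but not a command
               "/global-protect/portal/images/" + base64.b64encode(b"hello world logo").decode()),
    _not_found("2024/04/10 09:15:09", "198.51.100.7", beacon_path("id; uname -a")),
    '2024/04/10 09:15:12 [error] 1234#0: *8 upstream timed out (110: Connection timed out) '
    'while reading response header from upstream, client: 203.0.113.12, server: _, '
    'request: "GET /global-protect/login.esp HTTP/1.1"',
])
CLEAN_CSS = "body{margin:0}.btn{color:#fff}\n/*# sourceMappingURL=bootstrap.min.css.map */\n"

if __name__ == "__main__":
    for f in scan_error_log(SAMPLE_ERROR_LOG):
        print(f"line {f.line_no}: {f.client} ran {f.command!r} via {f.path}")
    print("appended to CSS:", repr(appended_tail(CLEAN_CSS + "uid=0(root) gid=0(root)\n")))
```

Because the backdoor deletes its own log entry, run this against copies of the logs that left the device before it could scrub them (forwarded syslog, a SIEM, or a tap or proxy in front of the firewall), not the on-device file. Likewise, the CSS check is a point-in-time heuristic with a fifteen-second window; the durable check is a hash comparison of the served file against a known-good copy.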

The initial foothold with that backdoor gave the attackers a platform to dig deeper into the victims’ internal environments. Observed activities included:

  • Installing a reverse shell that let the attacker execute commands directly on the device.

  • Installing tunneling malware that let the attacker use the firewall as a gateway into the internal network.

  • Stealing browser cookies and saved passwords from workstations (tactics straight out of the infostealer playbook).

  • Going after every Windows user’s password by copying the NTDS.DIT file from Active Directory domain controllers. That file stores the password hashes for every account in the domain…so, yeah, bad.

The impact of this vulnerability has been limited in scope so far, but that won’t last long. Volexity rightly notes in its blog post that it expects the group to blitz-scale its attacks to gain as much access as possible before devices are patched. If a PoC exploit goes public, expect other groups to pile on.

By the time this reaches your eyes, hotfixes should be released and available; patch immediately. Palo Alto Networks’ initial guidance was that organizations could temporarily disable device telemetry to mitigate the attack, but the company has since revised that advice: disabling telemetry is not an effective mitigation, so patching (and checking the device for the signs of compromise described above) is the only real fix.

Cyber News
What Else is Happening?

🔑 LastPass raised awareness of targeted audio deepfakes that attackers used in a social engineering attempt against one of its employees. The deepfakes impersonated LastPass’s CEO and were delivered alongside messages and calls on WhatsApp. Thankfully, the employee ignored the messages and reported them to LastPass’s internal security team.

🛒 The cost of iPhone and Android zero-days is outpacing the cost of groceries in the US. In 2019, zero-days in Android and iOS topped out around $3M. In 2024, iPhone zero-days are fetching $5M to $7M, with Android zero-days going for up to $5M.

🕵️ Even top Israeli spy chiefs make mistakes. The name of the individual leading Israel’s Unit 8200, a supposedly closely held secret, was leaked…by himself. It happened after he released an e-book on Amazon using a standalone email address (not his personal one) that was nonetheless attributable to him. Oops.

😞 Sometimes smart people do dumb things. Like an ex-Amazon employee who specialized in smart contracts and used that expertise to steal millions from two crypto exchanges. Instead of accepting a bug bounty award, he demanded more money. Some may call that extortion. It didn’t end well: law enforcement caught him, and this week the Department of Justice announced he’d been sentenced to three years in prison.

🚗 The FBI warned that scammers are running a new text-message scam built around unpaid tolls. Be on the lookout for any suspicious text messages claiming you owe money…unless it’s for the dinner money you owe your friend. In that case, don’t be a jerk.

☠️ Business intelligence and data analytics platform Sisense notified customers that “certain Sisense company information may have been publicly accessible.” It was severe enough for CISA to issue its own warning, prompting people to reset any credentials and secrets that may have been shared with Sisense.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week!
