Over 2,000 Palo Alto Firewalls Hacked Exploiting Patched Zero-Day Vulnerabilities
Hackers Breach US Firm Using Wi-Fi in Novel ‘Nearest Neighbor Attack’
Meta Removes Over 2 Million Accounts Linked to Pig Butchering Scams
Google’s New Free Cybersecurity Certificate Prepares Students for Jobs in Just Six Months
This is Cyber Security Today. I’m your host, Jim Love
Over 2,000 Palo Alto Firewalls Hacked Exploiting Patched Zero-Day Vulnerabilities
Hackers have exploited two recently patched zero-day vulnerabilities to compromise over 2,000 Palo Alto Networks firewalls, according to reports from Shadowserver and Palo Alto Networks.
The first vulnerability, CVE-2024-0012, allows attackers to bypass authentication in the PAN-OS management web interface, granting administrative access. The second, CVE-2024-9474, is a privilege escalation flaw that enables attackers to execute commands with root privileges. Palo Alto Networks disclosed the potential for remote code execution (RCE) linked to these flaws earlier this month.
A coordinated attack chaining these vulnerabilities has been observed, with attackers dropping malware and running unauthorized commands on compromised devices. According to Palo Alto Networks, many of the attacks originated from IP addresses associated with anonymous VPN services. The company’s Unit 42 team believes with high confidence that a functional exploit chain is publicly available, potentially enabling further attacks.
Earlier this year, the company’s customers also had to patch another maximum severity and actively exploited PAN-OS firewall vulnerability (CVE-2024-3400) that impacted over 82,000 devices.
Palo Alto Networks advises customers to secure firewall management interfaces by restricting access to trusted internal IP addresses, aligning with its best practice deployment guidelines. “Risk of these issues are greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses,” the company said.
While Palo Alto Networks estimates a “very small number” of devices are affected, Shadowserver has tracked over 2,700 vulnerable firewalls, with approximately 2,000 confirmed as compromised. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch their firewalls by December 9.
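The mitigation Palo Alto Networks recommends above, restricting management-interface access to trusted internal addresses, shown as an added PAN-OS CLI example; this is not from the vendor's advisory or from the show, the 10.0.10.0/24 admin subnet and the 10.0.20.5 jump host are assumed placeholders, and the commands should be verified against the documentation for your PAN-OS version.

```text
# Weak state: no permitted-ip entries configured. The management web
# interface (and SSH) on the MGT port then answers any source that can
# reach it, which is exactly the exposure Shadowserver counted.
admin@PA-VM> configure

# Corrected: allow only the admin subnet and a jump host (assumed addresses),
# then commit. Anything else is dropped before it reaches the web interface.
admin@PA-VM# set deviceconfig system permitted-ip 10.0.10.0/24 description "admin subnet"
admin@PA-VM# set deviceconfig system permitted-ip 10.0.20.5/32 description "jump host"
admin@PA-VM# commit
```

Two caveats for a practitioner: the permitted-ip list governs the dedicated MGT port; if administrators reach the firewall through a dataplane interface with an Interface Management profile, that profile carries its own permitted-address list and needs the same treatment. And the restriction narrows who can reach the vulnerable interface but does not fix the bugs; an attacker already on the admin subnet (or on a compromised jump host) still faces an unpatched CVE-2024-0012 and CVE-2024-9474, so patching remains the actual fix.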
Hackers Breach US Firm Using Wi-Fi in Novel ‘Nearest Neighbor Attack’
Russian state-sponsored hackers, known as APT28 or Fancy Bear, pulled off a highly creative cyberattack, exploiting Wi-Fi networks from thousands of miles away. This new tactic, dubbed the “nearest neighbor attack,” combined cunning strategy with technical precision to breach a U.S. firm involved in Ukraine-related work.
Here’s how it unfolded: using password spraying, the attackers obtained valid credentials for the target company’s Wi-Fi network. But there was a catch. Multi-factor authentication (MFA) blocked them from using those credentials against the company’s internet-facing services, while the Wi-Fi network accepted a username and password alone.
And the hackers were thousands of miles away, so this could have been a dead end. Instead, the attackers got creative. They compromised a nearby organization within Wi-Fi range of their ultimate target and found a device there that had both a wired and a wireless interface. That dual-homed device became their bridge: the hackers controlled it over RDP and used it to connect to the target’s Wi-Fi with the sprayed credentials.
Once inside the target network, the hackers maintained a low profile by relying on native Windows tools. They were able to successfully exfiltrate data they were looking for, in this case information about projects related to Ukraine.
According to cybersecurity firm Volexity, which uncovered the breach, APT28 also exploited a Windows Print Spooler vulnerability (CVE-2022-38028) to escalate privileges and run their payloads.
The flaw itself had been patched in 2022; it was a Microsoft report in April 2024, describing APT28’s exploitation of it, that helped Volexity connect the dots to the Russian threat group.
What makes this attack remarkable is its ingenuity. By chaining together multiple compromises and leveraging devices within Wi-Fi range, the hackers circumvented MFA without physical proximity to the target.
This tactic not only highlights vulnerabilities in corporate Wi-Fi networks but also challenges assumptions about how far attackers will go to gain “close access.”
The lesson? Wi-Fi networks need the same level of protection as internet-facing systems. MFA, device restrictions, and continuous monitoring are essential to closing gaps that sophisticated attackers will inevitably exploit.
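The first step of the attack above, password spraying the Wi-Fi credentials, is also the step the monitoring called for in the lesson can catch. The following is an added Python example, not code from Volexity or from the show: it runs a spray detector over a constructed authentication log in a simplified key=value format (a real deployment would read RADIUS/NPS or wireless-controller logs), with the ten-minute window and the five-account threshold chosen as assumptions rather than taken from any source. It also reports the event that matters most, a successful login from a spraying source, which is what a working sprayed credential looks like in the logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data). One event per line in
# a simplified key=value form; a real source would be RADIUS/NPS or WLC logs.
# 203.0.113.7 sprays one guess across six accounts, then later logs in as alice;
# 198.51.100.9 hammers a single account (brute force, not a spray);
# 10.20.0.15 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2024-02-07T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-02-07T09:00:04Z src=203.0.113.7 user=bob result=FAIL
2024-02-07T09:00:07Z src=203.0.113.7 user=carol result=FAIL
2024-02-07T09:00:10Z src=203.0.113.7 user=dave result=FAIL
2024-02-07T09:00:13Z src=203.0.113.7 user=erin result=FAIL
2024-02-07T09:00:16Z src=203.0.113.7 user=frank result=FAIL
2024-02-07T09:02:30Z src=10.20.0.15 user=grace result=FAIL
2024-02-07T09:02:41Z src=10.20.0.15 user=grace result=OK
2024-02-07T09:03:00Z src=198.51.100.9 user=admin result=FAIL
2024-02-07T09:03:05Z src=198.51.100.9 user=admin result=FAIL
2024-02-07T09:03:10Z src=198.51.100.9 user=admin result=FAIL
2024-02-07T09:03:15Z src=198.51.100.9 user=admin result=FAIL
2024-02-07T09:03:20Z src=198.51.100.9 user=admin result=FAIL
2024-02-07T09:03:25Z src=198.51.100.9 user=admin result=FAIL
2024-02-07T09:05:12Z src=203.0.113.7 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Parse log text into (timestamp, source, user, result) tuples sorted by time.
    Lines that do not match the expected format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures within any `window` touch at least `min_users`
    distinct accounts with no more than `max_per_user` failures per account.
    Many accounts, few tries each is the spray signature; many tries against one
    account is a brute force and is deliberately not matched here.
    Thresholds are assumptions; tune them to the size of your user base."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    findings = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            distinct = len(per_user)
            if distinct >= min_users and max(per_user.values()) <= max_per_user:
                best = findings.get(src)
                if best is None or distinct > best["distinct_users"]:
                    findings[src] = {
                        "first_seen": fails[start][0],
                        "last_seen": fails[end][0],
                        "distinct_users": distinct,
                        "max_attempts_per_user": max(per_user.values()),
                    }
    return findings


def successes_after_spray(events, findings):
    """The event that matters most: a successful login from a spraying source
    after the spray began, i.e. a guessed credential that worked."""
    hits = []
    for ts, src, user, result in events:
        if result == "OK" and src in findings and ts >= findings[src]["first_seen"]:
            hits.append((src, user, ts))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    sprays = detect_password_spray(evts)
    for src, f in sprays.items():
        print(f"spray from {src}: {f['distinct_users']} accounts between "
              f"{f['first_seen'].isoformat()} and {f['last_seen'].isoformat()}")
    for src, user, ts in successes_after_spray(evts, sprays):
        print(f"ALERT: {src} authenticated as {user} at {ts.isoformat()} after spraying")
```

On the sample data only 203.0.113.7 is flagged (six accounts, one failure each), the single-account brute force is left for a separate lockout rule, and the later successful login as alice from the spraying source is raised as the alert. One limitation worth keeping in mind given the attack described above: the grouping is per source address, so an attacker who rotates sources (or, as here, arrives through a neighbour's network) dilutes the per-source count. A second pass that counts distinct accounts failed across all sources in the same window, and a rule that flags any first-time Wi-Fi authentication from an unfamiliar device, close that gap.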
Meta Removes Over 2 Million Accounts Linked to Pig Butchering Scams
On our weekend show, David Shipley pointed out that although a lot of our attention goes, deservedly, to things like ransomware and other compromises, fraud is still one of the biggest issues for individuals and companies.
As an indication of how big that problem is, Meta has removed more than 2 million accounts tied to pig butchering and other scams from its platforms this year, targeting operations that exploit vulnerable users with deceptive schemes. Many of these accounts originate from Southeast Asian countries, including Myanmar, Laos, Cambodia, and the Philippines, as well as the United Arab Emirates.
The scams often stem from criminal hubs that lure job seekers with fake job offers. Once recruited, individuals are coerced into working as online scammers, often under the threat of physical abuse. The term “pig butchering” refers to financial investment scams that involve prolonged deception, where victims are manipulated into depositing money into fraudulent platforms promising fake returns.
The FBI’s 2023 Internet Crime Report highlights the scale of the problem, noting a 38% rise in investment fraud losses, reaching $4.57 billion in 2023. These scams use tactics like “spray and pray,” where scammers send generic messages to large numbers of users in hopes of finding victims. Those who respond are drawn into a web of deceit involving fake investment platforms with falsified returns, making withdrawals nearly impossible.
Meta advises users to stay vigilant by enabling two-factor authentication, using selfie verification to recover hacked accounts, and treating unsolicited communications with caution. Avoid any scenario on social media that involves unsolicited money requests or offers promising unrealistic returns.
And while many of these attacks rob individuals and not companies, we need to remember that an employee in financial distress due to a fraud is an issue that affects us corporately as well. And of course, some of these frauds directly attack companies.
Google’s New Cybersecurity Certificate Prepares Students for Jobs in Just Six Months
And finally, for those who want to expand their skill sets but don’t have extra money, or who just want a risk-free way of seeing whether the field suits them, Google has introduced a FREE Cybersecurity Professional Certificate designed to prepare students for entry-level roles in the fast-growing cybersecurity field, with or without a college degree. Offered through Coursera, the program features eight courses that can be completed in six months.
The certificate program teaches key skills, including identifying and mitigating cyber risks, using Security Information and Event Management (SIEM) tools, and protecting networks and data. Students also gain hands-on experience with Python, Linux, and SQL. A new addition to the program includes six videos on applying artificial intelligence (AI) in cybersecurity, covering topics such as detecting vulnerabilities and prioritizing alerts.
Students can audit the course content for free; earning the certificate itself requires a Coursera subscription at $49 per month after a seven-day free trial.
At an estimated completion time of six months, the total cost is approximately $300. Upon earning the credential, graduates can add it to their LinkedIn profiles and resumes, and U.S.-based students gain access to a network of over 150 employers, including American Express, Walmart, and Google, committed to considering certificate holders for open positions.
According to Coursera, this certificate equips students for roles like cybersecurity analyst and security operations centre (SOC) analyst.
There’s a link in the show notes to the free course, to the Coursera program which charges a fee and a link to Open Culture where if you look, you can find a number of free courses on security, computing and AI.
That’s our show for today.
You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca
I’m your host, Jim Love, thanks for listening.