Weekly Security News – 29th April 2024

Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

Palo Alto Networks Shares Remediation Advice for Hacked Firewalls

Palo Alto release advice on firewalls that are vulnerable to a critical zero-day exploit (CVE-2024-3400) that potentially grants attackers full control. This vulnerability, suspected to be used by a state-sponsored group, was leveraged in limited attacks since April 12th, 2024. Palo Alto has released patches for all affected versions of PAN-OS, the operating system for their firewalls. Remediation steps depend on the severity of the attack. All users should update PAN-OS. In cases of attempted exploitation or potential data exfiltration, a private data reset is recommended. For the worst-case scenario of interactive command execution, a factory reset is necessary (be aware this destroys forensic data). The number of vulnerable internet-exposed devices is decreasing, but immediate action is crucial to secure your Palo Alto firewalls.

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

A new cyberespionage campaign dubbed “ArcaneDoor” by Cisco Talos targeted Cisco network devices. This sophisticated attack, believed to be carried out by a state-sponsored actor (UAT4356), exploited two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to gain access to target systems. The attackers deployed custom malware (Line Dancer and Line Runner) to steal data, manipulate configurations, and move laterally within the network.

Cisco has released patches for these vulnerabilities, and critical infrastructure is advised to apply them immediately. This incident highlights the growing focus of cyberattacks on network perimeter devices, traditionally lacking advanced security solutions. Organizations should prioritize keeping these devices updated, properly configured, and closely monitored to minimize the risk of such intrusions.

Cyber Attacks

MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days

A foreign state-sponsored hacker infiltrated a research network (NERVE) operated by MITRE in early January. The attacker exploited two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti VPN devices to gain initial access. They then bypassed multi-factor authentication and moved laterally within the network, potentially aiming to steal data or disrupt operations. MITRE took NERVE offline upon discovering the breach and is investigating further. While there’s no evidence of impact on core MITRE systems or partners, this incident highlights the dangers of zero-day vulnerabilities and the need for robust security measures, especially for critical infrastructure. The vulnerabilities were also exploited to target CISA, potentially affecting thousands.


Five Eyes Agencies Release New AI Security Guidance

Governments from the US, UK, Canada, Australia, and New Zealand (Five Eyes) collaborated on a cybersecurity guide for deploying external AI systems securely. This guide is particularly useful for organizations working with high-risk AI environments.

The guidance outlines best practices across three key areas: securing the deployment environment, continuously protecting the AI system itself, and ensuring secure operation and maintenance. Securing the environment involves measures like strong governance, robust architecture, and network protection. Protecting the AI system entails validation, API security, behavior monitoring, and safeguarding model data. Finally, secure operation and maintenance require strict access controls, user training, regular testing, and disaster recovery plans.

The emphasis is on “secure by design” principles, where developers prioritize security throughout the AI system’s lifecycle. This is the first such guidance from the NSA’s newly launched Artificial Intelligence Security Center (AISC). The full document offers detailed recommendations for organizations deploying external AI systems.

New Android Trojan ‘SoumniBot’ Evades Detection with Clever Tricks

A new Android Trojan named SoumniBot targets South Korean users by exploiting weaknesses in how Android processes app manifests. This malware is particularly difficult to detect because it uses obfuscation techniques in the manifest file, which is typically used to analyze app behavior. SoumniBot uses three techniques:

  1. Using an invalid compression method to make unpacking difficult.
  2. Misrepresenting the manifest file size to bypass validation.
  3. Including long namespaces to overload analysis tools.

Once installed, SoumniBot steals a variety of data including contacts, messages, photos, and even looks for digital signing certificates used by Korean banks. This malware highlights the need for stricter validation in Android’s manifest parsing process to prevent such obfuscation techniques.

Scroll to Top