Critical Alert: Over 2,000 Palo Alto Devices Compromised in Active Exploitation Campaign
- SISA Weekly Threat Watch -
In the past week, critical security threats emerged across several platforms. Researchers disclosed “Bootkitty,” a proof-of-concept and the first known UEFI bootkit targeting Linux systems; it is signed with a self-signed certificate, so it can bypass UEFI Secure Boot only on machines where an attacker has already enrolled that certificate, after which it patches GRUB, disables kernel signature verification and loads unknown ELF binaries through the init process. A critical vulnerability (CVE-2024-11680) in the ProjectSend file-sharing application has been exploited since September 2024 to execute arbitrary PHP code and plant web shells. A critical remote code execution flaw (CVE-2023-28461) in Array Networks’ SSL VPN products lets unauthenticated attackers manipulate HTTP headers to run code or browse the filesystem. Two Palo Alto Networks firewall vulnerabilities (CVE-2024-0012 and CVE-2024-9474) are being chained in the wild to bypass authentication and execute commands as root; roughly 2,700 internet-exposed devices are affected, over 2,000 of them reported compromised, mostly in the U.S. and India. The Mysterious Elephant (APT-K-47) group has targeted Pakistan with Hajj-themed spear-phishing that delivers the Asyncshell malware, which now uses HTTPS command-and-control channels to evade detection. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Critical Alert: Over 2,000 Devices Compromised in Active Exploitation Campaign
Cybersecurity researchers have identified two critical zero-day vulnerabilities in the management web interface of Palo Alto Networks’ PAN-OS firewalls: an authentication bypass (CVE-2024-0012) and a privilege escalation flaw (CVE-2024-9474). Chained together, they let an unauthenticated attacker obtain administrator access and then execute commands as root, which has been used to deploy PHP-based web shells and other malware in an operation dubbed “Operation Lunar Peek.” Roughly 2,700 internet-exposed devices are affected, over 2,000 of them reported compromised, primarily in the U.S. and India. To mitigate these threats, apply security patches immediately, restrict the management interface to trusted internal IPs and never expose it to the internet, and isolate it on a dedicated management VLAN. Deploying IDS/IPS to monitor for unusual activity, enabling comprehensive logging, and updating incident response playbooks are also crucial. CISA has mandated that federal agencies patch by December 9, 2024, as the vulnerabilities are actively exploited, with attackers scanning and compromising devices from IP addresses associated with anonymizing VPN and proxy services. Regularly testing firewall response procedures can further strengthen security posture.
2. Spear-Phishing Alert: APT-K-47 Uses Hajj-Related Decoys to Spread Malware
The Mysterious Elephant (APT-K-47), a South Asia-based threat actor, has been targeting regions such as Pakistan with spear-phishing campaigns that use Hajj-themed lures. The attacks deliver malicious CHM files and exploit vulnerabilities such as CVE-2023-38831 (a WinRAR flaw) to drop payloads including Asyncshell and ORPCBackdoor. The group has evolved its tradecraft, shifting command-and-control (C2) communications from plain TCP to HTTPS and disguising C2 traffic as ordinary service requests for better evasion. To mitigate these threats, educate users on spear-phishing techniques, particularly Hajj-related lures. Deploy advanced email filtering and block known C2 communications. Patch vulnerabilities such as CVE-2023-38831 promptly and keep endpoint security up to date. Monitor for unusual activity involving CHM files or PowerShell commands, and share threat intelligence to bolster defenses. A strong defense-in-depth strategy increases resilience against similar sophisticated attacks.
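The monitoring advice above (CHM files and PowerShell activity) can be turned into a concrete hunt. The following is an added example, not SISA's tooling or anything attributed to APT-K-47: it runs a few detection rules over Sysmon-style process-creation records (Image, ParentImage, CommandLine). The rules rely on the facts that hh.exe is the Windows HTML Help viewer for CHM files and that WinRAR extracts to temp folders named Rar$…; the sample events are constructed, and the field names are an assumption about your log source.

```python
"""Hunt for CHM- and PowerShell-driven execution in process-creation logs.

Added example; not SISA's tooling nor APT-K-47's. Assumes Sysmon-style
process-creation records (Image, ParentImage, CommandLine). The sample
events at the bottom are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Interpreters that hh.exe (the Windows CHM viewer) or WinRAR should never spawn.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
}
# Directories where a phished attachment or an archive extracted by WinRAR
# (its temp folders start with "Rar$") typically lands.
STAGING_DIRS = ("\\downloads\\", "\\temp\\", "\\rar$")
# -EncodedCommand in any accepted abbreviation, followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression"
)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons this process-creation event looks suspicious."""
    reasons: List[str] = []
    image = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()

    # A CHM lure opened from a download/temp path rather than installed help.
    if image == "hh.exe" and ".chm" in cmd_l and any(d in cmd_l for d in STAGING_DIRS):
        reasons.append("CHM opened from staging directory")
    # The CHM viewer handing off to a script host is the classic CHM-dropper step.
    if parent == "hh.exe" and image in SCRIPT_HOSTS:
        reasons.append("hh.exe spawned script host")
    # WinRAR running a script out of its temp extraction folder matches the
    # CVE-2023-38831 exploitation pattern.
    if parent == "winrar.exe" and image in SCRIPT_HOSTS and "\\rar$" in cmd_l:
        reasons.append("WinRAR launched script host from Rar$ temp dir")
    if image in ("powershell.exe", "pwsh.exe"):
        if ENCODED_PS.search(cmd):
            reasons.append("encoded PowerShell command")
        if DOWNLOAD_CRADLE.search(cmd):
            reasons.append("PowerShell download cradle")
        if "-w hidden" in cmd_l or "windowstyle hidden" in cmd_l:
            reasons.append("hidden PowerShell window")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run classify() over a log and keep only the events that raised reasons."""
    hits = []
    for i, ev in enumerate(events):
        r = classify(ev)
        if r:
            hits.append((i, r))
    return hits


# Constructed sample log (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Program Files\App\help.chm'},
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\a\Downloads\Hajj_Guide_2024.chm'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": "powershell.exe -w hidden -ec SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\a\AppData\Local\Temp\Rar$DIa0.123\invite.pdf .cmd"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users\\a\\Documents"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], "->", "; ".join(reasons))
```

Running the block flags events 1 to 3 (the CHM from Downloads, the hidden encoded PowerShell spawned by hh.exe, and cmd.exe launched by WinRAR from a Rar$ folder) while the installed help file and the ordinary interactive PowerShell session pass. Tune STAGING_DIRS and the allowlist of parents to your estate before deploying the rules.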
3. Active Exploitation Alert: CISA Urges Immediate Patching of Array Networks SSL VPNs
A critical remote code execution vulnerability (CVE-2023-28461) in Array Networks’ SSL VPN products (AG and vxAG running ArrayOS 9.x) is being actively exploited: attackers manipulate HTTP headers to execute code or browse the filesystem without authentication. Although patches were released in March 2023, many organizations still run older versions, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog with a remediation deadline of December 16, 2024. To mitigate the risk, update to ArrayOS 9.4.0.484 or later, or apply the vendor's CLI mitigation commands if updating is not immediately feasible; test those commands in a controlled environment first to evaluate potential disruption. Organizations should plan a transition to ArrayOS 10.x for improved security, maintain robust logging, educate staff on recognizing signs of compromise, and ensure timely security updates. Regular backups and an effective incident response plan remain crucial to limit the impact if exploitation occurs.
4. Bootkitty Unveiled as the First UEFI Bootkit Targeting Linux
Cybersecurity researchers have discovered a proof-of-concept (PoC) UEFI bootkit, named Bootkitty, that targets Linux systems. Unlike the UEFI bootkits seen so far, which target Windows, Bootkitty disables Linux kernel signature verification and preloads unknown ELF binaries via the init process, patching GRUB bootloader functions along the way. It is signed with a self-signed certificate, so it can only bypass UEFI Secure Boot on machines where an attacker has already enrolled their own certificate in the firmware's trusted database. A related unsigned kernel module, BCDropper, provides rootkit-like capabilities such as hiding files and processes and opening network ports. Although the code carries the name “BlackCat,” no connection to the ALPHV/BlackCat ransomware group has been established.
To mitigate Bootkitty, keep UEFI Secure Boot enabled and audit the certificates enrolled in the firmware's trusted database, since Secure Boot only helps while the attacker's own certificate is not trusted. Monitor for unauthorized or unsigned kernel modules and unexpected ELF binaries preloaded at boot, apply file integrity checks to critical boot components (the EFI system partition, GRUB and the kernel image), and keep endpoint protection up to date. Regular review of the boot chain and loaded modules, together with educating administrators about the risks of enrolling untrusted certificates, is also critical.
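One practical way to act on "monitor for unauthorized kernel modules" is to read the kernel's own tamper evidence. The script below is an added example, not part of the ESET research or this advisory: it parses the /proc/modules format and the /proc/sys/kernel/tainted bitmask (both documented in the kernel's tainted-kernels.rst, where bit 12 'O' is out-of-tree and bit 13 'E' is unsigned), flags modules carrying those taint letters, and compares the module list against /sys/module to catch a module that unlinked itself from the list the way a rootkit such as BCDropper would. The sample data is constructed, and the use of a /sys/module/<name>/initstate file to distinguish loadable modules from built-ins is an assumption the code states.

```python
"""Spot out-of-tree/unsigned kernel modules and modules hidden from lsmod.

Added example; not part of the ESET Bootkitty write-up or SISA's advisory.
Parses the /proc/modules format and the /proc/sys/kernel/tainted bitmask.
SAMPLE_* data is constructed; the "initstate" heuristic is an assumption.
"""
from pathlib import Path
from typing import Dict, Iterable, List

# Taint bits relevant to module tampering (kernel documentation numbering).
TAINT_BITS = {
    0: "P: proprietary module loaded",
    1: "F: module force-loaded",
    3: "R: module force-unloaded",
    12: "O: out-of-tree module loaded",
    13: "E: unsigned module loaded",
    15: "K: kernel live-patched",
}
# Per-module taint letters an unauthorised module such as BCDropper
# (unsigned, built out of tree) carries when signature enforcement is off.
SUSPICIOUS_FLAGS = {"O", "E", "F"}


def decode_taint(mask: int) -> List[str]:
    """Expand the /proc/sys/kernel/tainted integer into readable reasons."""
    return [desc for bit, desc in TAINT_BITS.items() if (mask >> bit) & 1]


def parse_proc_modules(text: str) -> List[Dict[str, object]]:
    """Parse /proc/modules lines: name size refcount deps state address [(taint)]."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        taint = ""
        if len(parts) >= 7 and parts[6].startswith("("):
            taint = parts[6].strip("()")
        mods.append({"name": parts[0], "size": int(parts[1]),
                     "state": parts[4], "taint": taint})
    return mods


def flag_modules(mods: List[Dict[str, object]], allowlist: Iterable[str] = ()) -> List[str]:
    """Names of modules whose taint letters mark them out-of-tree, unsigned or forced."""
    allowed = set(allowlist)
    return [str(m["name"]) for m in mods
            if set(str(m["taint"])) & SUSPICIOUS_FLAGS and m["name"] not in allowed]


def hidden_modules(proc_names: Iterable[str], sysfs_loadable: Iterable[str]) -> List[str]:
    """Loadable modules present under /sys/module but absent from /proc/modules.

    A rootkit that unlinks itself from the kernel's module list to dodge lsmod
    usually leaves its sysfs directory behind. Assumption: loadable modules
    (as opposed to built-ins) have a /sys/module/<name>/initstate file.
    """
    return sorted(set(sysfs_loadable) - set(proc_names))


# Constructed sample: a clean in-tree module, a vendor out-of-tree module,
# an unsigned out-of-tree module resembling BCDropper, and one that hides.
SAMPLE_PROC_MODULES = """\
xfs 1941504 2 - Live 0xffffffffc05b0000
nvidia 62390272 12 nvidia_modeset, Live 0xffffffffc0a00000 (POE)
bcdropper 16384 0 - Live 0xffffffffc0400000 (OE)
"""
SAMPLE_SYSFS_LOADABLE = ["xfs", "nvidia", "bcdropper", "evil_hidden"]
SAMPLE_TAINT_MASK = 4096 | 8192 | 1  # O + E + P


def live_sysfs_loadable() -> List[str]:
    """Read the real sysfs using the initstate heuristic described above."""
    root = Path("/sys/module")
    if not root.is_dir():
        return []
    return [p.name for p in root.iterdir() if (p / "initstate").is_file()]


if __name__ == "__main__":
    try:
        text = Path("/proc/modules").read_text()
        mask = int(Path("/proc/sys/kernel/tainted").read_text())
        sysfs = live_sysfs_loadable()
    except OSError:  # not on Linux: fall back to the constructed sample
        text, mask, sysfs = SAMPLE_PROC_MODULES, SAMPLE_TAINT_MASK, SAMPLE_SYSFS_LOADABLE
    mods = parse_proc_modules(text)
    print("taint:", decode_taint(mask) or ["clean"])
    print("suspicious modules:", flag_modules(mods, allowlist={"nvidia"}))
    print("hidden from /proc/modules:", hidden_modules((str(m["name"]) for m in mods), sysfs))
```

On a real host, feed the allowlist from your approved out-of-tree drivers and treat any 'E' module or any name reported by hidden_modules() as an incident lead. A clean baseline of the taint mask taken right after provisioning makes later drift obvious.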
5. CVE-2024-11680: Critical Vulnerability in ProjectSend Under Active Exploitation
A critical vulnerability (CVE-2024-11680, CVSS: 9.8) in the ProjectSend file-sharing application allows attackers to execute arbitrary PHP code on unpatched servers. The flaw, caused by improper authorization checks, lets attackers modify the application's configuration and deploy web shells, with active exploitation observed since September 2024. Although the fix shipped in r1720 (August 2024) and is carried in the later r1750 release, analysis shows that only about 1% of the roughly 4,000 internet-exposed ProjectSend servers run a patched version.
To mitigate this threat, update to the latest patched version (r1750) immediately and investigate for signs of compromise, such as web shells or any PHP file in the upload/files/ directory and unexpected changes to application settings. Restrict access to trusted IPs or place the application behind a VPN, and enable logging to detect unauthorized activity. Hardening the server and conducting regular audits further reduce exposure. Immediate action is crucial to prevent data theft, server compromise, and follow-on attacks.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.