PAN-OS Critical Flaw Allows DDoS Attack Execution
- SISA Weekly Threat Watch -
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the discovery and patching of a critical vulnerability in Palo Alto’s PAN-OS software (CVE-2024-3393), which enabled DDoS attacks; APT41 exploiting PHP frameworks with their new ‘Glutton’ backdoor; the Apache Software Foundation (ASF) addressing a critical SQL injection vulnerability (CVE-2024-45387) in Apache Traffic Control that allowed arbitrary SQL command execution; the use of legitimate tools like Microsoft Teams and AnyDesk to propagate DarkGate malware; and the addition of CVE-2024-12356 in BeyondTrust Software to CISA’s KEV list. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. CVE-2024-3393: Palo Alto Urges Immediate Update to Fix DoS Flaw
Palo Alto Networks has highlighted a high-severity vulnerability (CVE-2024-3393) in its PAN-OS software, which could lead to Denial-of-Service (DoS) attacks. The flaw allows unauthenticated attackers to exploit the DNS Security feature by sending malicious DNS packets, causing firewalls to repeatedly reboot and potentially enter maintenance mode, severely disrupting operations. Firewalls with DNS Security logging enabled are particularly at risk.
To mitigate the issue, Palo Alto Networks has released fixes for various PAN-OS versions, except for PAN-OS 11.0, which has reached end-of-life. For those unable to upgrade immediately, disabling DNS Security logging is recommended as a temporary workaround. Users of Strata Cloud Manager or Prisma Access are advised to seek support for disabling DNS logging.
To ensure security, Palo Alto Networks urges users to update to the latest software versions, monitor for signs of exploitation, and re-enable DNS Security logging post-upgrade to maintain visibility.
2. Winnti Hackers Exploit PHP Frameworks with Their New Glutton Backdoor
The Chinese state-sponsored hacking group Winnti (APT41) has developed a new modular PHP backdoor named Glutton, active since December 2023 and targeting organizations in China, the U.S., and even other cybercriminals. Known for cyberespionage and financial theft, Winnti uses Glutton against IT services, social security agencies, web app developers, and the systems of other cybercriminals. Glutton exploits popular PHP frameworks such as ThinkPHP, Yii, and Laravel and tools such as Baota, achieving persistence, in-memory execution, and extensive command functionality. It also uses trojanized software to infect cybercriminals’ systems, extracting sensitive data with tools such as HackBrowserData.
Despite its advanced capabilities, Glutton’s encryption and stealth weaknesses suggest it’s still evolving. Organizations should secure PHP frameworks, monitor for unauthorized file changes, restrict C2 communication, and proactively hunt for unusual PHP processes. Regular updates and multi-factor authentication (MFA) are critical to defend against this evolving threat.
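The recommendation above to monitor for unauthorized file changes can be turned into a simple baseline-and-diff check over a PHP deployment. The following is an added Python example written for this advisory, not SISA's code and not anything from the Glutton research; the directory layout, file names, the watched extensions and the "tampered" edits are all constructed assumptions.

```python
"""Baseline-and-diff file integrity check for a PHP application tree."""
import hashlib
import tempfile
from pathlib import Path

# File types that matter in a PHP framework deployment (assumption: adjust per site).
WATCHED_SUFFIXES = {".php", ".phtml", ".inc", ".htaccess"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large vendor files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file's path (relative to root) to its SHA-256."""
    baseline = {}
    for p in root.rglob("*"):
        # p.name covers dotfiles such as .htaccess, whose suffix is empty.
        if p.is_file() and (p.suffix in WATCHED_SUFFIXES or p.name in WATCHED_SUFFIXES):
            baseline[str(p.relative_to(root))] = sha256_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Report files added, removed or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: a small framework tree, then an edited file and a dropped new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor" / "framework").mkdir(parents=True)
        (root / "public").mkdir()
        (root / "vendor" / "framework" / "Bootstrap.php").write_text("<?php // framework code\n")
        (root / "public" / "index.php").write_text("<?php require 'bootstrap';\n")
        (root / "public" / "logo.png").write_bytes(b"\x89PNG")  # not a watched type
        before = build_baseline(root)

        # Simulated unauthorized changes (constructed, not real malware):
        (root / "vendor" / "framework" / "Bootstrap.php").write_text(
            "<?php // framework code\n// unexpected edit\n"
        )
        (root / "public" / "cache.php").write_text("<?php // unexpected new file\n")
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be taken right after a known-good deployment, stored off the web host, and compared on a schedule; any "added" or "modified" entry under a framework or vendor directory that does not coincide with a deployment is worth investigating.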
3. Critical Alert: Patch SQL Injection Vulnerability in Apache Traffic Control Now
The Apache Software Foundation (ASF) has patched a critical SQL injection vulnerability (CVE-2024-45387) in Apache Traffic Control, rated 9.9/10 on the CVSS scale. The flaw allows privileged users with specific roles (“admin,” “federation,” “operations,” “portal,” or “steering”) to execute arbitrary SQL commands via malicious PUT requests, potentially leading to data exfiltration, modification, or full database compromise.
The vulnerability, present in versions 8.0.0 through 8.0.1, stems from inadequate input sanitization and requires valid credentials for exploitation, limiting the attack surface to internal or compromised accounts. ASF urges users to upgrade to version 8.0.2 immediately.
To mitigate risks, organizations should restrict access to privileged roles, enable logging for suspicious PUT requests, deploy web application firewalls (WAFs), and implement multi-factor authentication (MFA). Regular software updates, security training, and vulnerability assessments are recommended to enhance overall security posture.
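The root cause described above, a caller-supplied value pasted into SQL text, is easiest to see beside its fix. This is an added Python example against an in-memory SQLite table, not Apache Traffic Control's code; the table, the role names and the sample rows are constructed, and the crafted input is the kind of value a WAF rule or code review should catch.

```python
"""String-built SQL beside its parameterized fix, run against an in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operations"), ("carol", "portal")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: the request value is pasted into the statement text,
    # so a quote character in it changes the query's structure.
    query = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: the value is bound as a parameter and is only ever data.
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> tuple:
    """Row counts returned by the unsafe and the safe lookup for the same input."""
    conn = make_db()
    try:
        return len(lookup_unsafe(conn, username)), len(lookup_safe(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))              # both paths return the one matching row
    print(compare("nobody' OR '1'='1"))  # unsafe path returns every row; safe path returns none
```

The same principle applies to any database driver: build the statement once with placeholders and pass user-controlled values separately, so that a value from a PUT body can never alter the statement's structure regardless of the caller's role.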
4. DarkGate Malware Spread via Microsoft Teams and Remote Access Manipulation
A new social engineering campaign has been uncovered, leveraging Microsoft Teams to deploy DarkGate malware. Attackers impersonated a client to deceive victims into granting remote access. The campaign combined phishing emails with Teams interactions, convincing targets to install AnyDesk, a legitimate remote access tool, to deploy DarkGate malware and other payloads like credential stealers. Although the attack was blocked before data exfiltration, it highlights cybercriminals’ evolving use of trusted platforms for malware propagation.
DarkGate, active since 2018 and now offered as Malware-as-a-Service (MaaS), enables credential theft, keylogging, screen capture, and more. Attackers used AutoIt scripts for execution, dropping suspicious files, creating persistent registry entries, and connecting to command-and-control (C2) servers.
Recommendations to mitigate this threat include enforcing multi-factor authentication (MFA), restricting unauthorized remote tools, enhancing email and collaboration platform security, deploying advanced endpoint protection, and vetting third-party suppliers. Employee awareness remains key to thwarting such sophisticated attacks.
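The chain described above (a remote-access tool installed at the victim's hand, an AutoIt script run, a persistent registry entry) is a natural target for endpoint telemetry correlation. The following is an added Python example written for this advisory, not SISA's code; the Sysmon-like event shape, host names, paths and the Run-key value name are constructed placeholders, not indicators from any report, and the binary lists are assumptions to adapt to local policy.

```python
"""Correlate constructed endpoint telemetry into an alert for a remote-tool -> script-host -> Run-key chain."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed events (assumption: field names in a real EDR/SIEM will differ).
EVENTS = [
    {"ts": "2024-12-20T10:02:11", "host": "WS-017", "type": "process",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"},
    {"ts": "2024-12-20T10:07:40", "host": "WS-017", "type": "process",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoIt3.exe"},
    {"ts": "2024-12-20T10:07:52", "host": "WS-017", "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoIt3.exe"},
    {"ts": "2024-12-20T11:30:00", "host": "WS-042", "type": "process",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},  # remote tool alone: no alert
]

REMOTE_TOOLS = {"anydesk.exe"}   # remote-access binaries not approved for end users (assumption)
SCRIPT_HOSTS = {"autoit3.exe"}   # script interpreters rarely legitimate on workstations (assumption)
RUN_KEY_MARKER = "\\currentversion\\run\\"
STAGES = ["remote_tool", "script_host", "persistence"]


def classify(event: dict) -> Optional[str]:
    """Map one raw event to a chain stage, or None if it is not of interest."""
    if event["type"] == "process":
        name = event["image"].rsplit("\\", 1)[-1].lower()
        if name in REMOTE_TOOLS:
            return "remote_tool"
        if name in SCRIPT_HOSTS:
            return "script_host"
    elif event["type"] == "registry" and RUN_KEY_MARKER in event["key"].lower():
        return "persistence"
    return None


def correlate(events: list, window_minutes: int = 30) -> list:
    """One alert per host on which the three stages appear in order within the window."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        stage = classify(e)
        if stage:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))

    alerts = []
    for host, staged in by_host.items():
        for i, (t0, s0) in enumerate(staged):
            if s0 != STAGES[0]:
                continue
            want = 1  # index of the next stage we expect to see
            for t, s in staged[i + 1:]:
                if t - t0 > window:
                    break
                if s == STAGES[want]:
                    want += 1
                if want == len(STAGES):
                    alerts.append({"host": host, "first_seen": t0.isoformat(), "last_seen": t.isoformat()})
                    break
            if want == len(STAGES):
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Requiring the stages in order and within a window keeps a lone AnyDesk install (which may be legitimate IT activity) from paging anyone, while the full sequence on one host is a strong enough signal to isolate the machine and pull the dropped files for analysis.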
5. Critical Vulnerability in BeyondTrust Software Added to CISA’s KEV List
CISA has added CVE-2024-12356, a critical command injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), to its KEV catalog due to active exploitation. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary commands as a site user. Additionally, BeyondTrust disclosed CVE-2024-12686, a medium-severity vulnerability (CVSS 6.6) that permits attackers with administrative privileges to inject and execute commands. Both vulnerabilities affect PRA and RS versions 24.3.1 and earlier, with patched versions starting from BT24-10-ONPREM1 or BT24-11-ONPREM1. Organizations are urged to update to the latest versions, secure administrative accounts, audit self-hosted installations, and restrict internet-facing access to PRA and RS environments. Regularly reviewing logs for unusual activity and following BeyondTrust advisories for future updates are critical steps to mitigate these vulnerabilities.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.