Cyble Sensors Detect Attacks on Apache OFBiz, Palo Alto Networks
Published 2025-02-03 14:01:12 | Author: cyble.com

Overview

Cyble honeypot sensors have detected new attack attempts on vulnerabilities in Palo Alto Networks’ web management interface and the Apache OFBiz ERP system, among dozens of other exploits picked up by Cyble sensors.

Cyble’s recent sensor intelligence report to clients examined more than 30 vulnerabilities under active exploitation and also looked at persistent attacks against Linux systems and network and IoT devices. Threat actors continue to scan for vulnerable devices, both to compromise them for ransomware attacks and to add them to botnets used for DDoS attacks and crypto mining.

The full reports also looked at banking malware, brute-force attacks, vulnerable ports, and phishing campaigns.

Palo Alto Networks Vulnerabilities Targeted

Cyble sensors detected attacks attempting to exploit an OS Command Injection vulnerability in the Palo Alto Networks PAN-OS management web interface.

The vulnerability, CVE-2024-9474, is a privilege escalation flaw: an attacker who already holds PAN-OS administrator access to the management web interface can use it to run commands on the firewall with root privileges.

Palo Alto Networks issued an alert in November that CVE-2024-9474 was being exploited in conjunction with a second vulnerability, CVE-2024-0012. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to the agency’s Known Exploited Vulnerabilities (KEV) catalog.

CVE-2024-0012 is an authentication bypass vulnerability in PAN-OS that enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges. The Palo Alto alert said hackers could use CVE-2024-0012 to perform administrative actions, tamper with configurations, or exploit other authenticated privilege escalation vulnerabilities such as CVE-2024-9474.

Fixes for both vulnerabilities are available, and Palo Alto said users can further reduce risk by restricting access to the management interface to only trusted internal IP addresses to prevent external access from the internet, as recommended by the company’s best practice deployment guidelines. “The vast majority of firewalls already follow Palo Alto Networks and industry best practices,” Palo Alto said.

Critical Apache OFBiz Vulnerabilities Targeted

Threat actors have also recently targeted the Apache OFBiz enterprise resource planning (ERP) system, including vulnerabilities from 2024 and 2023.

CVE-2024-38856 affects Apache OFBiz up to and including version 18.12.14 and allows a remote, unauthenticated attacker to execute arbitrary code. The root cause is incorrect authorization: certain endpoints do not properly check the caller’s permissions, so an unauthenticated request can render screens that should require authentication, and from there reach exploitation. Upgrading to version 18.12.15 is strongly recommended.

CVE-2024-38856 has also been exploited in conjunction with CVE-2024-36104, an Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability in Apache OFBiz before version 18.12.14.

CVE-2023-50968 is an arbitrary file properties reading vulnerability in Apache OFBiz that continues to attract attackers’ attention. It is triggered by calling a URI without authorization, and the same URI can be abused for a Server-Side Request Forgery (SSRF) attack. Upgrading to version 18.12.11 patches this vulnerability, but 18.12.15 is the version to target because it also closes the more recent vulnerabilities above.
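The three OFBiz advisories above each name a different first fixed release, so an inventory check has to compare versions numerically rather than as strings. The script below is an added example, not Cyble’s or the Apache OFBiz project’s code: it takes the fixed versions exactly as the article states them, and the host inventory is constructed sample data.

```python
"""Triage an Apache OFBiz inventory against the CVEs discussed above.

Added example, not Cyble's or the Apache OFBiz project's code. The fixed
versions are those the article states; the host inventory is constructed
sample data.
"""
import re

# CVE -> first fixed release, as given in the article.
OFBIZ_FIXES = {
    "CVE-2024-38856": "18.12.15",  # incorrect authorization, unauthenticated RCE
    "CVE-2024-36104": "18.12.14",  # path traversal, chained with CVE-2024-38856
    "CVE-2023-50968": "18.12.11",  # arbitrary file properties read / SSRF
}
TARGET_VERSION = "18.12.15"  # the release the article recommends

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'18.12.9' -> (18, 12, 9). Numeric tuples compare correctly; a plain string
    compare would put '18.12.9' after '18.12.14' and miss the vulnerable host."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OFBiz version: {text!r}")
    return tuple(int(g) for g in m.groups())


def exposed_cves(version):
    """CVEs from OFBIZ_FIXES whose fix is newer than the installed version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in OFBIZ_FIXES.items() if v < parse_version(fixed))


def triage(inventory):
    """inventory: iterable of (host, version). Returns rows with the hosts that have
    the most open CVEs first; unparsable versions are flagged for a manual check."""
    rows = []
    for host, version in inventory:
        try:
            cves = exposed_cves(version)
        except ValueError:
            rows.append({"host": host, "version": version, "cves": None,
                         "action": "verify version manually"})
            continue
        action = "up to date" if not cves else f"upgrade to {TARGET_VERSION}"
        rows.append({"host": host, "version": version, "cves": cves, "action": action})
    # Unknown versions sort last; otherwise most open CVEs first, then by host name.
    rows.sort(key=lambda r: (r["cves"] is None, -len(r["cves"] or []), r["host"]))
    return rows


# Constructed inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("erp-prod-1", "18.12.15"),
    ("erp-prod-2", "18.12.14"),
    ("erp-staging", "18.12.9"),
    ("erp-legacy", "17.12.7"),
    ("erp-test", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["host"]:12} {row["version"]:9} {row["action"]:28} {row["cves"]}')
```

Note that a host on 18.12.14 is still exposed to CVE-2024-38856 even though it is past the fix for the path traversal bug, which is why the recommended target is 18.12.15 and not the first release that clears any single CVE.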

Cyble also noted that a number of other recent attack campaigns remain active, including exploits targeting CVE-2024-7593, a vulnerability in Ivanti Virtual Traffic Manager (vTM) that Cyble reported as being under attack last month.

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients receive a separate IoC list).
  • Immediately patching all open vulnerabilities listed here and routinely monitoring the top Suricata alerts in internal networks.
  • Continually checking for attackers’ ASNs and IPs (included in the full Cyble reports).
  • Blocking Brute Force attack IPs and the targeted ports listed in the report.
  • Immediately resetting default usernames and passwords to mitigate brute-force attacks and enforcing periodic changes.
  • For servers, setting up strong passwords that are difficult to guess.
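The second, third and fourth recommendations amount to one recurring task: read the IDS alerts, rank the noisiest signatures and source addresses, and turn the brute-force and exploit sources into a block list without firewalling your own scanners. The script below is an added example, not Cyble’s tooling. It works on Suricata’s EVE JSON alert format; the records are constructed sample data using local-range signature IDs (9000001 and up), and the brute-force threshold and the internal allow-list are assumptions to tune per environment.

```python
"""Rank Suricata EVE alerts and build a block list from them.

Added example, not Cyble's tooling. The EVE records are constructed sample
data with local-range signature IDs (9000001+); BRUTE_FORCE_THRESHOLD and
INTERNAL_NETS are assumptions to adjust per environment.
"""
import ipaddress
import json
from collections import Counter

# Assumed: sources in these ranges are our own (scanners, VPN pool) and are never blocked.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRUTE_FORCE_THRESHOLD = 5  # assumed: alerts from one source against one port


def _ev(ts, src, dst, port, sid, sig, sev, etype="alert"):
    """Build one constructed EVE record with the fields Suricata emits for alerts."""
    rec = {"timestamp": ts, "event_type": etype, "src_ip": src, "src_port": 51000,
           "dest_ip": dst, "dest_port": port, "proto": "TCP"}
    if etype == "alert":
        rec["alert"] = {"signature_id": sid, "signature": sig, "severity": sev}
    return json.dumps(rec)


SAMPLE_EVE = "\n".join(
    [_ev("2025-02-01T10:00:%02d.000000+0000" % i, "203.0.113.10", "198.51.100.5", 443,
         9000001, "LOCAL PAN-OS management web interface exploit attempt", 1) for i in range(2)]
    + [_ev("2025-02-01T10:01:%02d.000000+0000" % i, "203.0.113.44", "198.51.100.7", 22,
           9000002, "LOCAL SSH brute force login attempts", 2) for i in range(6)]
    + [_ev("2025-02-01T10:02:%02d.000000+0000" % i, "192.168.1.20", "198.51.100.7", 22,
           9000002, "LOCAL SSH brute force login attempts", 2) for i in range(6)]
    + [_ev("2025-02-01T10:03:00.000000+0000", "203.0.113.77", "198.51.100.9", 8443,
           9000003, "LOCAL Apache OFBiz unauthorized endpoint access attempt", 1)]
    + [_ev("2025-02-01T10:04:00.000000+0000", "198.51.100.200", "198.51.100.9", 80,
           9000004, "LOCAL generic web scanner user-agent", 3)]
    + [_ev("2025-02-01T10:04:01.000000+0000", "203.0.113.10", "198.51.100.5", 443, 0, "", 0, "flow")]
    + ['{"timestamp":"2025-02-01T10:05:00', ]  # truncated line, as seen when tailing a live eve.json
)


def load_events(text):
    """Parse EVE JSON lines, keeping only well-formed 'alert' records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or corrupt line: skip, do not abort the run
        if rec.get("event_type") == "alert":
            events.append(rec)
    return events


def top_signatures(events, n=5):
    """Most frequent (signature_id, signature) pairs: the 'top Suricata alerts'."""
    return Counter((e["alert"]["signature_id"], e["alert"]["signature"]) for e in events).most_common(n)


def top_sources(events, n=5):
    """Most active source addresses across all alerts."""
    return Counter(e["src_ip"] for e in events).most_common(n)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _brute_force_hits(events):
    hits = Counter()
    for e in events:
        if "brute force" in e["alert"]["signature"].lower():
            hits[(e["src_ip"], e["dest_port"])] += 1
    return hits


def brute_force_candidates(events, threshold=BRUTE_FORCE_THRESHOLD):
    """External (src_ip, dest_port, count) at or above the threshold."""
    return [(ip, port, n) for (ip, port), n in _brute_force_hits(events).most_common()
            if n >= threshold and not is_internal(ip)]


def internal_offenders(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Internal sources crossing the threshold: investigate (misconfigured scanner,
    compromised host), do not add to the perimeter block list."""
    return [(ip, port, n) for (ip, port), n in _brute_force_hits(events).most_common()
            if n >= threshold and is_internal(ip)]


def block_list(events, threshold=BRUTE_FORCE_THRESHOLD):
    """External (src_ip, dest_port) pairs to block: any severity-1 exploit alert,
    plus brute-force sources at or above the threshold."""
    exploit = {(e["src_ip"], e["dest_port"]) for e in events
               if e["alert"]["severity"] == 1 and not is_internal(e["src_ip"])}
    brute = {(ip, port) for ip, port, _ in brute_force_candidates(events, threshold)}
    return sorted(exploit | brute)


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVE)
    print("top signatures:", top_signatures(evs))
    print("top sources:", top_sources(evs))
    print("block:", block_list(evs))
    print("investigate internally:", internal_offenders(evs))
```

Blocking by (address, port) pair rather than bare address is deliberate: a source that only ever hammered SSH is blocked on 22 while a later benign connection from the same range to the public web server still reaches the application layer where it can be logged. Widen it to a whole-address block once the source also appears in a severity-1 exploit alert or in the attacker ASN and IP lists the full report provides.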

Conclusion

With nearly constant threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching quickly and applying mitigations where patching isn’t possible.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches.

To access full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.




Source: https://cyble.com/blog/cyble-sensors-detect-attacks-on-palo-alto-networks/