April 2024 Threat Tracking: Record High For Security Vulnerabilities

April 2024 has added another record-breaking month for CVE disclosure on top of the previous one. In this month’s threat tracking report we investigate several newly and actively exploited vulnerabilities and briefly review the cyber breach of US R&D giant MITRE. The report also examines how end-of-life (EOL) products can undermine an organization’s cybersecurity posture and how to manage the associated risks.

MITRE Exploited Via Ivanti Connect Secure Vulnerabilities

The MITRE Corporation is a not-for-profit organization established in 1958 that operates multiple federally funded research and development centers (FFRDCs) supporting US national defense, cybersecurity, healthcare, aviation, and more. MITRE also maintains several core cybersecurity frameworks such as MITRE ATT&CK and D3FEND, and vulnerability resources including the Common Vulnerabilities and Exposures (CVE) list, the Common Weakness Enumeration (CWE), and the Common Attack Pattern Enumeration and Classification (CAPEC).

A recent cyber breach of MITRE shows that even the most cyber-savvy organizations are not immune to targeted attacks by Advanced Persistent Threats (APTs). Initial access to one of MITRE’s research networks was gained via two Ivanti Connect Secure VPN vulnerabilities: CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). We previously published a full description of these vulnerabilities, both of which can be detected by Greenbone’s vulnerability tests. After initial access, the attackers pivoted to adjacent VMware infrastructure [TA0109] using stolen session tokens [T1563] to bypass multi-factor authentication and access administrator accounts.

If it can happen to MITRE, it can happen to any organization. Patching known, actively exploited vulnerabilities is a critical cybersecurity activity that every organization needs to prioritize.

Operation MidnightEclipse: Exploited Palo Alto Zero Day

On April 10, 2024, exploitation of a previously unknown zero-day vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS was detected and reported by researchers at the cybersecurity firm Volexity. The vulnerability, now tracked as CVE-2024-3400 (CVSS 10), allows unauthenticated remote code execution (RCE) with root privileges and has been added to the CISA KEV (Known Exploited Vulnerabilities) catalog. The Greenbone Enterprise vulnerability feed includes tests to detect CVE-2024-3400, allowing organizations to identify affected assets and plan remediation.

Palo Alto Networks’ Unit 42 is tracking the subsequent attacks under the name Operation MidnightEclipse. Together with the Shadowserver Foundation and GreyNoise, it has observed everything from simple probes to full exploitation followed by data exfiltration and installation of remote command and control (C2) tooling. Several proof of concept (PoC) exploits have also been publicly disclosed [1][2] by third parties, extending the threat by enabling attacks from low-skilled cyber criminals.

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal. Hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3 are available to remediate affected devices without requiring a restart; the vendor advisory should be checked for hotfixes covering other maintenance releases on these trains. A comprehensive remediation guide is available in the Palo Alto Networks Knowledge Base.
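The version check below is an added example, not code from Greenbone or Palo Alto Networks. It parses PAN-OS version strings (including the `-hN` hotfix suffix), compares a device against the three hotfix releases named above, and only reports a device as exposed when a GlobalProtect gateway or portal is also configured. The inventory, hostnames and the `triage` helper are constructed for illustration; the block deliberately models only the three hotfixes listed in this section, so a device on another maintenance release of the same train is reported as needing review rather than assumed safe.

```python
import re
from typing import Dict, List, NamedTuple


class PanosVersion(NamedTuple):
    """PAN-OS version as a comparable tuple; hotfix is 0 when no -hN suffix."""
    major: int
    minor: int
    maint: int
    hotfix: int


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> PanosVersion:
    """Parse '10.2.9-h1' or '11.1.2' style strings; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Hotfix releases named in the advisory text above, keyed by release train.
# Assumption (example only): only these three are treated as fixed. Hotfixes
# later published for other maintenance releases on the same trains are not
# modelled, so a device on such a release is reported as needing review.
FIXED_VERSIONS: Dict[tuple, PanosVersion] = {
    (10, 2): parse_panos_version("10.2.9-h1"),
    (11, 0): parse_panos_version("11.0.4-h1"),
    (11, 1): parse_panos_version("11.1.2-h3"),
}


def is_vulnerable_to_cve_2024_3400(version: str, globalprotect_enabled: bool) -> bool:
    """True when the firewall runs an affected train below its hotfix AND has a
    GlobalProtect gateway or portal configured; both conditions are required."""
    v = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get((v.major, v.minor))
    if fixed is None:
        return False  # train not listed as affected (e.g. 10.1.x)
    if not globalprotect_enabled:
        return False  # exposure requires GlobalProtect gateway or portal
    return v < fixed  # tuple comparison: maintenance release, then hotfix number


def triage(inventory: List[Dict]) -> List[str]:
    """Return hostnames from an inventory that still need the hotfix."""
    return sorted(
        item["host"]
        for item in inventory
        if is_vulnerable_to_cve_2024_3400(item["panos"], item["globalprotect"])
    )


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are hypothetical.
    sample = [
        {"host": "fw-edge-01", "panos": "10.2.9", "globalprotect": True},
        {"host": "fw-edge-02", "panos": "10.2.9-h1", "globalprotect": True},
        {"host": "fw-dc-01", "panos": "11.1.2-h2", "globalprotect": True},
        {"host": "fw-lab-01", "panos": "11.1.2", "globalprotect": False},
        {"host": "fw-old-01", "panos": "10.1.11", "globalprotect": True},
    ]
    for host in triage(sample):
        print(f"{host}: apply CVE-2024-3400 hotfix")
```

A device with GlobalProtect disabled is not flagged, but that decision should be revisited if the portal or gateway is enabled later; tying the check to configuration state rather than version alone is what keeps the result honest.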

D-Link End-Of-Life Products Exploited Via Hardcoded Credentials

Two critical vulnerabilities have been discovered in network attached storage (NAS) devices manufactured by D-Link, tracked as CVE-2024-3272 (CVSS 9.8) and CVE-2024-3273 (CVSS 9.8). The impacted models include DNS-320L, DNS-325, DNS-327L and DNS-340L, all of which have reached end of life and are no longer supported. According to D-Link, patches will not be provided. Both CVEs are being actively exploited, and a proof of concept (PoC) exploit for CVE-2024-3273 is available online. Globally, an estimated 92,000 devices are affected.

Vulnerable devices all ship with a hardcoded administration account that does not require a password (CVE-2024-3272). Attackers can then execute commands remotely by sending a specially crafted HTTP GET request to the /cgi-bin/nas_sharing.cgi URI on the NAS web interface (CVE-2024-3273). Combined, the two vulnerabilities pose a severe risk: they allow unauthenticated root remote code execution (RCE) on the target device [T1584]. This gives attackers access to potentially sensitive data [TA0010] stored on the compromised NAS itself, but also a foothold on the victim’s network for lateral movement [TA0008] to other systems, or for launching attacks globally as part of a botnet [T1584.005].
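Because no patch will ever arrive for these devices, detection has to come from the network around them. The script below is an added example, not Greenbone’s or D-Link’s code: it parses combined-format web access log lines, such as those a reverse proxy or web filter placed in front of the NAS would write, and flags every request to the /cgi-bin/nas_sharing.cgi endpoint named above, regardless of status code, since a 403 probe of an EOL device is as worth knowing about as a successful request. The log lines are constructed for this example, and the query parameters in them are placeholders, not the parameters used by the real exploit.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# The CGI endpoint named in the advisory text above.
WATCHED_PATH = "/cgi-bin/nas_sharing.cgi"

# Combined log format as written by Apache/nginx style servers or a reverse
# proxy placed in front of the NAS.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). Query parameters are
# placeholders for illustration, not the parameters used by the exploit.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2024:02:11:09 +0000] "GET /cgi-bin/nas_sharing.cgi?action=list&path=/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [14/Apr/2024:02:11:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2024:02:11:12 +0000] "POST /web/login.html HTTP/1.1" 200 128 "-" "Mozilla/5.0"
this line is garbage and must not break the parser
192.0.2.9 - - [14/Apr/2024:02:11:30 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


def find_nas_sharing_requests(log_text: str) -> List[Dict]:
    """Flag every request whose path is the nas_sharing.cgi endpoint.

    The path alone is the signal: on an EOL device with no patch the endpoint
    itself is the exposed surface, so a 403 probe is as interesting as a 200.
    """
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        parts = urlsplit(m["target"])
        if parts.path != WATCHED_PATH:
            continue
        findings.append({
            "src": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "params": sorted(parse_qs(parts.query, keep_blank_values=True)),
        })
    return findings


def summarize_by_source(findings: List[Dict]) -> Counter:
    """Count flagged requests per source address to spot scanners."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_nas_sharing_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} {h["method"]} status={h["status"]} params={h["params"]}')
    print(dict(summarize_by_source(hits)))
```

Only parameter names are recorded, not values, so the finding can be shared with a SOC without copying attacker payloads into tickets; the source-address summary is what turns isolated hits into a picture of who is scanning for these devices.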

Securing End-Of-Life (EOL) Digital Products

End-of-life (EOL) digital products demand special security considerations because vendor support has been discontinued. Here are some defensive tactics for protecting EOL digital products:

  1. Risk Assessment: Conduct regular risk assessments to identify the potential impact of legacy devices on your organization, especially considering that newly disclosed vulnerabilities may never receive vendor-provided remediation.
  2. Vulnerability and Patch Management: Although EOL products are officially unsupported by their vendors, in some emergency cases patches are still issued. Vulnerability scanning and patch management help identify new vulnerabilities and allow defenders to seek guidance from the vendor on remediation options.
  3. Isolation and Segmentation: Where possible, isolate EOL products from the rest of the network to limit their exposure to potential threats. Segmenting these devices can help contain a breach and prevent it from affecting other systems.
  4. Harden Configuration and Policies: In some cases, additional policies or security measures, such as disabling unused services or removing Internet access altogether, are appropriate to further mitigate risk.
  5. Update to Supported Products: Update IT infrastructure to replace EOL products with supported alternatives. Transitioning to newer technologies improves security posture and reduces reliance on outdated systems.
  6. Monitoring and Detection: Implement additional monitoring and detection mechanisms to catch suspicious activity, exploitation attempts, or unauthorized access to EOL products. Continuous monitoring helps identify malicious activity promptly and allows an appropriate response.

CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability

CISA has ordered all US federal government agencies to patch systems running the CrushFTP service because of active exploitation by politically motivated hackers. Tracked as CVE-2024-4040 (CVSS 9.8), the vulnerability allows an unauthenticated attacker to access sensitive data outside CrushFTP’s Virtual File System (VFS) and achieve full system compromise. The root cause is a server-side template injection in the CrushFTP API [CWE-1336]: crafted input is evaluated by the server rather than being confined to the VFS.

CrushFTP is proprietary file transfer server software designed for secure file transfer and file sharing. It supports a wide range of protocols, including FTP, SFTP, FTPS, HTTP, HTTPS and WebDAV. The vulnerability lies in CrushFTP’s Java web-interface API for administering and monitoring the CrushFTP server.
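The property a VFS sandbox has to enforce is that every path handed to the file system is still under the virtual root after canonicalisation. The block below is an added, generic illustration of that property and of how it fails; it is not CrushFTP’s code and does not reproduce the CVE-2024-4040 template-injection mechanism. `resolve_unsafe` is the vulnerable form (a bare `os.path.join` that drops the root for absolute paths and follows `..` out of it), `resolve_confined` is the hardened form, and `run_demo` runs both over a constructed directory tree with a relative traversal, an absolute path, and a symlink planted inside the root that points outside it.

```python
import os
import tempfile
from typing import Callable, Dict


class SandboxEscape(Exception):
    """Raised when a requested path would resolve outside the VFS root."""


def resolve_unsafe(vfs_root: str, requested: str) -> str:
    """Vulnerable resolver: trusts the caller. os.path.join discards vfs_root
    entirely when `requested` is absolute, and '..' segments walk out of it."""
    return os.path.join(vfs_root, requested)


def resolve_confined(vfs_root: str, requested: str) -> str:
    """Hardened resolver: canonicalise, then prove the result is under the root.
    Absolute requests are reinterpreted relative to the root; symlinks are
    followed before the check so a link pointing outside is caught too."""
    root = os.path.realpath(vfs_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise SandboxEscape(f"{requested!r} resolves outside the VFS root")
    return candidate


def classify(resolver: Callable[[str, str], str], vfs_root: str, requested: str) -> str:
    """'inside' / 'escaped' for what the resolver hands back, 'blocked' if it refused."""
    try:
        resolved = os.path.realpath(resolver(vfs_root, requested))
    except SandboxEscape:
        return "blocked"
    root = os.path.realpath(vfs_root)
    return "inside" if os.path.commonpath([root, resolved]) == root else "escaped"


def build_demo_tree() -> Dict[str, object]:
    """Constructed layout: <tmp>/vfs is the root, <tmp>/secret.txt sits outside it."""
    base = tempfile.mkdtemp(prefix="vfs-demo-")
    root = os.path.join(base, "vfs")
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, "public", "readme.txt"), "w") as fh:
        fh.write("public\n")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("outside the sandbox\n")
    link_ok = True
    try:  # a symlink inside the root that points outside it
        os.symlink(secret, os.path.join(root, "public", "link"))
    except OSError:  # platforms without symlink support
        link_ok = False
    return {"root": root, "secret": secret, "symlink": link_ok}


def run_demo() -> Dict[str, Dict[str, str]]:
    """Run both resolvers over the same requests and report how each fared."""
    tree = build_demo_tree()
    root = str(tree["root"])
    requests = {
        "inside-file": "public/readme.txt",
        "relative-traversal": "../secret.txt",
        "absolute-path": str(tree["secret"]),
    }
    if tree["symlink"]:
        requests["symlink-out"] = "public/link"
    return {
        name: {label: classify(fn, root, req) for label, req in requests.items()}
        for name, fn in (("unsafe", resolve_unsafe), ("confined", resolve_confined))
    }


if __name__ == "__main__":
    for resolver, outcome in run_demo().items():
        print(resolver, outcome)
```

The order of operations in `resolve_confined` matters: the check runs on the fully resolved path, after symlinks and `..` have been applied, because a string-prefix check on the unresolved input is exactly what traversal and symlink tricks are designed to pass.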

CrushFTP has stated that a compromised instance cannot be identified by inspecting the application logs. CVE-2024-4040 turned out to be trivial to exploit, and publicly available exploits exist, greatly increasing the risk. Greenbone’s Enterprise feed includes a vulnerability test that identifies vulnerable versions of CrushFTP from the HTTP header the server sends.

There are an estimated 6,000 publicly exposed CrushFTP instances in the US alone and over 7,000 globally. CVE-2024-4040 affects all versions of the application before 10.7.1 and 11.1.0 on all platforms; customers should upgrade to a patched version urgently.

Summary

April 2024 was a record-breaking month for CVE disclosure and brought new cybersecurity challenges, including several high-profile incidents. Vulnerabilities in Ivanti Connect Secure VPN were used to gain unauthorized access to one of MITRE’s research networks, leading to attacks on the internal network.

Politically motivated threat actors were observed exploiting a zero-day vulnerability in Palo Alto Networks’ PAN-OS, now tracked as CVE-2024-3400, and two new critical vulnerabilities in EOL D-Link NAS devices highlight the need for extra security when legacy products must remain in active service. A critical vulnerability in the CrushFTP server was also found and quickly added to CISA KEV, forcing US government agencies to patch urgently.