Heads-up! Thanks to collaboration with the Saudi National Cybersecurity Authority we are now scanning & reporting Palo Alto Networks devices COMPROMISED as a result of a CVE-2024-0012/CVE-2024-9474 campaign.
We found ~2000 instances compromised on 2024-11-20: https://lnkd.in/dNpxPkKC
Top affected: US & India
We are sharing IP data tagged 'panos-compromised' in our daily Compromised Website report, filtered by your network/constituency: https://lnkd.in/d_Y2e4A7
We appreciate feedback on any IoCs you may find as a result of investigations based on our reporting.
Background from Palo Alto Networks Unit 42: https://lnkd.in/gBMGtnEu
#cybersecurity #cybercrime #backdoor #malware #threatintelligence #shadowserver #cybercivildefense
About us
The Shadowserver Foundation is a watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.
- Website
-
https://www.shadowserver.org
- Industry
- Computer and Network Security
- Company size
- 11-50 employees
- Type
- Nonprofit
Updates
-
Attention! We have started to report Palo Alto Networks devices still vulnerable to CVE-2024-0012 in our Vulnerable HTTP reports (filtered by network/constituency of recipient): https://lnkd.in/dsA3E6A3
~2700 found vulnerable on 2024-11-20: https://lnkd.in/d5WGPc57
Top affected: US & India
Thanks to watchTowr for the insights!
Please check for compromise if you receive a report from us for your device.
Patch info from Palo Alto Networks:
- https://lnkd.in/ekVSnu8S
- https://lnkd.in/dH2dcviT
#cybersecurity #vulnerability #vulnerabilitymanagement #riskmanagement #attacksurface #situationalwareness #threatintelligence #vulnerabilityintelligence #shadowserver #cybercivildefense
-
We see Palo Alto Networks PAN-OS CVE-2024-0012 exploitation attempts since Nov 18th. We are now also observing CVE-2024-9474.
IoCs: https://lnkd.in/gBMGtnEu
Check for signs of compromise and patch: https://lnkd.in/ekVSnu8S https://lnkd.in/dH2dcviT
For additional background: https://lnkd.in/gdjGPtbx
Palo Alto PAN-OS Management Interface exposure tracker: https://lnkd.in/dgNpeUuW
#cybersecurity #vulnerability #riskmanagement #vulnerabilitymanagement #threatintelligence #attacksurface #shadowserver #cybercivildefense
-
CVEs have now been assigned: https://lnkd.in/gBMGtnEu https://lnkd.in/ekVSnu8S https://lnkd.in/dH2dcviT
6642 IPs found exposed on 2024-11-17 (down from around 11K): https://lnkd.in/dc2946ws
As a reminder, IP data is shared in our Device ID report daily: https://lnkd.in/dPu3utpY
Palo Alto Networks has now updated their advisory https://lnkd.in/e5z5npHy saying they have "observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet."
We see a drop in exposed PAN-OS Management Interfaces (down by around 2K from previously shared observations), currently at 8726 IPs.
Get these Interfaces off public Internet access NOW!
PAN-OS Management Interface tracker: https://lnkd.in/d-9fVHT3
How to Secure the Management Access of Your Palo Alto Networks Device: https://lnkd.in/egtXRq49
#cybersecurity #0day #riskmanagement #attacksurface #threatintelligence #riskmanagement #shadowserver #cybercivildefense
-
Based on a recent advisory by Cybersecurity and Infrastructure Security Agency, Australian Signals Directorate, National Cyber Security Centre, Canadian Centre for Cybersecurity (CCCS) and CERT NZ on "2023 Top Routinely Exploited Vulnerabilities" we added 3 additional 2023 CVEs to our daily reports: https://lnkd.in/e87SfRCZ
- Atlassian CVE-2023-22515
- PaperCut MF/NG CVE-2023-27350
- ownCloud CVE-2023-49103
These can be found (in addition to others from that list) in our Vulnerable HTTP report: https://lnkd.in/dsA3E6A3
You can track all our CVE related scans from that report on our Dashboard at https://lnkd.in/dJqqNa4G
#cybersecurity #vulnerability #vulnerabilitymanagement #attacksurface #riskmanagement #shadowserver #cybercivildefence
-
We observed a 0day exploit in the wild used by a botnet targeting GeoVision EOL devices. The pre-auth command injection vulnerability was verified in collaboration with TWCERT/CC, Taiwan Computer Emergency Response Team / Coordination Center & GeoVision & assigned CVE-2024-11120 (CVSS 9.8).
TWCERT/CC: https://lnkd.in/daewb4mu
NVD: https://lnkd.in/d_GvMJ7E
If you run a vulnerable EOL version, please remove from the Internet and replace it.
We currently track around 17K GeoVision devices (see our device id report for GeoVision devices on your network) of all versions and will be working to identify the vulnerable cases.
Geo map view of exposed GeoVision devices (population only, no vulnerability assessment): https://lnkd.in/dSCJwzA6
#cybersecurity #0day #eitw #vulnerability #riskmanagement #attacksurface #iotsecurity #shadowserver #cybercivildefense
-
We have observed D-Link NAS CVE-2024-10914 /cgi-bin/account_mgr.cgi command injection exploitation attempts starting Nov 12th. This vulnerability affects EOL/EOS devices, which should be removed from the Internet: https://lnkd.in/dB_Kefrm
We see ~1100 exposed and waiting to be compromised ...
Geo breakdown: https://lnkd.in/dg-UD8FC
We share IP data on exposed D-Link NAS instances for your network/constituency in our Device ID reports (vendor D-Link, type: nas): https://lnkd.in/dPu3utpY
D-Link NAS exposure tracker: https://lnkd.in/dnPyrVtC
NVD entry: https://lnkd.in/deAr-7EM
#cybersecurity #attacksurface #vulnerabilitymanagement #riskmanagement #eol #ransomware #cybercivildefense #shadowserver
-
Attention! We started seeing Citrix Virtual Apps and Desktops CVE-2024-8068/CVE-2024-8069 PoC based exploitation attempts at around 16:00 UTC today, shortly after publication.
While there is discussion on whether these are remotely exploitable without auth, we urge you to update your installations NOW.
Citrix security advisory and update information: https://lnkd.in/dj66ZYMf
watchTowr disclosure: https://lnkd.in/dB7RU7Yx
#cybersecurity #attacksurface #riskmanagement #vulnerabilitymanagement #shadowserver #cybercivildefense
-
Attention! Palo Alto Networks published an advisory on 2024-11-08 warning of a claim of an RCE via the PAN-OS management interface.
While no exploitation activity has yet been observed, we added fingerprinting for exposed PAN-OS mgmt interfaces in our Device ID report to warn network owners of their potential attack surface: https://lnkd.in/dkWVZ97z
We see around 11K IPs exposed (10th Nov).
You can view exposure on our Dashboard selecting "IoT device statistics" in top nav bar and setting vendor "Palo Alto Networks" & model "PAN-OS Management Interface".
World map: https://lnkd.in/dDhxEU25
PAN-OS mgmt exposure tracker: https://lnkd.in/d-9fVHT3
PAN-OS Management Exposure by US state: https://lnkd.in/dDhxEU25
Palo Alto Networks security alert advisory: https://lnkd.in/e5z5npHy
How to Secure the Management Access of Your Palo Alto Networks Device: https://lnkd.in/egtXRq49
#cybersecurity #0day #riskmanagement #attacksurface #threatintelligence #riskmanagement #shadowserver #cybercivildefense