Lateo.net - RSS feeds galore (to add one: @ me)

From the day before yesterday: Ars Technica

“Highly capable” hackers root corporate networks by exploiting firewall 0-day

By Dan Goodin
(Image credit: Getty Images)

Highly capable hackers are rooting multiple corporate networks by exploiting a maximum-severity zero-day vulnerability in a firewall product from Palo Alto Networks, researchers said Friday.

The vulnerability, which has been under active exploitation for at least two weeks, allows unauthenticated attackers to execute malicious code with root privileges, the highest possible level of system access, researchers said. The extent of the compromise, along with the ease of exploitation, has earned CVE-2024-3400 the maximum severity rating of 10.0. The ongoing attacks are the latest in a rash of attacks aimed at firewalls, VPNs, and file-transfer appliances, which are popular targets because of their wealth of vulnerabilities and their direct pipeline into the most sensitive parts of a network.

“Highly capable” UTA0218 likely to be joined by others

The zero-day is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when they are configured to use both the GlobalProtect gateway and device telemetry. Palo Alto Networks has yet to patch the vulnerability but is urging affected customers to follow the workaround and mitigation guidance in its advisory. The advice includes enabling Threat ID 95187 for those with subscriptions to the company’s Threat Prevention service and ensuring vulnerability protection has been applied to their GlobalProtect interface. When that’s not possible, customers should temporarily disable telemetry until a patch is available.

Read 11 remaining paragraphs

As if 2 Ivanti vulnerabilities under exploit weren’t bad enough, now there are 3

By Dan Goodin
(Image credit: Getty Images)

Mass exploitation began over the weekend for yet another critical vulnerability in widely used VPN software sold by Ivanti, as hackers already targeting two previous vulnerabilities diversified, researchers said Monday.

The new vulnerability, tracked as CVE-2024-21893, is a server-side request forgery (SSRF): a flaw that lets an attacker make the vulnerable server send requests to destinations of the attacker’s choosing, including services reachable only from the server’s own network position. Ivanti disclosed it on January 22, along with a separate vulnerability that so far has shown no signs of being exploited. Last Wednesday, nine days later, Ivanti said CVE-2024-21893 was under active exploitation, aggravating an already chaotic few weeks. All of the vulnerabilities affect Ivanti’s Connect Secure and Policy Secure VPN products.
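The article names CVE-2024-21893 only as a server-side request forgery and says nothing about where in the product it sits, so the following added example (not Ivanti’s code, and not specific to this CVE) shows the class generically: a user-supplied URL is accepted for fetching, the naive hostname blocklist that such features usually ship with, and a guard that validates the scheme, port, and every resolved address before allowing the fetch. The hostnames, addresses, and the `fake_resolver` stand-in for DNS are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def naive_is_safe(url):
    """The usual broken defence: a string blocklist on the host name."""
    host = (urlparse(url).hostname or "").lower()
    return host not in {"localhost", "127.0.0.1", "169.254.169.254"}


def _looks_like_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _normalize(ip_text):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1)."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def system_resolver(host):
    """Resolve through the OS; return every A/AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolver=system_resolver):
    """Decide whether the server may fetch a user-supplied URL.

    Returns (allowed, reason, pinned_ip). An allowed caller must connect to
    pinned_ip (keeping the original Host header) and re-run this check on
    every redirect; resolving the name again at connect time would reopen
    the DNS-rebinding window that the resolved-address check closes.
    """
    try:
        parsed = urlparse(url)
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL", None
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed", None
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL", None
    host = parsed.hostname
    if not host:
        return False, "no host", None
    if port is None:
        port = 443 if parsed.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None

    # Literal addresses skip DNS; names must resolve cleanly.
    try:
        candidates = [host] if _looks_like_ip(host) else resolver(host)
    except (socket.gaierror, KeyError, UnicodeError):
        return False, f"cannot resolve {host!r}", None
    if not candidates:
        return False, f"no addresses for {host!r}", None

    # Every answer must be globally routable: one private answer in the set
    # is enough for the connecting library to end up on the internal host.
    for text in candidates:
        try:
            ip = _normalize(text)
        except ValueError:
            return False, f"unparseable address {text!r}", None
        if not ip.is_global:
            return False, f"{host!r} maps to non-public {ip}", None
    return True, "ok", str(_normalize(candidates[0]))


# Constructed DNS answers so the example runs without network access.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.test": ["169.254.169.254"],          # cloud metadata endpoint
    "rebind.test": ["93.184.216.34", "10.0.0.5"],  # split answer, one internal
}


def fake_resolver(host):
    """Offline stand-in for system_resolver; raises KeyError like NXDOMAIN."""
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://example.com/report", "http://metadata.test/latest/",
              "http://rebind.test/", "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd", "http://example.com:8080/"):
        print(f"{u:40} naive={naive_is_safe(u)!s:5} "
              f"guard={check_outbound_url(u, fake_resolver)}")
```

The guard rejects by resolved address rather than by hostname string, which is what defeats the IPv4-mapped loopback, decimal and octal encodings, and attacker-controlled names pointing at internal ranges; the remaining gap, a name that changes its answer between the check and the connect, is closed by connecting to the pinned address.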

A tarnished reputation and battered security professionals

The new vulnerability came to light as two other vulnerabilities were already under mass exploitation, mostly by a hacking group researchers have said is backed by the Chinese government. Ivanti provided mitigation guidance for the two vulnerabilities on January 11 and released a proper patch last week. The Cybersecurity and Infrastructure Security Agency, meanwhile, mandated all federal agencies under its authority disconnect Ivanti VPN products from the Internet until they are rebuilt from scratch and running the latest software version.

Read 6 remaining paragraphs

Cops bogged down by flood of fake AI child sex images, report says

(Image credit: SB Arts Media | iStock / Getty Images Plus)

Law enforcement is continuing to warn that a "flood" of AI-generated fake child sex images is making it harder to investigate real crimes against abused children, The New York Times reported.

Last year, after researchers uncovered thousands of realistic but fake AI child sex images online, every attorney general across the US quickly called on Congress to set up a committee to squash the problem. But so far, Congress has moved slowly, while only a few states have specifically banned AI-generated non-consensual intimate imagery. Meanwhile, law enforcement continues to struggle with figuring out how to confront bad actors found to be creating and sharing images that, for now, largely exist in a legal gray zone.

“Creating sexually explicit images of children through the use of artificial intelligence is a particularly heinous form of online exploitation,” Steve Grocki, the chief of the Justice Department’s child exploitation and obscenity section, told The Times. Experts told The Washington Post in 2023 that risks of realistic but fake images spreading included normalizing child sexual exploitation, luring more children into harm's way and making it harder for law enforcement to find actual children being harmed.

Read 11 remaining paragraphs

Ivanti warns of critical vulnerability in its popular line of endpoint protection software

By Dan Goodin

Software maker Ivanti is urging users of its endpoint security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code inside affected networks.

The vulnerability belongs to the class known as SQL injection and resides in all supported versions of Ivanti Endpoint Manager. Also known as Ivanti EPM, the software manages endpoints on a variety of platforms, including Windows, macOS, Linux, Chrome OS, and Internet of Things devices such as routers. SQL injection vulnerabilities stem from code that lets user input be interpreted as database commands or, more precisely, from concatenating untrusted data into SQL text instead of handing it to the database separately as a bound parameter, so that a quote or other syntax inside the data changes the structure of the query. CVE-2023-39336, as the Ivanti vulnerability is tracked, carries a severity rating of 9.6 out of a possible 10.

“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti officials wrote Friday in a post announcing the patch availability. “This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.”
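The paragraph above describes the class but not the vulnerable query, so this added example (not Ivanti’s code) shows the concatenation bug beside its parameterized fix on an in-memory SQLite table standing in for the product’s database. The table, rows, and the two payloads are constructed; the first payload turns a lookup into a tautology that returns every row, the second uses UNION to read the schema, which is the “execute arbitrary SQL queries and retrieve output” step the advisory quoted above describes.

```python
import sqlite3


def make_sample_db():
    """In-memory stand-in for an endpoint-management database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE agents (id INTEGER PRIMARY KEY, hostname TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO agents (hostname, api_key) VALUES (?, ?)",
        [("ws-01", "key-aaa"), ("ws-02", "key-bbb"), ("core-srv", "key-ccc")],
    )
    return conn


def lookup_vulnerable(conn, hostname):
    """Data spliced into the SQL text: a quote inside the input closes the
    string literal and everything after it is parsed as SQL."""
    sql = "SELECT hostname, api_key FROM agents WHERE hostname = '" + hostname + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, hostname):
    """The statement is compiled with a placeholder and the value is bound
    afterwards, so the input can only ever be compared, never executed."""
    return conn.execute(
        "SELECT hostname, api_key FROM agents WHERE hostname = ?", (hostname,)
    ).fetchall()


# Constructed attacker inputs. Each ends so that the application's own
# closing quote completes a valid statement; no comment sequence is needed.
TAUTOLOGY = "nope' OR '1'='1"
SCHEMA_DUMP = "nope' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"


if __name__ == "__main__":
    db = make_sample_db()
    print("normal   :", lookup_vulnerable(db, "ws-01"))
    print("tautology:", lookup_vulnerable(db, TAUTOLOGY))       # every api_key
    print("schema   :", lookup_vulnerable(db, SCHEMA_DUMP))     # CREATE TABLE text
    print("bound    :", lookup_parameterized(db, TAUTOLOGY))    # []
```

Python’s sqlite3 binding refuses to run a second statement in one `execute` call, so the example cannot show the stacked-query stage behind the advisory’s remark that the core server “might lead to RCE” when it uses SQL Express; a database that accepts stacked statements and exposes command-execution procedures to the application’s account would. That is also why the database account’s privileges are the second line of defence after parameterization.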

Read 11 remaining paragraphs

The latest high-severity Citrix vulnerability under attack isn’t easy to fix

By Dan Goodin
(Image credit: Getty Images)

A critical vulnerability that hackers have exploited since August, which allows them to bypass multifactor authentication in Citrix networking hardware, has received a patch from the manufacturer. Unfortunately, applying it isn’t enough to protect affected systems.

The vulnerability, tracked as CVE-2023-4966 and carrying a severity rating of 9.8 out of a possible 10, resides in the NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. Stemming from a flaw in a function Citrix has not identified, the information-disclosure vulnerability leaks data that lets attackers take over existing authenticated sessions, sidestepping the multifactor authentication those sessions already passed. It can be exploited remotely, requires no user interaction, and needs no prior privileges on the vulnerable system.

Citrix released a patch for the vulnerability last week, along with an advisory that provided few details. On Wednesday, researchers from security firm Mandiant said that the vulnerability has been under active exploitation since August, possibly for espionage against professional services, technology, and government organizations. Mandiant warned that patching the vulnerability wasn’t sufficient to lock down affected networks because any sessions hijacked before the security update would persist afterward.
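Mandiant’s caveat above, that sessions hijacked before the update keep working after it, comes down to the fact that a patch changes code while the session table survives. The following added example (not Citrix or Mandiant code) models that with a minimal server-side session store and a cutoff-based revocation, so the reader can see the stolen token validate after the “patch” until sessions issued before the patch time are killed. The users, timestamps, and timeline are constructed.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by an opaque random token."""

    def __init__(self):
        self._sessions = {}      # token -> (user, issued_at)
        self._not_before = 0.0   # tokens issued before this instant are dead

    def issue(self, user, now=None):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.time() if now is None else now)
        return token

    def validate(self, token):
        """Return the user behind a live token, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, issued_at = entry
        if issued_at < self._not_before:
            del self._sessions[token]   # lazily evict a revoked session
            return None
        return user

    def revoke_issued_before(self, cutoff):
        """Kill every session older than cutoff, e.g. the moment of patching."""
        self._not_before = max(self._not_before, cutoff)
        self._sessions = {t: e for t, e in self._sessions.items() if e[1] >= cutoff}

    def live_count(self):
        return len(self._sessions)


def simulate(revoke_after_patch):
    """Constructed timeline: a token is stolen at t=1000 and the patch lands
    at t=2000. Returns (user seen before patch, user seen after patch)."""
    store = SessionStore()
    stolen = store.issue("admin", now=1000.0)
    before = store.validate(stolen)
    patch_time = 2000.0          # fix deployed; table untouched unless revoked
    if revoke_after_patch:
        store.revoke_issued_before(patch_time)
    after = store.validate(stolen)
    return before, after


if __name__ == "__main__":
    print("patch only       :", simulate(False))   # ('admin', 'admin')
    print("patch + revocation:", simulate(True))   # ('admin', None)
```

On an appliance the equivalent step is terminating all existing sessions once the update is applied, and, because the leak happened before the patch, treating anything those sessions could reach as potentially accessed rather than assuming the update closed the incident.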

Read 5 remaining paragraphs

They’ve begun: Attacks exploiting vulnerability with maximum 10 severity rating

By Dan Goodin
(Image credit: Getty Images)

Ransomware hackers have started exploiting one or more recently fixed vulnerabilities that pose a grave threat to enterprise networks around the world, researchers said.

One of the vulnerabilities has a severity rating of 10 out of a possible 10 and another 9.9. They reside in WS_FTP Server, a file-sharing app made by Progress Software. Progress Software is the maker of MOVEit, another piece of file-transfer software that was recently hit by a critical zero-day vulnerability that has led to the compromise of more than 2,300 organizations and the data of more than 23 million people, according to security firm Emsisoft. Victims include Shell, British Airways, the US Department of Energy, and Ontario’s government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people.

About as bad as it gets

CVE-2023-40044, as the vulnerability in WS_FTP Server is tracked, and a separate vulnerability tracked as CVE-2023-42657 that was patched in the same September 27 update from Progress Software, are both about as critical as vulnerabilities come. With a severity rating of 10, CVE-2023-40044 allows attackers to execute malicious code with high system privileges with no authentication required. CVE-2023-42657, which has a severity rating of 9.9, also allows for remote code execution but requires the hacker to first be authenticated to the vulnerable system.

Read 12 remaining paragraphs

Vulnerable Arm GPU drivers under active exploitation. Patches may not be available

By Dan Goodin
(Image credit: Getty Images)

Arm warned on Monday of active ongoing attacks targeting a vulnerability in device drivers for its Mali line of GPUs, which run on a host of devices, including Google Pixels and other Android handsets, Chromebooks, and hardware running Linux.

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Arm officials wrote in an advisory. “This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0. There is evidence that this vulnerability may be under limited, targeted exploitation. Users are recommended to upgrade if they are impacted by this issue.”

The advisory continued: “A local non-privileged user can make improper GPU processing operations to access a limited amount outside of buffer bounds or to exploit a software race condition. If the system’s memory is carefully prepared by the user, then this in turn could give them access to already freed memory.”

Read 9 remaining paragraphs

Paint drops form “fried egg” patterns if concentration, temp is just right

(Image caption: As paint drops dry, they can look like a “fried egg” (left; scale bar is one millimeter) or develop a more even pigment distribution (right). Credit: S.M.M. Ramos et al., Langmuir 2023/ACS)

French scientists have been watching paint drops dry and monitoring the resulting patterns in hopes of finding ways to better control the drying process to reduce cracks and other imperfections. They found that some drops dried uniformly, while others wound up resembling fried eggs with pigmented "yolks" at the center surrounded by white, depending on pigment concentration and temperature, according to a recent paper published in the journal Langmuir.

The underlying mechanism is akin to the so-called "coffee ring effect," when a single liquid evaporates and the solids that had been dissolved in the liquid (like coffee grounds) form a telltale ring. It happens because the evaporation occurs faster at the edge than at the center. Any remaining liquid flows outward to the edge to fill in the gaps, dragging those solids with it. Mixing in solvents (water or alcohol) reduces the effect, as long as the drops are very small. Large drops produce more uniform stains.

"Whiskey webs" are another related example. As previously reported, Princeton University physicist Howard Stone has tracked the fluid motion in whiskey drops with fluorescent markers, concluding that surfactant molecules collect at the edge of the drop. This creates a tension gradient pulling the liquid inward (known as the Marangoni effect, which is also associated with "tears of wine"). There are also plant-based polymers that stick to the glass and channel particles in the whiskey.

Read 9 remaining paragraphs
