Breach Roundup: Researchers Find Flaws in Palo Alto Firewalls

Also: US Prosecutors Charge Suspected North Korean IT Worker Collaborators

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, researchers at Eclypsium uncovered security flaws in Palo Alto Networks firewall appliances, U.S. prosecutors charged five individuals including two U.S. nationals for participating in a conspiracy to employ North Korean IT workers and a researcher found that ChatGPT could be used to launch DDoS attacks through a now disabled API endpoint. Also, Chinese hackers targeted a South Korean VPN maker, and researchers found a malicious package on PyPi. A Russian intelligence threat actor shifted tactics. The former owner of the BreachForums criminal forum faces the prospect of at least 15 years in prison after a court said his January 2024 sentence of 17 days and 20 years supervised release was too light. Scammers are using the release from prison of Ross Ulbricht to mount scams.


Researchers Find UEFI Security Flaws in Palo Alto Appliances

Security researchers examined a handful of Palo Alto firewall devices and found them lacking in security protections, writing Thursday that hackers could remotely gain control over them.

“We purchased multiple Palo Alto Networks security appliances, expecting a high level of security and resilience. Instead, what we found under the hood was commodity hardware, vulnerable software and firmware, and missing security features,” wrote Eclypsium researchers.

They detailed an investigation into the internals of three models – the PA-3260, the PA-1410 and the PA-415, with only the PA-3260 currently past its end-of-sale date. All three appliances, researchers wrote, had a secure boot bypass vulnerability in the UEFI firmware making them vulnerable to CVE-2020-10713, a vulnerability known as “BootHole.”

The devices are vulnerable, the researchers wrote, because Palo Alto uses its own set of certificates to establish the root of trust necessary for the secure boot process that prevents untrusted operating systems from loading. Any company using its own certificates is also responsible for keeping the revocation list current – something researchers said Palo Alto hasn’t done. That means the devices could run a version of the UEFI bootloader component known as GRUB2 that’s susceptible to buffer overflow attacks. Hackers could gain root privileges on devices running the Palo Alto operating system by chaining vulnerabilities, as documented by watchTowr last November, researchers added.

In a prepared statement, a Palo Alto spokesperson said the scenarios required for successful exploitation of the vulnerabilities detailed by Eclypsium “do not exist on up-to-date PAN-OS software under normal conditions with secured management interfaces deployed according to best practice guidelines.” Nonetheless, “we are working with the third-party vendor to develop any mitigations that may be needed.”

Hackers greatly prize access to the UEFI environment since malware loaded at that level of computing is very difficult, if not impossible, to detect. Hackers have also increased their focus on edge devices such as firewalls since those appliances are often beyond the reach of endpoint detection and response tools and contain proprietary technology making independent analysis difficult (see: Ivanti Uses End-of-Life Operating Systems, Software Packages).

U.S. Busts North Korean IT Workers Ring

U.S. federal prosecutors announced Thursday the prosecution of two U.S. nationals for their participation in a six-year-long conspiracy to virtually smuggle North Korean IT workers into corporate environments.

An indictment accuses Erick Ntekereze Prince and Emanuel Ashtor of setting up front companies used by cadres of North Korean workers to obtain remote tech employment. Named conspirators also include Jin Sung-Il and Pak Jin-Song, North Korean nationals residing in the Liaoning Province of China, and a Mexican national named Pedro Ernesto Alonso de los Reyes, residing in Sweden and suspected of lending his identity to Jin.

Prosecutors say they collectively obtained remote work for North Korean workers from at least 64 companies. Payments from ten of those companies totaled approximately $866,255, which the conspiracy collected while operating from April 2018 through August 2024, the indictment states.

The cash-hungry regime in Pyongyang deploys trained workers to neighboring states who falsify their identities and funnel their salaries to the government, which plows the money into developing weapons of mass destruction and keeping the authoritarian country afloat. The North Korean government unusually depends on criminal operations for income, through tactics that also include hacking for profit, forced labor of its nationals in Chinese factories, tobacco smuggling and false identities for cargo ships. The U.S. federal government is stepping up efforts to stamp out North Korean remote IT workers, which it has said generate hundreds of millions of dollars annually (see: US Sanctions North Korean Remote IT Worker Front Companies).

ChatGPT Crawler Bug Permitted DDoS Attacks

OpenAI ChatGPT crawlers were a potential cause of distributed denial of service attacks, a security researcher wrote, a finding that spurred OpenAI into disabling an application programming interface.

Benjamin Flesch, in a write-up he posted earlier this month, said a network-based, low-complexity bug in the crawler required no privileged access or user interaction for exploitation.

Flesch said repeated attempts to contact OpenAI and large language model infrastructure provider Microsoft resulted in silence. In a Wednesday update, he said OpenAI disabled the vulnerable API endpoint, meaning that the proof-of-concept code no longer works.

The researcher discovered that attackers could manipulate OpenAI’s API to trigger the ChatGPT crawler into sending excessive requests to a target website. By submitting a list of URLs via a simple HTTP request, the API sent multiple requests for each URL. The system didn’t de-duplicate URLs that point to the same domain, allowing attackers to overwhelm a single website.

This flaw allowed a single request to multiply into thousands of requests per second, originating from various IP addresses. Firewalls would struggle to stem the flow of such distributed traffic because even if a firewall blocked one request, the crawler would continue sending more requests from different IP addresses.
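The missing control the write-up describes, shown as an added Python example (this is not OpenAI's code and not Flesch's proof of concept): a URL-fetching endpoint that canonicalises each submitted URL, drops duplicates, and caps how many fetches any single host can receive from one request. The cap values, hostnames and URLs below are assumptions constructed for the example.

```python
"""Per-host caps for a URL-fetch endpoint (added example; not OpenAI's code)."""
from collections import defaultdict
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumed policy values for the example; a real service would tune these.
MAX_PER_HOST = 2   # fetches any single host may receive from one request
MAX_TOTAL = 20     # fetches one request may trigger in total
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url: str) -> Optional[str]:
    """Canonicalise a URL so trivial variants collapse to one key.

    Lower-cases scheme and host, drops a default port, supplies '/' for an
    empty path and strips the fragment (it never reaches the server).
    Returns None for anything that is not a well-formed http(s) URL.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def plan_fetches(urls: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split submitted URLs into those that will be fetched and those rejected.

    Rejections carry a reason so the caller can log them; the accepted list
    never contains two identical canonical URLs and never exceeds the caps.
    """
    seen = set()
    per_host = defaultdict(int)
    accepted, rejected = [], []
    for raw in urls:
        norm = normalize(raw)
        if norm is None:
            rejected.append((raw, "unsupported-or-malformed"))
            continue
        if norm in seen:
            rejected.append((raw, "duplicate"))
            continue
        host = urlsplit(norm).hostname
        if per_host[host] >= MAX_PER_HOST:
            rejected.append((raw, f"per-host-cap:{host}"))
            continue
        if len(accepted) >= MAX_TOTAL:
            rejected.append((raw, "total-cap"))
            continue
        seen.add(norm)
        per_host[host] += 1
        accepted.append(norm)
    return accepted, rejected


# Constructed sample input: several variants aimed at one host plus one other host.
SAMPLE_REQUEST = [
    "https://Example.com/page?x=1#top",
    "https://example.com:443/page?x=1",   # same resource as the first entry
    "https://example.com/page?x=2",
    "https://example.com/page?x=3",       # third distinct URL on the host: over the cap
    "ftp://example.com/file",             # not an http(s) URL
    "http://other.example/",
]

if __name__ == "__main__":
    ok, dropped = plan_fetches(SAMPLE_REQUEST)
    print("fetch:", ok)
    print("drop:", dropped)
```

Canonicalising before de-duplicating matters: a case difference, an explicit default port or a fragment would otherwise make the same resource count as a new URL. The per-host counter, rather than a whole-list limit, is what stops one request from concentrating its fetches on a single site.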

Chinese Hackers Hit South Korean VPN in Supply Chain Attack

Researchers uncovered a threat actor targeting South Korean VPN provider IPany in a supply chain attack. Researchers at Eset track the group as “PlushDaemon,” stating that the China-aligned group was previously undisclosed.

The threat actor deploys a custom backdoor dubbed “SlowStepper” for data collection and surveillance. Researchers discovered the attack in May 2024 after a malicious NSIS installer replaced the legitimate VPN software on IPany’s website.

PlushDaemon has been active since 2019 and typically hijacks software updates and exploits web server vulnerabilities. This attack targeted users who manually downloaded the compromised installer. Victims included a semiconductor company and a software firm in South Korea, with earlier infections traced to Japan and China.

The group operates globally, targeting entities in China, Taiwan, Hong Kong, South Korea, the U.S. and New Zealand.

Malicious PyPI Package Targets Discord Developers

Cybersecurity researchers spotted a malicious package named pycord-self on the Python Package Index. It targets Discord developers to steal authentication tokens and establish a backdoor for remote system control. This package mimics the legitimate discord.py-self and offers similar functionalities.

Researchers from Socket found that the malicious package was uploaded in June 2024 and downloaded 885 times. It contains code designed to exfiltrate Discord authentication tokens, allowing attackers to hijack accounts without needing credentials, bypassing two-factor authentication.

Pycord-self additionally sets up a backdoor by maintaining a persistent connection to a remote server through port 6969. This backdoor can launch a shell on the victim’s system, providing continuous access while remaining undetected.

Security Flaws in Tunneling Protocols Expose Millions of Hosts

Research from Top10VPN uncovered critical vulnerabilities in multiple tunneling protocols, potentially exposing 4.2 million internet hosts to cyberattacks. Vulnerable devices include VPN servers, ISP home routers, core internet routers and content delivery network nodes.

The vulnerabilities stem from protocols including IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4, which fail to authenticate and encrypt traffic adequately. This lack of security allows attackers to hijack these hosts for anonymous attacks and access private networks.

Exploitation of these flaws can enable adversaries to create one-way proxies and spoof source IP addresses, facilitating denial-of-service attacks and unauthorized network access.
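An added Python example, not code from the Top10VPN research: the report's point is that these encapsulation protocols carry no sender authentication, so the practical edge control is to accept IPIP, 6in4, 4in6 and GRE only from configured tunnel peers and alert on everything else. The script parses the outer IPv4 or IPv6 header, identifies the encapsulation from the protocol or next-header number, and reports encapsulated packets whose outer source is not a known peer. The packets and the peer addresses are constructed for the example.

```python
"""Flagging unsolicited tunnel encapsulation at a network edge (added example)."""
import ipaddress
import struct
from typing import Iterable, List, Optional, Tuple

# IP protocol / next-header numbers that mean "another packet is inside".
# Which tunnel they denote depends on the outer IP version.
TUNNEL_KINDS = {
    (4, 4): "IPIP", (6, 4): "4in6",
    (4, 41): "6in4", (6, 41): "IP6IP6",
    (4, 47): "GRE", (6, 47): "GRE6",
}


def parse_outer(pkt: bytes):
    """Return (ip_version, protocol, src, dst) from an outer IPv4 or IPv6 header."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("truncated or malformed IPv4 header")
        return (4, pkt[9], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]))
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        return (6, pkt[6], ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]))
    raise ValueError(f"unsupported IP version {version}")


def classify(pkt: bytes, allowed_peers) -> Tuple[Optional[str], str, str]:
    """Return (tunnel_kind, verdict, outer_src).

    verdict is 'not-tunnel', 'tunnel-from-peer' or 'unsolicited-tunnel'.
    Only the outer source is checked here; a real deployment would also
    pin the expected outer destination for each peer.
    """
    version, proto, src, _dst = parse_outer(pkt)
    kind = TUNNEL_KINDS.get((version, proto))
    if kind is None:
        return None, "not-tunnel", str(src)
    if src in allowed_peers:
        return kind, "tunnel-from-peer", str(src)
    return kind, "unsolicited-tunnel", str(src)


def audit(packets: Iterable[bytes], allowed_peers) -> List[Tuple[str, str]]:
    """Return (kind, outer_src) for every packet that is an unsolicited encapsulation."""
    alerts = []
    for pkt in packets:
        kind, verdict, src = classify(pkt, allowed_peers)
        if verdict == "unsolicited-tunnel":
            alerts.append((kind, src))
    return alerts


# --- constructed test data: minimal outer headers, no inner packet, zero checksum ---
def ipv4_header(proto: int, src: str, dst: str) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(next_header: int, src: str, dst: str) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


# Assumed tunnel peers (documentation-range addresses).
ALLOWED_PEERS = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("2001:db8::10")}

SAMPLE_PACKETS = [
    ipv4_header(6, "198.51.100.5", "192.0.2.1"),     # plain TCP: not a tunnel
    ipv4_header(4, "203.0.113.10", "192.0.2.1"),     # IPIP from a configured peer
    ipv4_header(47, "198.51.100.7", "192.0.2.1"),    # GRE from an unknown source
    ipv6_header(4, "2001:db8::bad", "2001:db8::1"),  # 4in6 from an unknown source
    ipv4_header(41, "203.0.113.10", "192.0.2.1"),    # 6in4 from a configured peer
]

if __name__ == "__main__":
    for kind, src in audit(SAMPLE_PACKETS, ALLOWED_PEERS):
        print(f"ALERT unsolicited {kind} encapsulation from {src}")
```

The same source-pinning logic is what a firewall rule expresses when it permits protocol 4, 41 or 47 only from named peer addresses; because the outer source is trivially spoofable, the allowlist reduces exposure but is not a substitute for an authenticated tunnel such as IPsec or WireGuard.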

Star Blizzard Shifts Tactics to Target WhatsApp Accounts

A Russian nation-state group tracked by Microsoft as Star Blizzard launched a spear-phishing campaign aimed at compromising WhatsApp accounts, a shift in its tactics following a law enforcement takedown of its infrastructure. Microsoft Threat Intelligence reported that the campaign began in mid-November 2024, focusing on individuals in government and policy roles related to international relations and Russia.

Star Blizzard “is almost certainly subordinate” to a section of the Federal Security Service known as Centre 18, the Five Eyes intelligence alliance warned in December 2018. Alliance members include Australia, Canada, New Zealand, the United Kingdom and the United States (see: UK and US Accuse Russian FSB of ‘Hack and Leak’ Operation).

The Russian threat actor’s change in strategy comes after Microsoft, in coordination with the U.S. government, dismantled in October 2024 more than 180 websites associated with Star Blizzard. The group, also known as Coldriver and Callisto Group, typically engages in credential phishing against high-profile targets, including NGOs and military officials.

In the latest campaign, Star Blizzard impersonated a U.S. government official in emails sent to targets, inviting them to join a WhatsApp group purportedly focused on supporting Ukraine NGOs. The email contained a broken QR code designed to elicit a response from the recipient. Victims received a second email with a shortened link leading to a webpage that prompted them to scan another QR code. This code linked their WhatsApp account to an attacker-controlled device, allowing access to their messages.

Former BreachForums Admin Faces Resentencing

A federal appeals court on Tuesday ordered a federal judge to impose a stiffer sentence on Conor Brian Fitzpatrick, the twentysomething who pleaded guilty in July 2023 to trafficking stolen personal information while running the BreachForums criminal forum from March 2022 to March 2023 (see: How BreachForums’ ‘Pompompurin’ Led the FBI to His Home).

Fitzpatrick, who went by the alias “Pompompurin,” also pleaded guilty to possession of child pornography. U.S. District Court for the Eastern District of Virginia Judge Leonie M. Brinkema in January 2024 imposed a sentence of time served and 20 years of supervised release. The time served was 17 days spent in jail after Fitzpatrick violated pre-sentencing conditions for release by secretly downloading a VPN onto an iPhone to participate in Discord chatrooms.

Federal sentencing guidelines hold that Fitzpatrick should spend 188 months to 235 months in prison. A unanimous ruling by a three-judge panel of the U.S. Court of Appeals for the Fourth Circuit stated the light sentence was “substantively unreasonable.” The panel said Brinkema focused too much on Fitzpatrick’s personal characteristics – he received a diagnosis of autism spectrum disorder – and not enough on the other purposes of sentencing such as punishment, deterrence and incapacitation.

“Fitzpatrick created and operated the largest ever English-language online marketplace for buying and selling stolen personal data, which featured over 14 billion individual records of millions of persons. Moreover, many persons were injured by this conduct. Fitzpatrick also downloaded at least 600 images of child pornography and viewed prepubescent girls engaging in sexual acts … Not only did Fitzpatrick commit serious offenses but he also showed a lack of remorse, joking about committing additional crimes even after entering a guilty plea,” Judge Paul Niemeyer wrote in the ruling.

Silk Road Founder News Used to Spread Malware via Telegram

News of the owner and operator of the Silk Road dark web marketplace Ross Ulbricht being pardoned by President Donald Trump this week has given threat actors a new tactic to lure in victims. Bad actors are using fake but verified Ross Ulbricht accounts on X, formerly Twitter, to lure users into joining malicious Telegram channels disguised as official portals. Once on Telegram, users are prompted to complete a fake identity verification process called “Safeguard.” This process culminates in a Telegram mini-app displaying a fake CAPTCHA verification dialog that automatically copies a PowerShell command to the user’s clipboard.

Victims are then instructed to paste and execute this command in their Windows Run dialog. Doing so downloads a PowerShell script that retrieves additional malware, including a ZIP file containing “identity-helper.exe,” suspected to be a Cobalt Strike loader. Cobalt Strike is a penetration testing tool often misused by attackers for remote access and as a precursor to ransomware attacks.

Researchers at vx-underground uncovered the new variation of the increasingly popular “ClickFix” tactic used by cybercriminals to distribute malware.

With reporting from Information Security Media Group’s Rashmi Ramesh in Bengaluru, India, and David Perera in Washington, D.C.