Can’t find my thread to update it, but after a Chinese company acquired Polyfill.io last year (embedded in over 100k websites), it has started serving malware to users of said websites - prepare to be surprised.
Good find by Elastic - possibly North Korean-based threat actors using an unfixed bug in Windows to execute code, undetected across all vendors until that point (and as of writing only Elastic still detects it)
CERT-EU warns of an exploited zero-day for Palo Alto Networks: CVE-2024-3400 (10.0 critical, disclosed 12 April 2024) command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software. Affected versions are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. This zero-day is NOT patched yet, and hotfix releases will be made available starting 14 April 2024. 🔗 https://cert.europa.eu/publications/security-advisories/2024-037/ and original Palo Alto Networks security advisory: https://security.paloaltonetworks.com/CVE-2024-3400
Just to make it easier to read through the various reports (saying almost the same exact thing), I've assembled a Palo Alto Networks zero-day MEGA list:
It should come as no surprise that Palo Alto Networks did not release hotfixes* for affected versions of PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11 by the self-imposed deadline of Sunday 14 April 2024 like they estimated in their security advisory. 48 hours to develop/test/release is a tight delivery window with the whole infosec community breathing down their necks.
Ransomhub #ransomware group are claiming AlphV stole their money for Change Healthcare (this is believed to be true btw), and the operator has given them the data. So now they’re extorting Change Healthcare again. #threatintel
Change Healthcare didn’t use MFA on Citrix Netscaler. It was a bog standard ransomware incident.
One learning for the industry btw - I saw loads of threat intel channels circulating incorrect info about the incident. That’s fine, but some (e.g. the health info sharing authorities) reshared this wrong info.
The CEO of UnitedHealth is due to give testimony in Washington on their Change Healthcare ransomware incident tomorrow, where he will say “Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”
That sounds impressive, but if you own a Windows PC at home, you’re doing the same thing - it’s called the built-in firewall.
Not having MFA on Citrix Netscaler is also called negligence.
Werewolves Group are a ransomware group who attack primarily Russian organisations, although they target orgs across Europe in total. They've been operating under the radar for a few months.
There are many ransomware operators who aren't in Russia and aren't being tracked properly, so I imagine the odds are the problem is going to keep spiralling into other regions. Shout out to Kazakhstan.
Russia is very very exposed in terms of cybersecurity and resiliency, as attacking local orgs there will get the local feds to bash your door in, so ransomware groups have left it untested. #threatintel