A critical vulnerability in internet-facing Palo Alto PAN-OS powered devices has been identified, posing a substantial security threat. This command injection flaw is severe due to its simplicity in exploitation, making it an attractive target for malicious actors. As a result, numerous incidents are anticipated as more parties attempt to exploit these exposed devices.
The Incident Response (IR) team is already proactively working to determine if PAN-OS powered devices have been compromised.
Customers should perform an urgent compromise assessment of these devices, and any device found to be compromised should be taken offline.
The ransomware gang known as Snatch claimed to have successfully compromised several members of the British royal family. Initially announced on one of its clear-web sites on April 10, the gang updated its hack announcement on April 15 and again on April 16. The post disclosed the names of 25 royal family members, including King Charles III, Queen Camilla, and the Prince and Princess of Wales, and shared a link to a downloadable 32-kilobyte file named Royals.zip.
Snatch had been releasing this kind of data in individual posts throughout March, interspersed with security advice and commentary on its own actions. The group has also delved into the private lives of other global figures, including French President Emmanuel Macron.
While the Royal Household acknowledges the claim and has liaised with the UK's National Cyber Security Centre, no disturbances have been reported. Snatch’s activities, origin, and motivations remain shrouded in mystery.
The recent shift towards a hacktivism model, as detailed in a manifesto published in January 2024, suggests a deeper ideological drive behind their operations. This new approach involves exposing personal data of corporate presidents and governmental officials, reflecting Snatch's belief that if personal data breaches are trivial to governments, they should equally be unconcerned about their own data exposure.
The Cabinet Office has secured a substantial contract to manage the triage of numerous vulnerabilities found annually on government websites by cyber experts. Previously piloted by the National Cyber Security Centre within GCHQ, the Vulnerability Reporting Service (VRS) will now be overseen by the Government Security Group as part of the new Government Cyber Coordination Centre (GC3) at Whitehall. This transition aligns with the strategies outlined in the 2022 Government Cyber Security Strategy, aiming to centralise vulnerability disclosures.
The VRS serves as an online platform where cyber researchers can report security weaknesses they discover within government operations. In 2022 alone, the VRS successfully processed 989 valid vulnerability reports, leading to the remediation of 440 vulnerabilities across 237 UK government organisations. Notably, about 80% of these vulnerabilities were classified as "critical" or "high" severity.
Supply chain attack against Cisco Duo MFA
Phone numbers and other sensitive data from users of Cisco Duo's identity authentication service have been compromised following a breach at a third-party telephony supplier. Cisco Duo, known for providing robust multi-factor authentication (MFA) and single sign-on (SSO) solutions, has more than 100,000 customers engaging in over a billion authentication requests monthly. The incident, disclosed by Cisco's data privacy and incident response team, occurred after a threat actor accessed the third-party provider's systems on April 1. This breach was facilitated by a phishing attack against one of the provider's employees.
The attacker was able to download logs containing details of SMS messages sent during March, including phone numbers, carriers, and geographic metadata, although no message content was exposed. Despite no evidence of misuse of the data so far, the breach provided the hackers with potential targets for spear phishing or SIM swapping attacks. Roger Grimes of KnowBe4 highlighted the risks of such exposures and critiqued the general lack of adequate investment by companies in combating social engineering and phishing, which represent the majority of successful cyberattacks.
This is one of the biggest MFA providers outside of Microsoft Authentication, so seeing a supply chain attack against it is concerning.
Cybercriminals Target Telecom Employees in SIM Swap Scams, Offering Cash for Insider Help
Cybercriminals are reportedly leveraging stolen employee records from telephone companies to recruit insiders for illegal SIM swapping schemes, offering quick cash for their cooperation. In a revealing Reddit thread, employees from T-Mobile and Verizon shared experiences of receiving unsolicited text messages prompting them to engage in these scams. One text, as posted in a screenshot, directly referenced the T-Mobile employee directory, offering up to $300 per SIM swap.
SIM swapping, or simjacking, involves cybercriminals manipulating phone carrier staff to transfer a victim's phone number to a SIM card under their control, bypassing multi-factor authentication to gain account access. While social engineering is commonly used, bribing insiders proves more efficient.
Both T-Mobile and Verizon have previously experienced breaches that could have exposed employee data. However, T-Mobile stated there was no recent systems breach, suggesting the data might be outdated. The frequency of such texts points to a concerted effort to exploit telecommunications staff, with serious legal ramifications for those who participate. New FCC regulations and T-Mobile’s "SIM Protection" service are steps toward combating this growing threat.
Attacks using SIM cards are rising. Illegally cloned SIM cards are being used in all manner of attacks, given how heavily SMS is still relied upon for authentication.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Integrity360's flagship conference Security First comes to Stockholm in 2023!
Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.