Notices by Not a Goat 🦝 (screaminggoat@infosec.exchange)

Palo Alto Networks PAN-SA-2025-0003 Informational: PAN-OS BIOS and Bootloader Security Bulletin
See parent toot above. Palo Alto Networks is in damage control mode, after Eclypsium reported that their Next Generation Firewall (NGFW) products were still impacted by multiple known vulnerabilities.

Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls.
Palo Alto Networks is not aware of any malicious exploitation of these issues in our products. We are aware of a blog post discussing these issues.

#paloaltonetworks #panw #vulnerability #cve #infosec #cybersecurity #eclypsium

Eclysium: PANdora's Box: Vulnerabilities Found in NGFW
Eclysium evaluated three Palo Alto Networks appliances, finding known vulnerabilities ranging from "Boothole" (buffer overflow to RCE) and secure boot bypass to LogoFail, PixieFail, leaked keys bypass, etc. Elypsium provides a timeline with the most recent update requesting that they wait for a patch before going public with the details, but no estimated time of patch release.

#paloaltonetworks #panos #pixiefail #logofail #boothole #secureboot #panw #infosec #vulnerability #cve #cybersecurity

SonicWall exploited zero-day: SMA1000 Pre-Authentication Remote Command Execution Vulnerability
CVE-2025-23006 (9.8 critical) Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.

IMPORTANT: SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors

cc: @goatyell @cR0w @GossiTheDog @briankrebs

#zeroday #CVE_2025_23006 #sonicwall #vulnerability #CVE #infosec #cybersecurity #eitw #activeexploitation

@da_667 Federal agencies and state governments legitimize Twitter by continuing to post important information to the platform. This includes cybersecurity companies like Microsoft Threat Intelligence who sometimes post exclusive CTI to their accounts. It's shameful and is a step back for society.

WIRED: Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants
U.S. telecommunication company AT&T disclosed a data breach in July (presumably 2024) that exposed call and text messaging logs from six months in 2022... of almost all 100,000,000+ customers. This includes FBI special agents' interactions with sources connected to investigations (confidential informants, etc.) and has far reaching impacts.

WIRED reported in July that after the hackers attempted to extort AT&T, the company paid $370,000 in an attempt to have the data trove deleted. In December, US investigators charged and arrested a suspect who reportedly was behind the entity that threatened to leak the stolen data.

#fbi #att #extortion #cybercrime #news

Trend Micro: Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR
Trend Micro provides a case study of a security incident where an attacker’s webshell sent to an unrestricted IIS worker led to the customer's server compromise and multiple payloads being deployed, and payment information being exfiltrated. Indicators of compromise are provided.

#threatintel #ioc #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI

@reverseics I didn't get one :blobsad: @cR0w

@cR0w @catsalad @reverseics I found it in my notifications within the past 1 day. I was worried that I'd have to scroll back to the 31 December 2024 timeframe of notifications.

#Wrapstodon

CISA: Microsoft Expanded Cloud Logs Implementation Playbook
CISA released a 60 page Microsoft Expanded Cloud Logs Implementation Playbook (PDF) to help organizations get the most out of Microsoft’s newly introduced logs in Microsoft Purview Audit (Standard). This step-by-step guide enables technical personnel to better detect and defend against advanced intrusion techniques by operationalizing expanded cloud logs.

#microsoft #cisa #securitybestpractice #cloudsecurity #infosec #cybersecurity

Note that Fortinet's security advisory has Indicators of Compromise, of which 3 out of 5 IP addresses overlap with Arctic Wolf reporting from 10 January 2025: Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls.

While its use in a ransomware campaign hasn't been confirmed by Arctic Wolf, @GossiTheDog notes exploitation by a ransomware operator:

they have a copy of an exploit and are using it for initial access and handing off for lateral movement.

#CVE_2024_55591 #threatintel #ioc #fortinet #FortiProxy #fortios #zeroday #vulnerability #infosec #cybersecurity #cybersecurity #eitw #activeexploitation #cisakev #kev #cti #cyberthreatintelligence #infosec

U.S. Department of State: Joint Statement on Cryptocurrency Thefts by the Democratic People’s Republic of Korea and Public-Private Collaboration
A joint statement released by the United States of America, Japan, and the Republic of Korea blamed the Democratic People’s Republic of Korea (DPRK) for at least $659.13 million (USD) in cryptocurrency. DPRK-affiliated APTs like the Lazarus group continue to conduct numerous cybercrime campaigns to steal cryptocurrency and targeting exchanges, digital asset custodians, and individual users.

#northkorea #cybercrime #crypto #infosec #cybersecurity #cyberthreatintelligence #CTI #lazarus #japan #korea

@CyberLeech @GossiTheDog if you're referring to the URL you mentioned the other day, it's available and does not explicitly mention exploitation 🤔 https://www.fortiguard.com/psirt/FG-IR-24-266

Happy #ZeroDay from your friends at Fortinet: Authentication bypass in Node.js websocket module
CVE-2024-55591 (CVSSv3.1: 9.8 critical) An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Please note that reports show this is being exploited in the wild.

Indicators of compromise include possible log entries, IP addresses used, and admin accounts created. cc: @GossiTheDog @wdormann @cR0w @briankrebs

#zeroday #patchtuesday #fortinet #vulnerability #CVE_2024_55591 #infosec #ioc #threatintel #infosec #cybersecurity #

@cR0w CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

It's pretty self explanatory ¯\_(ツ)_/¯

@cR0w all else fails I could just point at a random toot https://cyberplace.social/@GossiTheDog/113687025051706838

@cR0w we could be talking about a different eitw. Fortinet tomorrow kthx

@cR0w LOLBin

@GossiTheDog ??? You're missing one: CVE-2020-2883 (9.8 critical) Oracle WebLogic Server Unspecified Vulnerability

https://www.cisa.gov/news-events/alerts/2025/01/07/cisa-adds-three-known-exploited-vulnerabilities-catalog

@ryanc does it have floor arrows that you can secretly add more of to create an endless loop and drive customers into despair?

@Sempf

our own @GossiTheDog