The dreadful 10: Palo Alto’s vuln earns perfect CVSS score

This week, we’ll cover a critical Palo Alto vulnerability, news in the botnet world, and updates on previous stories:

• Palo Alto vulnerability scores a perfect 10
• Botnet developer arrested
• UCSF pays up on ransom
• Emerald Magpie rakes in the cash

Palo Alto scores a perfect 10 on CVSS

Palo Alto Networks has disclosed CVE-2020-2021, a critical vulnerability within the operating system (PAN-OS) of its next-generation firewalls, that could allow network-based attackers to bypass authentication.

According to the company’s security advisory, the vulnerability exists when Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled, or unchecked.

“Improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources,” the security advisory states.

The vulnerability has been rated with the highest possible CVSS 3.x rating of 10.

Affected PAN-OS versions include version 9.1 (before 9.1.3), 9.0 (before 9.0.9), 8.1 (before 8.1.15), and 8.0, except for version 7.1, which is unaffected.

The company also states, “For GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies.”

They advise impacted customers to examine the authentication logs, User-ID logs, ACC Network Activity Source/Destination Regions (leveraging the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect Logs (PAN-OS 9.1.0 and above) for signs of compromise before applying mitigation measures. Any unusual usernames or source IP addresses found in these logs and reports are indicators of a compromise.

Regarding mitigation, they advise users to make sure that the ‘Identity Provider Certificate’ is configured, and if the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the Validate Identity Provider Certificate option is enabled in the SAML Identity Provider Server Profile.

U.S. CYBERCOM tweeted the advisory with a recommendation to prioritize patching, as “Foreign APTs will likely attempt exploit soon.”

Tsunami author, Nexus, locked up

In February of 2019, Perch researchers published a report on an emerging variant of the Mirai botnet, Cayosin, with access being sold on Instagram. In the follow-up report, Cayosin operators were linked to Tsunami/Kaiten.

On June 30, 2020, Kenneth Currin Schuchman, aka “Nexus” and “Nexus-Zeta,” the co-developer of the Satori botnet, was sentenced to 13 months in prison for his role in creating the distributed denial-of-service (DDoS) botnet. Schuchman was sentenced by Chief US District Judge Timothy M. Burgess after pleading guilty in violation of the Computer Fraud and Abuse Act.

As part of his sentence, Schuchman, a 22-year-old resident of Vancouver, Washington, was ordered to serve 18 months of community confinement after his release from prison.

The Satori botnet is the successor of the Mirai botnet. Evidence detailed that Schuchman had been engaged in botnet activity since August 2017, which resulted in the compromise of hundreds of thousands of devices globally.

It is believed that Schuchman worked with at least two other criminal co-conspirators, known as “Vamp” and “Drake,” to add additional features to the Satori botnet over the years to make it more complex and effective.

These successor botnets were identified as “Okiru,” “Masuta,” and “Tsunami/Fbot.” The primary goal of these botnets was to sell access to paying customers to generate profit.

NetWalker gets 1.14m scholarship from UCSF

Recently, the Perch research team covered news of several university ransomware attacks, including the University of California San Francisco. News of the breaches first spread on Twitter via the Ransom Leaks account.

Since the breach became public, UCSF confirmed that they had paid the ransom demand after having suffered the ransomware attack on June 1, 2020.

UCSF stated that the encrypted data was very important to some of the academic works. Therefore, they decided to pay the $1.14 million ransom demand in exchange for a decryption tool. In addition to decryption, payment prevented NetWalker ransomware operators from leaking data stolen in the attack.

UCSF claims that they’ve been working with a leading cybersecurity consultant to further investigate the issue and to reinforce their security posture.

In related education security news, New Mexico State University (NMSU) Foundation, Inc. suffered a cyber-attack. Word on the street is that it’s ransomware. I’m willing to bet one whole dollar it was NetWalker.

According to NMSU officials, all devices were disconnected from the network as soon as they noticed suspicious network activity last week. The NMSU Foundation includes the Office of Alumni Relations and the Office of University Advancement.

NMSU officials stated that the foundation’s network is separate from the university’s network.

Emerald Magpie cawing all the way to the bank

On June 23, 2020, researchers released an analysis of recent activities of Emerald Magpie, a threat actor Perch has been tracking since 2018. Group-IB examined Emerald Magpie’s (aka Fxmsp) underground marketplace activity where they advertise their business, estimating the threat actor breached the networks of at least 135 companies across 44 countries.

Emerald Magpie became widely known after they attempted to close a $300,000 deal for selling access to the networks of antivirus companies, such as Symantec, Trend Micro, and McAfee.

According to the report, the threat actor gained initial access to these systems by scanning IP addresses for open RDP ports (3389). From there, they brute-forced the RDP password, disabled the antivirus and firewall, and created additional accounts.

After that, they installed the Meterpreter backdoor onto the exposed servers to harvest and decrypt hashed password dumps from all accounts and then install backdoors on backups to achieve persistence.

Since 2017, Emerald Magpie has compromised corporate and government networks throughout the world, which have been offered for sale for amounts ranging from a few hundred dollars to over a hundred thousand dollars.

Some of the group’s targets include luxury hotel chains, the Government of Dubai, the Army of Sri Lanka, and the Ministry of Finance of Ghana.

The researchers also claimed that in the past three years of activity, Emerald Magpie made at least $1.5 million from selling network access.

For a threat actor profile on Emerald Magpie, check out Perch’s 2020 MSP Threat Report.

That’s all for this short week, folks. Keep it Perchy!

• Paul

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: ENRAGED DUCK threatens MSPs with CVE-2020-14159