Palo Alto’s Security Ironies: Leading in Security, Falling to Breaches

Introduction

Palo Alto Networks is synonymous with secure remote access and robust firewall protection. Yet, its reputation has taken a hit with vulnerabilities like CVE-2024-0012 and CVE-2024-9474, exploited in live attacks.

Consider the context of past incidents, such as the Terrapin SSH attack and the CVE-2024-3400 backdoor, and a clear pattern begins to surface: even industry leaders are not immune to vulnerabilities. Most notably, Palo Alto now recommends disabling remote management- a feature once touted as integral to its secure access promise- underscoring the irony of the situation.

CVE-2024-0012 and CVE-2024-9474: What Happened?

The two November 2024 vulnerabilities marked significant challenges for Palo Alto’s PAN-OS:

  1. CVE-2024-0012: An authentication bypass allowing attackers to gain admin privileges without credentials. This vulnerability facilitated tampering, privilege escalation, and unauthorized system control.
  2. CVE-2024-9474: A privilege escalation flaw letting attackers execute commands as root via compromised administrator accounts.

Together, these flaws compromised over 2,000 firewalls worldwide. Attackers exploited them through anonymous VPN traffic, deploying malware, and embedding persistent backdoors. While patches were quickly rolled out, the damage revealed how even small cracks in security can become massive breaches.

Timeline of CVE-2024-0012

  • November 8, 2024: Palo Alto warned customers to secure management interfaces.
  • November 18, 2024: The CVE was disclosed, and mitigation advice was issued.
  • November 20-24, 2024: Severity updates and proof-of-concept exploits surfaced.
  • November 25, 2024: Thousands of devices reported as compromised.

History of Palo Alto Security Breaches

Palo Alto’s track record reveals recurring challenges with its flagship products:

  • April 2024: CVE-2024-3400 exploited in state-sponsored attacks to install the Upstyle backdoor, stealing sensitive data via advanced techniques.
  • March 2023: The Terrapin SSH attack downgraded encryption in PAN-OS, exposing admin credentials during login sessions.
  • Past Exploits: Frequent issues in configuration tools, such as the Expedition flaw, underscore the need for secure defaults and best practices.

The Irony of Secure Remote Access

Palo Alto Networks, a leader in secure remote access, now finds itself in an ironic position. In response to CVE-2024-0012, the company recommends disabling remote management on its devices- a core feature of its promise to secure remote administration. This unexpected shift not only challenges trust in the brand but also compels enterprises to re-evaluate their security strategies and reliance on such tools.

Mitigation Recommendations

Palo Alto offers clear steps to secure its products:

  • Restrict Access: Lock down management interfaces to trusted IPs, or route them through secure jump boxes.
  • Patch Promptly: Apply updates addressing CVE-2024-0012, CVE-2024-9474, and other identified flaws.
  • Monitor Vigilantly: Use real-time monitoring to detect and prevent unauthorized access attempts.
  • Adopt Best Practices: Follow Palo Alto’s administrative access guidelines, including disabling vulnerable protocols and enforcing least privilege principles.

Conclusion


The vulnerabilities and breaches at Palo Alto Networks highlight a stark truth: even the guardians of secure remote access are not immune to their own promises being challenged. For organizations, the takeaway is clear: constant vigilance, multi-layered defenses, and the agility to respond are essential. Palo Alto’s challenges reflect broader industry struggles and underline the delicate balance between innovation and trust.

Read Also

Unveiling Terrapin: A New Threat to SSH Security

BeyondTrust Breach: A Wake-Up Call for Cybersecurity

Introduction

Imagine this: An organization that promises to protect your passwords and block unauthorized access falls victim to the very attack it aims to prevent. That’s exactly what happened to BeyondTrust, one of the well-known companies in the privileged access management space, when attackers targeted their Remote Support SaaS instances earlier this month. The breach exposed a serious vulnerability CVE-2024-12356 that allows attackers to execute commands remotely. Though BeyondTrust responded with swift patching of the problem, the incident leaves several tough questions regarding the exploitations that can even take place against the best of defenses.

What Went Wrong in the BeyondTrust Breach?

On December 2, 2024, BeyondTrust noticed something unusual: attackers had seized an API key for their Remote Support SaaS. This gave them the power to reset application passwords and gain unauthorized access.

As they investigated, BeyondTrust uncovered two vulnerabilities:

  • CVE-2024-12356: A critical flaw that scored 9.8 out of 10 in severity and lets attackers inject commands remotely.
  • CVE-2024-12686: A medium-severity bug that allows attackers with admin privileges to upload malicious files.

What’s worse, CVE-2024-12356 wasn’t just a hypothetical risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that attackers were already exploiting it in the wild.

The Irony

It’s hard to ignore the irony. BeyondTrust promised to protect against attacks like remote code execution and password theft, but attackers breached its defenses.

This isn’t the first time BeyondTrust has faced such a challenge. Last year, the company confirmed they were targeted after the Okta breach, underscoring how interconnected cybersecurity threats have become.

This is not BeyondTrust’s story alone but a stark reminder that no company, not even cybersecurity experts, is perfectly immune to attacks.

Why It Matters for Businesses

Thousands of organizations in healthcare, retail, and banking use BeyondTrust’s tools. A breach like this doesn’t just affect the company; it ripples out, impacting businesses that rely on their tools.

Here’s why this should matter to you:

  • Eroded Trust: Clients might start questioning the reliability of their systems.
  • Raising Risk: Exploited vulnerabilities can lead to data theft, operational issues, or worse.
  • Supply Chain Woes: If a key vendor is breached, one asks themselves how secure third-party software really is.

What You Can Do to Protect Your Business

Whether or not you use BeyondTrust’s products, it is a good time to take stock of your security practices. Here’s what you can do right now:

  1. Patch Your Systems: Update to the latest versions of BeyondTrust’s PRA and RS software.
  2. Check for Signs of Trouble: Review logs for unusual activity linked to API keys.
  3. Limit Your Exposure: Disable any unnecessary features and limit your access to the internet.
  4. Be Alerted: Monitor updates from BeyondTrust and cybersecurity agencies such as CISA.

Conclusion

The BeyondTrust breach is a reality check for everyone. Even the most trusted cybersecurity companies can get caught in the crossfire. It’s a reminder that no system is invincible and that vigilance is non-negotiable.

This means that organizations go beyond trust—pun intended—and actively work toward making their defenses stronger. They should update early, monitor their systems, and never assume they are safe. In today’s evolving world of cyber threats, one can only protect what matters most by staying a step ahead.

Disney Leaves Slack: A Strategic Retreat

Walt Disney Co. is transitioning away from Slack after a serious data breach. The breach, which occurred in July 2024, compromised more than 1.1 terabytes of confidential data. This incident included 44 million messages and inside information about various projects at Slack. According to a news article in The Wall Street Journal, Disney has decided to shift to new corporate-wide communication software before the end of its fiscal year.

Why Disney Is Getting Off Slack

The NullBulge hack led Disney to move away from Slack. Hackers accessed thousands of internal channels, exposing unreleased projects, login credentials, and sensitive corporate data. This breach highlighted Slack’s vulnerability, especially due to weak employee security practices like not using robust authentication.

Disney’s decision isn’t just a reaction to the breach but a preventive step to reduce reliance on a platform that became a weak link in its cybersecurity. By switching to streamlined collaboration tools, Disney aims for platforms that offer tighter security and better integration with its IT systems.

History of Breaches at Disney

This is not the first time that the House of Mouse has faced a breach. In July 2024, Disney suffered a breach that exposed over 1.1TB of sensitive data, including 44 million messages, 18,800 spreadsheets, and internal project details. Several months ago in early June 2024, hackers targeted the Club Penguin Confluence server and led to leaking of 2.5 GB of data and information related to the company’s legacy operations.

Mitigation and Prevention: Enhancing Your Security Position

To prevent future incidents, companies like Disney harden up their security approach. One of these approaches involves using zero-trust products, where all actions are considered to be malicious unless proved otherwise and authenticated. The shift away from Slack for Disney should be used as an opportunity to have stronger encryption and more secure, decentralised methods of communication in a place.

Despite the risks, companies often prioritise familiar tools like Slack for their ease of use. Employees enjoy the convenience of SSO and real-time communication. However, this same ease of use can make these platforms vulnerable to attacks, as Disney’s breach demonstrated. Companies often avoid stricter security measures, such as multi-factor authentication (MFA), due to perceived inconvenience. This balance between convenience and security is where many organizations falter.


PureAUTH on the other hand, offers one-click access through passwordless authentication, which is friendly and secure.

Conclusion : One Move Toward Collaboration Over A Secure Platform

As Disney steps away from Slack, this highlights an emerging trend: companies must prioritise security in their collaboration tools. Convenience is awesome, but so is the robust security against emerging threats. PureAUTH balances convenience with the protection required to secure company data. If Disney had solutions like PureAUTH, then the breach might have been far less effective. As companies rethink their internal platforms for communication, the lesson is stark: security and usability are not mutually exclusive with PureAUTH. #gopasswordless

Read Also

Disney to ditch slack following July Data Breach

Fortinet Data Breach: Insights and Implications for Cloud Security

Introduction

Fortinet recently experienced a data breach with 440GB of stolen files. This incident underscores the critical importance of securing data in third-party cloud environments. In this blog, we dive into the details of the Fortinet breach, its implications, and why moving towards passwordless authentication is an essential step for enhancing security.

The Fortinet Breach: A Detailed Overview

Fortinet, renowned for its comprehensive cybersecurity solutions, has confirmed a significant data breach. The hacker, using the name “Fortibitch,” claimed to have exploited an Azure SharePoint vulnerability to steal 440GB of data in this breach, dubbed “Fortileak“.

Fortinet data breach: Fortibitch
Credit: Hackread.com

How the Breach Happened

According to reports, the breach involved unauthorised access to Fortinet’s Azure SharePoint instance. The hacker provided credentials to an Amazon S3 bucket where the stolen data was allegedly stored. The leaked data included customer information and various corporate documents.

Fortinet confirmed the breach involved less than 0.3% of its customer base, affecting a limited number of files. The company assured stakeholders that there was no evidence of malicious activity affecting its operations or services. No ransomware was deployed, and Fortinet’s corporate network remained secure.

The Response from Fortinet

Fortinet acted swiftly to mitigate the impact of the breach. The company engaged in immediate containment measures, including terminating the unauthorised access and notifying affected customers. They also worked with law enforcement and cybersecurity agencies to address the situation.

In their update, Fortinet emphasised that the breach did not involve data encryption or ransomware. The company’s operations and financial performance remain unaffected, with no significant impact reported.

Key Takeaways and Security Lessons

This incident highlights several critical lessons for organisations:

1. Secure Cloud Environments

The Fortinet breach underscores the need for robust security measures around cloud-based environments. Companies must properly configure their cloud storage solutions and actively protect them against unauthorized access.

2. Implement Strong Access Controls

Using multi factor authentication (MFA) is minimum, but given the MFA are also getting bypassed, more secure authentication like PureAUTH is highly recommended

3. Continuous Monitoring and Response

Proactive monitoring of cloud assets and rapid response to security incidents are essential for minimising the impact of breaches. Organisations should have incident response plans in place to handle such situations effectively.

Embracing Passwordless Authentication for Enhanced Security

As demonstrated by the Fortinet breach, traditional security measures, including passwords and MFA, are increasingly inadequate. The shift towards passwordless authentication offers a more secure and resilient alternative.

Passwordless authentication solutions like PureAuth provide a breach-resilient architecture by leveraging advanced cryptography and just-in-time access. This approach significantly reduces the risk of third-party breaches and enhances overall security. Key benefits include:

  • Breach Resilience: PureAuth’s architecture is designed to withstand breaches by eliminating the reliance on passwords and minimising attack vectors.
  • Flexible Security Measures: We work with you to design fallback and recovery mechanisms, ensuring uninterrupted access to enterprise resources.
  • Ongoing Support: Comprehensive breach support is available to address any issues that arise.
Fortinet data breach: Embracing passwordless authentication

Transitioning to passwordless authentication is no longer just a best practice but a necessity for enterprises aiming to protect critical assets. Passwords and traditional 2FA/MFA methods are becoming increasingly inefficient and insecure. Adopting a passwordless approach enhances security, simplifies access management, and aligns perfectly with modern cybersecurity needs.

Conclusion

The Fortinet data breach serves as a stark reminder of the evolving threats in the cybersecurity landscape. While Fortinet’s response has been commendable, organisations must take proactive steps to safeguard their data, especially in cloud environments. Moving towards passwordless authentication solutions like PureAuth offers a forward-thinking approach to security, addressing the limitations of traditional methods and providing a more resilient defence against breaches.

For enterprises looking to enhance their security posture, embracing passwordless authentication is not an option—it is a necessity. Ensure your organisation is equipped to handle the future of cybersecurity with advanced, breach-resilient solutions. #gopasswordless

SolarWinds New 0-Day: Serv-U Update

SolarWinds Serv-U, one of the leading multi-protocol file servers, reported a critical exploit marked as CVE-2024-28995. It allows unauthorised access to sensitive files. This path traversal flaw poses a significant security risk.

Credit: CyberInsider

What is CVE-2024-28995?

CVE-2024-28995 is a path traversal vulnerability in SolarWinds Serv-U. Attackers can exploit it remotely and without authentication. It allows an attacker to send specially crafted requests to the server, potentially accessing sensitive files and data from the underlying operating system. This could include user data, server logs, and other critical files​

Historical Context

SolarWinds Serv-U has been targeted before. In 2021, a zero-day vulnerability (CVE-2021-35211) was exploited by a group called Circle Typhoon. This historical precedent underscores the importance of patching vulnerabilities in managed file transfer solutions, which are prime targets for cyber criminals​.

Exploitation Details

Researchers have observed both automated and manual exploitation attempts. These began after the release of proof-of-concept (PoC) exploit details on June 18, 2024. GreyNoise reported seeing active exploitation in the wild. The PoC scripts made it relatively straightforward for attackers to leverage this vulnerability, prompting urgent calls for patching​

Implications for Organisations

Managed file transfer solutions are prime targets for ransomware groups. Examples include attacks on Accellion’s FTA, Fortra’s GoAnywhere MFT, and Progress Software’s MOVEit Transfer. These attacks often result in data breaches and extortion attempt.

Mitigation and Recommendations

SolarWinds released a patch to address CVE-2024-28995. Users of Serv-U FTP and MFT solutions should upgrade to version 15.4.2 HF 2 or later. Immediate patching is crucial due to the active exploitation and sensitivity of the data at risk.

Identifying Affected Systems

Tenable has developed plugins to identify vulnerable systems. These plugins are available on the CVE page for CVE-2024-28995. Organisations should use these tools to detect and remediate this vulnerability.

Enhancing Security with Passwordless Systems

To bolster security and protect against vulnerabilities like CVE-2024-28995, consider implementing passwordless authentication systems. Traditional passwords are often a weak link in cybersecurity, prone to phishing, brute force attacks, and credential stuffing. By moving to a passwordless system, you can significantly enhance the security posture of your SolarWinds Serv-U environment.

Benefits of Passwordless Authentication:

  1. Reduced Attack Surface
  2. Improved User Experience
  3. Enhanced Security
  4. Compliance and Standards

Implementing Passwordless Systems with PureAuth:

PureAuth offers a robust passwordless authentication solution that can be integrated into your existing infrastructure. By using PureAuth, you can secure your SolarWinds Serv-U environment against unauthorised access and potential vulnerabilities.

Conclusion:

CVE-2024-28995 is a serious vulnerability actively exploited in the wild. Organisations using SolarWinds Serv-U must prioritise patching to protect their systems. Enhancing security with passwordless systems is a proactive step in safeguarding your SolarWinds Serv-U environment. By implementing solutions like PureAuth, you can reduce the risk of exploitation from vulnerabilities like CVE-2024-28995 and ensure a more secure and user-friendly authentication process.

SnowBall effect of Snowflake Breach

Executive Summary

Snowflake an American cloud computing–based data cloud company, identified a breach in June 2024, which had far-reaching implications for various organisations. Attackers exploited stolen credentials from a Snowflake employee, enabling unauthorised access to sensitive customer data, including credentials and access tokens. This breach was exacerbated by bypassing Okta’s security measures, allowing the attackers to generate new session tokens and access extensive customer data without detection.

Key Affected Customers:

Attack Method

  • Credentials Theft: Initial access through compromised employee credentials
  • Bypass Mechanism: Circumvention of Okta Security Protocols
  • Exploitation: Generation of new session tokens to access databases and steal data

The Domino Effect

The Snowflake breach has created a domino effect, where the initial compromise has led to multiple subsequent breaches. This incident mirrors the earlier Okta breach,, where attackers leveraged stolen credentials to infiltrate various organizations.

Domino Effect of Snowflake Breach

Companies affected include:

  • Ticketmaster: Reported unauthorised access to sensitive data.
  • Advance Auto Parts: Experienced data theft, with stolen information now for sale on dark web marketplaces.
  • Santander Bank: Compromised customer data led to financial and reputational damage.
  • Hugging Face, Quote Wizard, Lending Tree: Also reported breaches, with more organizations likely to follow .

Inherent Weaknesses in Traditional IAM Solutions

Password + MFA Based Authentication:

  • Reliance on passwords makes systems vulnerable to phishing and credential theft.
  • Multi-Factor Authentication (MFA) is often ineffective as attackers can bypass Password + MFA protection mainly by phishing or using a compromised device.
  • Social Engineering attacks have shown that phishing resistant MFA like FIDO keys, & passkeys can prove to be ineffective & can be easily disabled or reset.

IAM Blind Spots:

Apart from reliance on vulnerable passwords for identifying user. The existing IAM solutions are blind to following risks

  • Connection Risk – Traditional IAM solutions lack visibility of user connections. They cannot know whether an authentication request is coming from an authorised actor or an attacker in the middle.
  • User’s Device Risk – They also do not account for the type & security posture of user’s devices, leaving systems exposed to malware and remote monitoring, as seen in the Uber incident.

Impact Assessment

The Snowflake breach is termed as the biggest data breach so far and it’s cascading effect has led to numerous organisations reporting security incidents & data breach. 

The amplification effect could potentially lead to a vast number of downstream breaches, escalating the overall impact.

Impact of Snowflake Breach
Credit: XQ

Towards a Secure Future

Challenges with Current Solutions:

  • Time and again Password + MFA based systems are proven to be ineffective against simple attacks like phishing & social engineering.
  • There is a pressing need for more robust authentication mechanisms.

Protect your Enterprise, #GoPasswordless with PureAUTH

FIDO Solutions like Passkeys and hardware tokens focus on giving users a passwordless experience keeping the passwords on the server as the primary way to identify and authenticate users.

PureAUTH Platform on the other hand provides a comprehensive passwordless approach, eliminating the passwords from server side & not just from user side. PureAUTH is the only solution that protects an organisation against phishing, social engineering, frauds & all types of credential-based attack.

To learn more about PureAUTH & how it protects your existing IAM systems like Okta, OneLogin, CISCO Duo, or Azure AD in just 60 minutes at Zero Cost – get in touch with us

Related Blogs

Okta Warns Customers of Credential Stuffing Attacks

Unpacking Okta’s Recent Security Breach

American Express Warns Customers of Third-Party Data Breach

Introduction

American Express (Amex) has disclosed a potential data breach, affecting some of its credit card holders. The breach, originating from a third-party service provider, has raised concerns about the security of cardholder information.

Timeline

  • March 4, 2024: Breach Notification:
    • American Express files a breach notification letter with the Massachusetts State Attorney General’s Office as a precautionary measure.
    • The breach is attributed to a point-of-sale attack at a merchant processor, not directly involving American Express or its service providers.
  • March 5, 2024: Public Disclosure:
    • Details of the breach are publicly disclosed by American Express, acknowledging the potential compromise of cardholder names, account numbers, and expiration dates.
    • American Express reassures card members and emphasises its robust monitoring systems.
Screenshot of American Express Breach Notice

Details of the Breach

Incident Overview:

  • The breach occurred due to a point-of-sale attack at a merchant processor, not directly involving American Express or its service providers.

Affected Information:

  • Account information potentially compromised includes cardholder names, American Express card account numbers, and expiration dates.
  • Both active and previously issued credit card account numbers may have been impacted.

Customer Perspective

Customer Liability:

  • American Express assures its card members that they won’t be liable for fraudulent charges on their accounts.
  • The company emphasises its sophisticated monitoring systems to detect and address any suspicious activity promptly.

Recommendations for Customers:

  • Customers should regularly review and monitor their account activity.
  • American Express recommends Free fraud and account activity alerts via email, SMS text messaging, and app notifications for added protection.

Industry Perspective

Accountability of Third-Party Service Providers:

  • Cyber security experts such as Liat Hayun, CEO and co-founder of Eureka Security, stress the importance of holding third-party service providers accountable for data security.
  • Recent incidents, like the Bank of America breach with Infosys McCamish Systems, highlight the persistent challenge of third-party vulnerabilities.
  • With breaches attributed to groups like LockBit ransomware, there’s a pressing need to fortify security measures.
  • Previous breaches, such as Bank of America’s exposure via Ernst & Young, emphasise the necessity of securing access points to sensitive data.

Conclusion

The American Express data breach serves as a reminder of the ongoing cybersecurity challenges faced by financial institutions and the imperative need for proactive security measures. Using and Managing passwords also costs a lot. The easiest solution of this unavoidable situation is adopting passwordless solutions for Identity and Access Management (IAM). Password-based authentication methods are increasingly vulnerable to cyber threats.  Embracing advanced authentication mechanisms can mitigate unauthorised access risks and safeguard sensitive information.