This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.
No patch yet, apply mitigations. Actively exploited.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.
New York City based Sisense has more than a thousand customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that βcertain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)β
βWe are taking this matter seriously and promptly commenced an investigation,β Dash continued. βWe engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.β
In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.
βCISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,β the sparse alert reads. βWe will provide updates as more information becomes available.β
Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the companyβs Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisenseβs Amazon S3 buckets in the cloud.
Customers can use Gitlab either as a solution that is hosted in the cloud at Gitlab.com, or as a self-managed deployment. KrebsOnSecurity understands that Sisense was using the self-managed version of Gitlab.
Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.
It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.
The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time β sometimes indefinitely. And depending on which service weβre talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials.
Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that theyβve previously entrusted to Sisense.
Earlier today, a public relations firm working with Sisense reached out to learn if KrebsOnSecurity planned to publish any further updates on their breach (KrebsOnSecurity posted a screenshot of the CISOβs customer email to both LinkedIn and Mastodon on Wednesday evening). The PR rep said Sisense wanted to make sure they had an opportunity to comment before the story ran.
But when confronted with the details shared by my sources, Sisense apparently changed its mind.
βAfter consulting with Sisense, they have told me that they donβt wish to respond,β the PR rep said in an emailed reply.
Update, 6:49 p.m., ET: Added clarification that Sisense is using a self-hosted version of Gitlab, not the cloud version managed by Gitlab.com.
Also, Sisenseβs CISO Dash just sent an update to customers directly. The latest advice from the company is far more detailed, and involves resetting a potentially large number of access tokens across multiple technologies, including Microsoft Active Directory credentials, GIT credentials, web access tokens, and any single sign-on (SSO) secrets or tokens.
The full message from Dash to customers is below:
βGood Afternoon,
We are following up on our prior communication of April 10, 2024, regarding reports that certain Sisense company information may have been made available on a restricted access server. As noted, we are taking this matter seriously and our investigation remains ongoing.
Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application.
Specifically, you should:
β Change Your Password: Change all Sisense-related passwords on http://my.sisense.com
β Non-SSO:
β Replace the Secret in the Base Configuration Security section with your GUID/UUID.
β Reset passwords for all users in the Sisense application.
β Logout all users by running GET /api/v1/authentication/logout_all under Admin user.
β Single Sign-On (SSO):
β If you use SSO JWT for the userβs authentication in Sisense, you will need to update sso.shared_secret in Sisense and then use the newly generated value on the side of the SSO handler.
β We strongly recommend rotating the x.509 certificate for your SSO SAML identity provider.
β If you utilize OpenID, itβs imperative to rotate the client secret as well.
β Following these adjustments, update the SSO settings in Sisense with the revised values.
β Logout all users by running GET /api/v1/authentication/logout_all under Admin user.
β Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of connection between the systems.
β Data Models: Change all usernames and passwords in the database connection string in the data models.
β User Params: If you are using the User Params feature, reset them.
β Active Directory/LDAP: Change the username and user password of users whose authorization is used for AD synchronization.
β HTTP Authentication for GIT: Rotate the credentials in every GIT project.
β B2D Customers: Use the following API PATCH api/v2/b2d-connection in the admin section to update the B2D connection.
β Infusion Apps: Rotate the associated keys.
β Web Access Token: Rotate all tokens.
β Custom Email Server: Rotate associated credentials.
β Custom Code: Reset any secrets that appear in custom code Notebooks.
If you need any assistance, please submit a customer support ticket at https://community.sisense.com/t5/support-portal/bd-p/SupportPortal and mark it as critical. We have a dedicated response team on standby to assist with your requests.
At Sisense, we give paramount importance to security and are committed to our customersβ success. Thank you for your partnership and commitment to our mutual security.
Regards,
Sangram Dash
Chief Information Security Officerβ
Itβs one thing to claim leadership in cloud security; itβs another to have that leadership acknowledged by industry experts. Thatβs why weβre thrilled to announce our recent recognition by Frost & Sulβ¦ Read more on Cisco Blogs
On April 9, Twitter/X began automatically modifying links that mention βtwitter.comβ to read βx.comβ instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links β such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.
The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.
A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in βtwitter.com,β although research so far shows the majority of these domains have been registered βdefensivelyβ by private individuals to prevent the domains from being purchased by scammers.
Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, βAre you serious, X Corp?β
Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in βtwitter.comβ to βx.com.β
Original story:
The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.
A number of these new domains including βtwitter.comβ appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was βacquired to prevent its use for malicious purposes,β along with a Twitter/X username.
The domain mentioned at the beginning of this story β fedetwitter.com β redirects users to the blog of a Japanese technology enthusiast. A user with the handle βamplest0eβ appears to have registered space-twitter.com, which Twitter/X users would see as the CEOβs βspace-x.com.β The domain βametwitter.comβ already redirects to the real americanexpress.com.
Some of the domains registered recently and ending in βtwitter.comβ currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).
The domain setwitter.com, which Twitter/X until very recently rendered as βsex.com,β redirects to this blog post warning about the recent changes and their potential use for phishing.
Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.
βBad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity β many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,β McNee said. βIt is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.β
The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeleyβs School of Information, summed up the Schadenfreude thusly:
βTwitter just doing a βredirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.comβ is not absolutely the funniest thing I could imagine but itβs high up there.β
If only Patch Tuesdays came around infrequently β like total solar eclipse rare β instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this monthβs patch batch β a record 147 flaws in Windows and related software.
Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.
βThis is the largest release from Microsoft this year and the largest since at least 2017,β said Dustin Childs, from Trend Microβs Zero Day Initiative (ZDI). βAs far as I can tell, itβs the largest Patch Tuesday release from Microsoft of all time.β
Tempering the sheer volume of this monthβs patches is the middling severity of many of the bugs. Only three of Aprilβs vulnerabilities earned Microsoftβs most-dire βcriticalβ rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.
Most of the flaws that Microsoft deems βmore likely to be exploitedβ this month are marked as βimportant,β which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.
Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the userβs password hash and authenticate as the user in another Microsoft service.
Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azureβs search backend infrastructure that could be gleaned by taking advantage of Azure AI search.
βThis along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,β McCarthy said. βMicrosoft has updated their backend and notified any customers who have been affected by the credential leakage.β
CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDIβs researchers found this vulnerability being exploited in the wild, although Microsoft doesnβt currently list CVE-2024-29988 as being exploited.
βI would treat this as in the wild until Microsoft clarifies,β Childs said. βThe bug itself acts much like CVE-2024-21412 β a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.β
Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a βproxy driver spoofingβ weakness.
Satnam Narang at Tenable notes that this monthβs release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered βExploitation Less Likelyβ according to Microsoft.
βHowever, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,β Narang said. βBlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.β
For links to individual security advisories indexed by severity, check out ZDIβs blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.
Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.
KrebsOnSecurity needs to correct the record on a point mentioned at the end of Marchβs βFat Patch Tuesdayβ post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps wonβt use AI to auto-scan your documents, as the original language in its FAQ suggested.
βIn practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,β Adobe said earlier this month.
Letβs say that, during the middle of a busy day, you receive what looks like a work-related email with a QR code. The email claims to come from a coworker, requesting your help in reviewing a dβ¦ Read more on Cisco Blogs
Short'Em All is a URL scanning tool trusted by CTI Analysts and Security Researchers. It's designed to scan short URLs and provide insights into potential security risks or useful information. This tool automates the process of scanning URLs, allowing users to focus on analyzing the results.