Showing posts with label Palo Alto Networks.

Palo Alto GlobalProtect Portals Face Spike in Suspicious Login Attempts

 


Threat-intelligence analysts have detected a sudden and unusually coordinated wave of probing against Palo Alto Networks' GlobalProtect remote-access infrastructure. The activity carries fingerprints already associated with malicious scanning and relies on well-worn attack mechanisms rather than anything novel.

According to new reporting from GreyNoise, the surge began on November 14 and escalated sharply into early December, peaking at more than 7,000 unique IP addresses attempting to log in to GlobalProtect portals, as observed through the firm's Global Observation Grid. That volume is the highest GreyNoise has recorded in 90 days, and it has defenders watching for signs that reconnaissance on this scale will be followed by actual intrusion attempts.

Most of the activity originates from infrastructure operating under the name 3xK Tech GmbH (AS200373), which alone accounts for roughly 2.3 million sessions directed at the /global-protect/login.esp endpoint used by PAN-OS and GlobalProtect. GreyNoise reports that 62 percent of that traffic geolocated to Germany and 15 percent to Canada.

In parallel, AS208885 contributed a steady stream of probing across the observed network. Early analysis shows clear continuity with prior malicious campaigns against Palo Alto Networks equipment: recurring TCP characteristics, repeated JA4T signatures, and reuse of infrastructure tied to known threat actors.

Targets in the United States, Mexico, and Pakistan received comparable levels of pressure, which points to a broad, opportunistic approach rather than a narrowly targeted campaign, and serves as a stark reminder of the persistent attention adversaries pay to widely deployed remote-access technologies.

The recent increase closely matches a pattern first observed between late September and mid-October, when three distinct fingerprints were identified across more than nine million non-spoofable HTTP sessions, most of them directed at GlobalProtect portals.

The four autonomous systems that originated those earlier scans shared enough technical overlap to raise suspicion even though they had no prior history of malicious behavior. At the end of November the same signatures resurfaced from 3xK Tech GmbH's infrastructure in a concentrated burst of about 2.3 million sessions carrying identical TCP and JA4T indicators, most of them from IP addresses located in Germany.

GreyNoise now assesses with high confidence that both phases of activity belong to a single threat actor. The same fingerprints reappeared on December 3, this time in probes against SonicWall's SonicOS API, suggesting a general reconnaissance sweep across widely deployed perimeter technologies rather than a product-specific campaign. Analysts note that GlobalProtect remains a high-profile target because of its deep penetration into enterprise networks and its history of high-impact vulnerabilities.

One of those is CVE-2024-3400, a critical command-injection flaw rated 9.8 that was patched in April 2024 but still affects unremediated systems. In recent attacks, threat actors have also abused misconfigurations that expose pre-authentication surfaces, such as internet-facing administrative portals and unchanged default credentials, to enumerate endpoints, brute-force credentials, and deploy malware for persistence.

They have also developed custom tools modeled on well-known exploitation frameworks. Researchers caution that no definitive attribution has been established for the current surge, although Mandiant has observed the same methods in operations linked to Chinese state-related groups such as UNC4841. Indicators seen in confirmed intrusions include sudden spikes in UDP traffic to port 4501, followed by HTTP requests to "/global-protect/login.urd", from which attackers harvested session tokens to move deeper into victim environments.
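
The three observable signals described in this post (repeated failed logins against /global-protect/login.esp, one JA4T fingerprint reused across several autonomous systems, and requests to the /global-protect/login.urd indicator path) can be pulled out of a portal access log with a short script. The following is an added example, not code from GreyNoise or Palo Alto Networks; the log line layout, the sample records, the JA4T values and the thresholds are assumptions made for the example, and the addresses are documentation ranges.

```python
from collections import Counter, defaultdict
from typing import Dict

# Constructed portal access records. The field layout is an assumption made
# for this example, not PAN-OS or GlobalProtect log syntax:
#   timestamp  source_ip  origin_asn  method  path  status  ja4t_fingerprint
SAMPLE_LOG = """\
2025-11-28T10:00:01Z 203.0.113.10 AS200373 POST /global-protect/login.esp 401 1460_2-1-3-1-1-4_1460_8
2025-11-28T10:00:02Z 203.0.113.10 AS200373 POST /global-protect/login.esp 401 1460_2-1-3-1-1-4_1460_8
2025-11-28T10:00:03Z 203.0.113.10 AS200373 POST /global-protect/login.esp 401 1460_2-1-3-1-1-4_1460_8
2025-11-28T10:00:04Z 203.0.113.10 AS200373 POST /global-protect/login.esp 401 1460_2-1-3-1-1-4_1460_8
2025-11-28T10:00:05Z 203.0.113.10 AS200373 POST /global-protect/login.esp 401 1460_2-1-3-1-1-4_1460_8
2025-11-28T10:01:10Z 198.51.100.7 AS208885 POST /global-protect/login.esp 401 1460_2-1-3-1-1-4_1460_8
2025-11-28T10:01:11Z 198.51.100.7 AS208885 POST /global-protect/login.esp 401 1460_2-1-3-1-1-4_1460_8
2025-11-28T10:02:00Z 192.0.2.44 AS64496 POST /global-protect/login.esp 200 65535_2-4-8-1-3_1460_6
2025-11-28T10:03:30Z 203.0.113.11 AS200373 GET /global-protect/login.urd 404 1460_2-1-3-1-1-4_1460_8
"""

# Paths named as indicators in the reporting above.
IOC_PATHS = {"/global-protect/login.urd"}
LOGIN_PATH = "/global-protect/login.esp"


def parse_line(line: str) -> Dict:
    ts, ip, asn, method, path, status, ja4t = line.split()
    return {"ts": ts, "ip": ip, "asn": asn, "method": method,
            "path": path, "status": int(status), "ja4t": ja4t}


def analyze_portal_log(text: str, brute_threshold: int = 5) -> Dict:
    recs = [parse_line(line) for line in text.splitlines() if line.strip()]

    # 1. Credential brute-forcing: repeated failed POSTs to login.esp from one source.
    failed = Counter(r["ip"] for r in recs
                     if r["path"] == LOGIN_PATH and r["method"] == "POST"
                     and r["status"] in (401, 403))
    brute_force = {ip: n for ip, n in failed.items() if n >= brute_threshold}

    # 2. Fingerprint continuity: one JA4T value seen from several autonomous
    #    systems is the kind of reuse that tied the campaign phases together.
    fp_asns = defaultdict(set)
    for r in recs:
        fp_asns[r["ja4t"]].add(r["asn"])
    shared_fingerprints = {fp: sorted(asns) for fp, asns in fp_asns.items()
                           if len(asns) >= 2}

    # 3. Direct hits on indicator paths, whatever the response code was.
    ioc_hits = sorted({(r["ip"], r["path"]) for r in recs if r["path"] in IOC_PATHS})

    return {"brute_force": brute_force,
            "shared_fingerprints": shared_fingerprints,
            "ioc_hits": ioc_hits}


if __name__ == "__main__":
    for key, value in analyze_portal_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The fingerprint check is the one worth keeping even when volumes are low: a single JA4T value that shows up from unrelated ASNs is the same evidence GreyNoise used to link the November burst to the earlier phase, and it survives the attacker rotating source IPs.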

A Palo Alto Networks advisory dated December 5 urges administrators to harden exposed portals with multi-factor authentication, tighten firewall restrictions, and install all outstanding patches, while noting that properly configured deployments remain resilient despite the increased scrutiny. CISA has since added the relevant vulnerabilities to its Known Exploited Vulnerabilities catalog and required federal agencies to remediate within 72 hours.

The latest surge is a stark reminder of how quickly opportunistic reconnaissance can escalate into compromise when foundational controls are neglected, and organizations should prepare for follow-on attacks. Rather than relying on reactive patching, security experts advise a more disciplined hardening strategy: monitor the attack surface continuously, review identity policies regularly, and segment every remote-access path as strictly as possible.

Analysts add that defenders benefit from closer alignment between security operations teams and network administrators, so that anomalous traffic spikes or repeated fingerprint patterns are noticed and escalated before they become operationally relevant. Sharing indicators early and widely matters most for organizations that operate internet-facing VPN platforms, because attackers have become increasingly adept at recycling infrastructure and tooling across many different product families.

GlobalProtect and similar platforms are generally secure when configured correctly, but the recent scan activity highlights a broader truth: against adversaries intent on exploiting even the slightest crack in perimeter defenses, sustained vigilance, timely remediation, and a culture of proactive security hygiene remain the most effective barriers.

Nearly 50% of IoT Device Connections Pose Security Threats, Study Finds

 




A new security analysis has revealed that nearly half of all network communications between Internet of Things (IoT) devices and traditional IT systems come from devices that pose serious cybersecurity risks.

The report, published by cybersecurity company Palo Alto Networks, analyzed data from over 27 million connected devices across various organizations. The findings show that 48.2 percent of these IoT-to-IT connections came from devices classified as high risk, while an additional 4 percent were labeled critical risk.

These figures underline a growing concern that many organizations are struggling to secure the rapidly expanding number of IoT devices on their networks. Experts noted that a large portion of these devices operate with outdated software, weak default settings, or insecure communication protocols, making them easy targets for cybercriminals.


Why It’s a Growing Threat

IoT devices, ranging from smart security cameras and sensors to industrial control systems, are often connected to the same network as the computers and servers used for daily business operations. This creates a problem: once a vulnerable IoT device is compromised, attackers can move deeper into the network, access sensitive data, and disrupt normal operations.

The study emphasized that the main cause behind such widespread exposure is poor network segmentation. Many organizations still run flat networks, where IoT devices and IT systems share the same environment without proper separation. This allows a hacker who infiltrates one device to move easily between systems and cause greater harm.


How Organizations Can Reduce Risk

Security professionals recommend several key actions for both small businesses and large enterprises to strengthen their defenses:

1. Separate Networks:

Keep IoT devices isolated from core IT infrastructure through proper network segmentation. This prevents threats in one area from spreading to another.

2. Adopt Zero Trust Principles:

Follow a security model that does not automatically trust any device or user. Each access request should be verified, and only the minimum level of access should be allowed.

3. Improve Device Visibility:

Maintain an accurate inventory of all devices connected to the network, including personal or unmanaged ones. This helps identify and secure weak points before they can be exploited.

4. Keep Systems Updated:

Regularly patch and update device firmware and software. Unpatched systems often contain known vulnerabilities that attackers can easily exploit.

5. Use Strong Endpoint Protection:

Deploy Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) tools across managed IT systems, and use monitoring solutions for IoT devices that cannot run these tools directly.
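
The report's headline metric (the share of IoT-to-IT connections that come from high- or critical-risk devices) and the segmentation failure behind it can both be computed from a device inventory plus flow records. The following is an added example written for this page, not the Palo Alto Networks study's own analysis: the device names, risk ratings, segments, flows and the "IoT may only reach the IT LAN over 443" policy are all constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed inventory: device -> kind, risk rating, network segment (all invented).
DEVICES = {
    "cam-01":    {"kind": "iot", "risk": "high",     "segment": "iot"},
    "cam-02":    {"kind": "iot", "risk": "critical", "segment": "lan"},  # camera left on the IT LAN
    "plc-07":    {"kind": "iot", "risk": "high",     "segment": "ot"},
    "sensor-3":  {"kind": "iot", "risk": "low",      "segment": "iot"},
    "printer-1": {"kind": "iot", "risk": "medium",   "segment": "lan"},  # printer on the IT LAN
    "fs-01":     {"kind": "it",  "risk": "low",      "segment": "lan"},
    "db-01":     {"kind": "it",  "risk": "low",      "segment": "dc"},
    "ws-14":     {"kind": "it",  "risk": "low",      "segment": "lan"},
}

Flow = Tuple[str, str, int]  # (source device, destination device, destination port)

# Constructed flow records, e.g. from NetFlow or firewall traffic logs.
FLOWS: List[Flow] = [
    ("cam-01", "fs-01", 445), ("cam-01", "db-01", 1433), ("cam-02", "ws-14", 3389),
    ("plc-07", "db-01", 1433), ("sensor-3", "fs-01", 443), ("printer-1", "ws-14", 9100),
    ("ws-14", "fs-01", 445), ("sensor-3", "cam-01", 80),
]

# Assumed segmentation policy: IoT may reach the IT LAN only over 443 (e.g. via a broker).
ALLOWED_CROSS_SEGMENT = {("iot", "lan", 443)}
RISKY = {"high", "critical"}


def iot_to_it_flows(devices: Dict, flows: List[Flow]) -> List[Flow]:
    return [f for f in flows
            if devices[f[0]]["kind"] == "iot" and devices[f[1]]["kind"] == "it"]


def risk_share(devices: Dict, flows: List[Flow]) -> Dict[str, float]:
    """Percentage of IoT-to-IT connections, broken down by source-device risk rating."""
    cross = iot_to_it_flows(devices, flows)
    if not cross:
        return {}
    counts = Counter(devices[src]["risk"] for src, _, _ in cross)
    return {level: round(100 * n / len(cross), 1) for level, n in counts.items()}


def risky_share(devices: Dict, flows: List[Flow]) -> float:
    """The report's headline number: share of IoT-to-IT connections from high/critical devices."""
    return round(sum(v for k, v in risk_share(devices, flows).items() if k in RISKY), 1)


def segmentation_violations(devices: Dict, flows: List[Flow],
                            allowed=ALLOWED_CROSS_SEGMENT) -> List[Tuple[Flow, str]]:
    """IoT-to-IT flows that never cross a segment boundary (flat network) or cross
    one the policy does not permit. Each finding carries the reason."""
    findings = []
    for src, dst, port in iot_to_it_flows(devices, flows):
        s, d = devices[src]["segment"], devices[dst]["segment"]
        if s == d:
            findings.append(((src, dst, port), f"flat network: IoT and IT share segment '{s}'"))
        elif (s, d, port) not in allowed:
            findings.append(((src, dst, port), f"no policy allows {s} -> {d} on port {port}"))
    return findings


if __name__ == "__main__":
    print("risk share:", risk_share(DEVICES, FLOWS), "risky total:", risky_share(DEVICES, FLOWS))
    for flow, reason in segmentation_violations(DEVICES, FLOWS):
        print(flow, reason)
```

On the constructed data two thirds of IoT-to-IT traffic comes from high- or critical-risk devices and five of six cross-kind flows violate the policy; the sensor talking to the file server over 443 is the only one the policy permits. In practice the inventory comes from a discovery tool and the flows from NetFlow or firewall logs, but the check itself stays this simple once those two inputs exist.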


As organizations rely more on connected devices to improve efficiency, the attack surface grows wider. Without proper segmentation, monitoring, and consistent updates, one weak device can become an entry point for cyberattacks that threaten entire operations.

The report reinforces an important lesson: proactive network management is the foundation of cybersecurity. Ensuring visibility, limiting trust, and continuously updating systems can significantly reduce exposure to emerging IoT-based threats.




Spike in Login Portal Scans Puts Palo Alto Networks on Alert


 

Palo Alto Networks login portals have seen a dramatic surge in suspicious scanning activity over the past month, a development that has caught the attention of the cybersecurity community. The evidence suggests coordinated reconnaissance by threat actors against these portals.

A new report from cybersecurity intelligence firm GreyNoise shows that scanning of Palo Alto Networks' GlobalProtect and PAN-OS interfaces increased by more than 500 percent, a sharp departure from the usual pattern. In the last week of October the firm recorded more than 1,285 unique IP addresses probing these systems, compared with a typical daily average of fewer than 200.

Roughly 80 percent of this activity was attributed to IP addresses in the United States, with additional clusters in the United Kingdom, the Netherlands, Canada, and Russia. Distinct TLS fingerprints also revealed organised scanning clusters oriented heavily towards United States and Pakistani targets.

GreyNoise classifies 91 percent of the observed IP addresses as suspicious and the remaining 7 percent as malicious, which may indicate an early phase of targeted reconnaissance or exploitation attempts against Palo Alto Networks' widely deployed infrastructure.

Most of the scanning was directed at emulated Palo Alto Networks profiles, including GlobalProtect and PAN-OS, which indicates the probes were intentional and are the product of either open-source scanning tools or attackers conducting reconnaissance to identify vulnerable Palo Alto devices.

GreyNoise notes that heightened scanning activity can often be detected before zero-day or n-day vulnerabilities are exploited, serving as advance warning of offensive operations. A similar pattern occurred earlier this year, when a spike in Cisco ASA scans was followed shortly afterwards by the disclosure and exploitation of a critical zero-day vulnerability in that product line.
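
The early-warning logic this post describes is a baseline comparison: count unique sources hitting the portal each day and alert when a day runs several times above the recent norm, as the 1,285-against-fewer-than-200 figure did. The following is an added example and not GreyNoise's own method or code; the observation data are synthetic (seven quiet days followed by one 1,285-source day), the sources are 100.64.0.0/10 addresses, and the seven-day median baseline and 5x threshold are choices made for the example.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median
from typing import Dict, Iterable, List, Tuple


def daily_unique_sources(observations: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Collapse (day, source_ip) observations into a unique-source count per day."""
    per_day = defaultdict(set)
    for day, ip in observations:
        per_day[day].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def flag_spikes(daily: Dict[str, int], baseline_days: int = 7,
                factor: float = 5.0, min_baseline: int = 10) -> List[Dict]:
    """Flag any day whose unique-source count is at least `factor` times the median
    of the preceding `baseline_days`. The median keeps one earlier spike from
    inflating the baseline; `min_baseline` stops near-zero days producing noise."""
    days = sorted(daily)
    alerts = []
    for i in range(baseline_days, len(days)):
        window = [daily[d] for d in days[i - baseline_days:i]]
        baseline = max(median(window), min_baseline)
        count = daily[days[i]]
        if count >= factor * baseline:
            alerts.append({"day": days[i], "unique_sources": count,
                           "baseline": baseline,
                           "increase_pct": round((count / baseline - 1) * 100)})
    return alerts


def constructed_observations() -> List[Tuple[str, str]]:
    """Synthetic data: seven quiet days (150-180 sources) then one day with 1,285."""
    start = date(2025, 10, 20)
    counts = [150, 155, 160, 165, 170, 175, 180, 1285]
    obs = []
    for offset, n in enumerate(counts):
        day = (start + timedelta(days=offset)).isoformat()
        # Shared-address-space addresses, unique within a day, clearly not real sources.
        obs.extend((day, f"100.64.{k // 256}.{k % 256}") for k in range(n))
    return obs


if __name__ == "__main__":
    for alert in flag_spikes(daily_unique_sources(constructed_observations())):
        print(alert)
```

Counting unique sources rather than raw requests matters: a single noisy scanner can produce millions of sessions without changing the number of distinct addresses, whereas a jump in distinct sources is what GreyNoise treats as a leading indicator. Run against real sensor or honeypot data, the same function gives a per-product alert that can be reviewed alongside vendor advisories.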

Although the timing and scale of the current scans are cause for concern, researchers are clear that the available evidence shows only a weak correlation with any known or emerging exploit activity in the Palo Alto Networks ecosystem at this point. GlobalProtect is the remote-access component of Palo Alto Networks' next-generation firewall ecosystem, letting organisations apply consistent threat-prevention and security policies to remote endpoints wherever they connect from.

GlobalProtect portals are critical management components: administrators use them to configure VPN settings, distribute security agents, and manage endpoint connectivity within enterprise networks. Because of that function and its visibility on the internet, the portal is a high-value target for attackers seeking access to sensitive data.

Experts point out that firewalls, VPNs, and other edge-facing technologies are among the most attractive targets for attackers because they act as gateways between internal corporate environments and the open internet. These systems must be reachable online to support remote operations, and that necessity exposes them to extensive reconnaissance and scanning.

A few weeks earlier, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had warned that a zero-day authentication bypass vulnerability in Palo Alto Networks' PAN-OS software was being actively exploited, which has only increased the vendor's appeal to adversaries. Similar trends have been observed across the industry.

For example, Cisco Talos disclosed last year that two zero-day flaws in Cisco firewall appliances had been exploited by a state-backed threat actor in an espionage campaign. These cases highlight the persistent threats facing vendors of edge security infrastructure.

For cybersecurity practitioners, the recent spikes in scanning targeting Palo Alto Networks' PAN-OS GlobalProtect gateways underline a long-standing principle: all software has vulnerabilities. According to Boris Cipot, Senior Security Engineer at Black Duck, no matter how sophisticated a piece of software is, security vulnerabilities will inevitably arise at some point, whether through programming oversight or through vulnerabilities introduced by third-party open-source components.

The real test, he says, is not whether a vulnerability exists but how swiftly the vendor releases a fix and how quickly users apply it. A Palo Alto Networks spokesperson said that while most customers have probably patched their systems in response to recent advisories, attackers continue to hunt for devices that are unpatched or poorly maintained.

Cipot's recommendations include timely patching, following vendor-recommended mitigations when patches are not yet available, and restricting management interfaces to trusted internal networks, which he describes as one of the most fundamental practices.

The report also recommends continuous log monitoring, regular security audits, and analysis of open-source components to identify vulnerabilities as early as possible in the lifecycle. Eric Schwake, Director of Cybersecurity Strategy at Salt Security, shared these concerns, noting that the pattern of scans, which spans nearly 24,000 unique IP addresses, demonstrates the persistence of threat actors attempting to gain unauthorised access to data.

Perimeter security such as firewalls and VPNs remains crucial but should not be treated as impenetrable, according to Schwake. He recommends a multi-layered approach that integrates API security governance, robust authentication mechanisms, and behavioural threat detection, so that abnormal login attempts and other malicious activity are detected in real time rather than relying on any single control.

He also recommends user awareness training and enforced multifactor authentication (MFA) to reduce the risk of credential compromise and strengthen overall cyber resilience. GreyNoise's research team has tracked unusual scanning activity directed at Palo Alto Networks' PAN-OS GlobalProtect gateways for a number of years.

In April 2025 the firm spotted another wave of suspicious login probes, prompting Palo Alto Networks to advise customers to make sure their systems are running the latest software versions with all available patches applied. GreyNoise's Early Warning Signals report from July 2025 supports the company's renewed warning: large-scale spikes in malicious scanning, brute-force attempts, or exploit probing are often followed within six weeks by the disclosure of a new CVE in the targeted product.

A similar pattern appeared in early September 2025, when GreyNoise detected an increase in suspicious network scans targeting Cisco Adaptive Security Appliance (ASA) devices, traced back to late August. The initial wave involved some 25,100 IP addresses, most of them located in Brazil, with the rest concentrated in Argentina and the United States.

Palo Alto Networks researchers have also observed an alarming rise in internet scanning sessions targeting a critical flaw in GlobalProtect, CVE-2024-3400. The vulnerability affects one of the most widely deployed enterprise firewall products and allows arbitrary file creation that can be weaponised to execute commands with root privileges on the operating system.

By exploiting such a flaw, attackers can gain complete control of affected devices, leading to theft of sensitive data, compromise of critical network functions, and disruption of operations. In the last few weeks analysts have noticed a significant increase in probing for this exploit, suggesting that threat actors are actively incorporating it into their toolsets.

Because GlobalProtect serves as an internet-facing gateway in many corporate environments, and the flaw is remotely exploitable without authentication, the risk is amplified. A surge of malicious reconnaissance, analysts warn, can be the precursor to coordinated intrusion campaigns, so organisations should apply security patches as soon as possible, enforce access restrictions, and strengthen monitoring across all perimeter defenses.

Only weeks after one exploitable zero-day vulnerability in its ASA products (CVE-2025-20333) came to light, Cisco confirmed that a second zero-day in the same products (CVE-2025-20362) was being actively exploited, enabling malware such as RayInitiator and LINE VIPER to be deployed in real-world attacks.

According to data from the Shadowserver Foundation, more than 45,000 Cisco ASA and Firepower Threat Defense instances worldwide, including over 20,000 in the United States, remain susceptible to these vulnerabilities. Organisations that rely on perimeter security technologies clearly face escalating threats and an ongoing challenge in adopting patches quickly.

This latest surge in scanning activity is another reminder that cyber threats are constantly evolving, which is why vigilance, visibility, and velocity are so crucial to defence. As reconnaissance becomes more sophisticated and automated, organisations have to take more proactive steps: integrating threat intelligence, monitoring continuously, and managing their attack surface.

Vendor patches alone are not enough. Strengthening network resilience today means combining endpoint hardening, strict access controls, timely updates, and behavioural anomaly detection. Security teams should also minimise the exposure of management and login interfaces and, wherever possible, place them behind zero-trust architectures that validate every connection attempt.

Regular penetration testing and active participation in information-sharing communities make it far easier to spot early warning signs before adversaries gain traction. The recurring campaigns against Palo Alto Networks and Cisco infrastructure show that attackers are playing the long game: scanning for vulnerabilities, waiting for new ones to emerge, and striking when defenders become complacent. The defenders' edge, therefore, lies in staying informed, staying updated, and staying ahead of the curve.

Ingram Micro Confirms SafePay Ransomware Attack and Global IT System Outage

 

Ingram Micro, one of the world’s largest IT distribution and services companies, has confirmed it was targeted in a ransomware attack by the SafePay group, causing major operational disruptions across its global network. The cyberattack, which began early on July 4, 2025, forced the company to take critical internal systems offline and suspend access to platforms such as its AI-powered Xvantage distribution system and the Impulse license provisioning platform. 

The attack came to light after employees discovered ransom notes on their devices. According to cybersecurity outlet BleepingComputer, the notes were linked to the SafePay ransomware operation, an increasingly active threat actor that has claimed over 220 victims since emerging in late 2024. Although the extent of data encryption remains unclear, sources suggest that the attackers likely accessed Ingram Micro's network via compromised credentials on the company's GlobalProtect VPN gateway.

Initially, Ingram Micro refrained from publicly acknowledging the attack, stating only that it was experiencing "IT issues." Employees in some regions were instructed to work from home, and the company advised against using the VPN service believed to be involved in the breach.

On July 6, Ingram Micro officially confirmed the ransomware incident. In a statement, the company said it took immediate steps to secure affected systems, brought in cybersecurity experts to investigate, and notified law enforcement agencies. It also assured customers and partners that it was working urgently to restore operations and minimize further disruption. 

By July 8, the company had made significant progress in recovery. Subscription orders—including renewals and modifications—were once again being processed globally, with additional support for phone and email orders reinstated in key markets such as the UK, Germany, Brazil, India, and China. However, some hardware order functions remain limited. 

Palo Alto Networks issued a clarification stating that none of its products were the source of the breach. The company emphasized that the attackers likely exploited misconfigurations or stolen credentials, not any inherent flaw in the VPN software.

This breach highlights the increasing sophistication of ransomware groups like SafePay and the risks faced by large IT infrastructure providers. Ingram Micro’s swift containment and recovery response may help mitigate long-term impacts, but the incident serves as a critical reminder of the importance of proactive cybersecurity measures, especially in environments reliant on remote access technologies.

Scattered Spider Hackers Target Airline Industry Amid FBI and Cybersecurity Warnings

 

The FBI has issued a new warning about the cybercriminal group known as Scattered Spider, which is now actively targeting the airline industry. Recent cyber incidents at Hawaiian Airlines and Canadian carrier WestJet underscore the growing threat. 

According to the FBI’s advisory released late last week, Scattered Spider is known for using advanced social engineering tactics, often posing as employees or contractors. Their goal is to manipulate IT help desk teams into granting unauthorized access—frequently by requesting the addition of rogue multi-factor authentication (MFA) devices to compromised accounts.  

The group’s typical targets include large enterprises and their third-party service providers. “That puts the entire aviation supply chain at risk,” the FBI noted. Once they gain entry, the hackers typically exfiltrate sensitive information for extortion purposes and sometimes deploy ransomware as part of their attacks. The agency confirmed that it is working closely with industry partners to contain the threat and support affected organizations.  

Hawaiian Airlines reported late last week that it had detected suspicious activity in some of its IT systems. While full flight operations were not disrupted, the airline stated it was taking protective steps. “We’ve engaged with authorities and cybersecurity experts to investigate and remediate the incident,” the company said in a statement, adding that it’s focused on restoring systems and will share further updates as the situation evolves. 

Earlier in June, WestJet disclosed that it had experienced a cybersecurity event, which led to restricted access for certain users. The airline has brought in third-party experts and digital forensic analysts to investigate the breach. 

Although the culprits haven’t been officially named, recent analysis from security firm Halcyon indicates that Scattered Spider has broadened its scope, now targeting not only aviation but also sectors like food production and manufacturing. 

“These attacks are fast-moving and devastating,” Halcyon warned. “They can cripple an entire organization in just a few hours, with impacts on everything from operations to consumer trust.”

Other experts echoed these concerns. Palo Alto Networks’ Unit 42 recently advised aviation companies to be extra cautious, particularly regarding suspicious MFA reset requests and socially engineered phishing attempts.  

Darren Williams, founder and CEO of cybersecurity company BlackFog, emphasized the high value of the airline sector for cybercriminals. “Airlines manage immense volumes of sensitive customer data, making them an extremely attractive target,” he said. “With international travel surging, attackers are exploiting this pressure point.” 

Williams added that the disruptions caused by such attacks can ripple across the globe, affecting travelers, business continuity, and public confidence. “These incidents show that airlines need to invest more heavily in cybersecurity infrastructure that can protect passenger data and maintain operational integrity.”
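
The help-desk technique described in this post leaves a recognisable trace in identity-provider audit logs: a reset performed by a help-desk operator on someone else's account, followed shortly afterwards by a new MFA method being enrolled, often from an address the real user has never used. The following is an added example, not code from the FBI, Unit 42 or any identity vendor: the event schema, the help-desk account names, the 30-minute window and the audit records themselves are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed help-desk operator accounts and the audit actions they perform on others.
HELPDESK_ACTORS = {"hd.alice", "hd.bob"}
RESET_ACTIONS = {"password_reset", "mfa_reset"}
ENROLL_ACTION = "mfa_method_added"
WINDOW = timedelta(minutes=30)

# Constructed identity-provider audit events (fields and values are invented).
EVENTS = [
    {"ts": "2025-06-20T09:00:00", "actor": "jdoe",     "target": "jdoe",   "action": "login",            "ip": "198.51.100.10"},
    {"ts": "2025-06-20T09:05:00", "actor": "hd.alice", "target": "jdoe",   "action": "mfa_reset",        "ip": "10.0.0.5"},
    {"ts": "2025-06-20T09:12:00", "actor": "jdoe",     "target": "jdoe",   "action": "mfa_method_added", "ip": "203.0.113.77"},
    {"ts": "2025-06-20T11:00:00", "actor": "hd.bob",   "target": "msmith", "action": "password_reset",   "ip": "10.0.0.6"},
    {"ts": "2025-06-20T11:10:00", "actor": "msmith",   "target": "msmith", "action": "login",            "ip": "198.51.100.22"},
    {"ts": "2025-06-20T14:00:00", "actor": "kwong",    "target": "kwong",  "action": "mfa_method_added", "ip": "198.51.100.30"},
    {"ts": "2025-06-21T08:00:00", "actor": "hd.alice", "target": "lray",   "action": "mfa_reset",        "ip": "10.0.0.5"},
    {"ts": "2025-06-21T09:30:00", "actor": "lray",     "target": "lray",   "action": "mfa_method_added", "ip": "198.51.100.40"},
]


def flag_post_reset_enrollments(events: List[Dict], helpdesk: Set[str] = HELPDESK_ACTORS,
                                window: timedelta = WINDOW) -> List[Dict]:
    """Return MFA enrollments that follow a help-desk-initiated reset of the same
    account within `window`, noting whether the enrolling IP is new for that user."""
    last_reset: Dict[str, datetime] = {}   # account -> time of most recent help-desk reset
    user_ips: Dict[str, Set[str]] = {}     # account -> IPs the user has acted from before
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        acct = e["target"]
        if e["action"] in RESET_ACTIONS and e["actor"] in helpdesk and e["actor"] != acct:
            last_reset[acct] = t
            continue
        if e["action"] == ENROLL_ACTION and acct in last_reset and t - last_reset[acct] <= window:
            findings.append({
                "account": acct,
                "minutes_after_reset": int((t - last_reset[acct]).total_seconds() // 60),
                "ip": e["ip"],
                "new_ip": e["ip"] not in user_ips.get(acct, set()),
            })
        if e["actor"] == acct:  # record the user's own source IPs, never the help desk's
            user_ips.setdefault(acct, set()).add(e["ip"])
    return findings


if __name__ == "__main__":
    for finding in flag_post_reset_enrollments(EVENTS):
        print(finding)
```

On the constructed events only jdoe is flagged: the enrollment came seven minutes after a help-desk MFA reset and from an address the user had never logged in from. msmith's reset was followed by a normal login, kwong enrolled a method with no reset at all, and lray's enrollment fell outside the window. The window is the weak point of the rule, since an attacker who waits an hour evades it, so in practice it should be paired with a review of every help-desk reset rather than used as the only control.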

Palo Alto Detects New Prometei Botnet Attacks Targeting Linux Servers

Cybersecurity analysts from Palo Alto Networks’ Unit 42 have reported a resurgence of the Prometei botnet, now actively targeting Linux systems with new, upgraded variants as of March 2025. Originally discovered in 2020 when it was aimed at Windows machines, Prometei has since expanded its reach. 

Its Linux-based malware strain has been in circulation since late 2020, but recent versions—designated as 3.x and 4.x—demonstrate significant upgrades in their attack capabilities. The latest Prometei malware samples are equipped with remote control functionality, domain generation algorithms (DGA) to ensure connection with attacker-controlled servers, and self-updating systems that help them remain undetected. This renewed activity highlights the botnet’s growing sophistication and persistent threat across global networks. 

At its core, Prometei is designed to secretly mine Monero cryptocurrency, draining the resources of infected devices. However, it also engages in credential harvesting and can download additional malicious software depending on the attacker’s goals. Its modular framework allows individual components to carry out specific tasks, including brute-force attacks, vulnerability exploitation (such as EternalBlue and SMB bugs), mining operations, and data exfiltration. 

The malware is typically delivered via HTTP GET requests from rogue URLs like hxxp://103.41.204[.]104/k.php. Prometei uses 64-bit Linux ELF binaries that extract and execute payloads directly in memory. These binaries also carry embedded configuration data in a JSON format, containing fields such as encryption keys and tracking identifiers, making them harder to analyze and block. 

Once a system is compromised, the malware collects extensive hardware and software information—CPU details, OS version, system uptime—and sends this back to its command-and-control (C2) servers, including addresses like hxxp://152.36.128[.]18/cgi-bin/p.cgi. Thanks to DGA and self-update features, Prometei ensures consistent communication with attacker infrastructure and adapts to security responses on the fly.  
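
Because the configuration described above is embedded in the ELF as JSON text, it can usually be carved straight out of the file bytes without running the sample. The following is an added example written for this page, not Unit 42's tooling or code from Prometei itself: it scans a byte buffer for balanced brace spans that parse as JSON objects, and the FAKE_BINARY stand-in (ELF magic, filler bytes, a decoy, a made-up config with a TEST-NET address) is constructed so the script runs offline.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit


def carve_json_objects(blob: bytes, required_keys: Tuple[str, ...] = ()) -> List[Dict]:
    """Find every balanced {...} span of printable ASCII in `blob` that parses as a
    JSON object containing `required_keys`. Works on raw file bytes, so it does not
    depend on which ELF section the config was placed in."""
    found, i, n = [], 0, len(blob)
    while i < n:
        if blob[i] != 0x7B:                      # not '{'
            i += 1
            continue
        depth, in_str, esc, end = 0, False, False, None
        for j in range(i, n):
            c = blob[j]
            if in_str:                           # JSON string: honour escapes
                if esc:
                    esc = False
                elif c == 0x5C:                  # backslash
                    esc = True
                elif c == 0x22:                  # closing quote
                    in_str = False
            elif c == 0x22:
                in_str = True
            elif c == 0x7B:
                depth += 1
            elif c == 0x7D:
                depth -= 1
                if depth == 0:
                    end = j
                    break
            elif c > 0x7E or (c < 0x20 and c not in (0x09, 0x0A, 0x0D)):
                break                            # binary byte: this span is not JSON text
        if end is not None:
            try:
                obj = json.loads(blob[i:end + 1].decode("ascii"))
                if isinstance(obj, dict) and all(k in obj for k in required_keys):
                    found.append(obj)
                i = end + 1                      # skip past the parsed object
                continue
            except ValueError:                   # JSONDecodeError and UnicodeDecodeError
                pass
        i += 1
    return found


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked: http -> hxxp, dots in the host -> [.]"""
    p = urlsplit(url)
    return urlunsplit((p.scheme.replace("http", "hxxp"), p.netloc.replace(".", "[.]"),
                       p.path, p.query, p.fragment))


# Constructed stand-in for a sample: ELF magic, filler, a decoy brace span, the config, more filler.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) +
    b"{ not json at all }" +
    b'{"key":"0123456789abcdef","c2":"http://198.51.100.9/cgi-bin/p.cgi","id":"node-7","ver":"4.1"}' +
    b"\x00\xff\x00" + b'{"unrelated":true}' + b"\x00" * 16
)


def extract_c2(blob: bytes) -> List[str]:
    """Defanged C2 URLs from every carved config that carries both 'c2' and 'key'."""
    return [defang(cfg["c2"]) for cfg in carve_json_objects(blob, ("c2", "key"))]


if __name__ == "__main__":
    for cfg in carve_json_objects(FAKE_BINARY):
        print(cfg)
    print(extract_c2(FAKE_BINARY))
```

The required-keys filter is what separates a config from incidental JSON (the decoy `{"unrelated":true}` is carved but discarded), and defanging the recovered URL before it reaches a ticket or report is the habit that keeps an analyst's machine from beaconing to the C2. A packed or encrypted sample defeats this static approach, in which case the same carving runs over a memory dump of the unpacked process instead.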

To defend against these threats, Palo Alto Networks advises using advanced detection tools such as Cortex XDR, WildFire, and their Advanced Threat Prevention platform. These technologies utilize real-time analytics and machine learning to identify and contain threats. Organizations facing a breach can also contact Palo Alto’s Unit 42 incident response team for expert help. 

The activity observed from March to April 2025 underlines the continued evolution of the Prometei botnet and the growing risk it poses to businesses relying on Linux environments. Strengthening cybersecurity protocols and remaining alert to new threats is essential in today’s threat landscape.

Palo Alto Networks Alerts on Exploit Causing Firewall Vulnerabilities


Palo Alto Networks has issued a warning about the active exploitation of the CVE-2024-3393 denial of service (DoS) vulnerability, which attackers are using to compromise firewall defenses by triggering device reboots.

Repeated exploitation of this vulnerability forces the firewall to enter maintenance mode, requiring manual intervention to restore normal functionality.

"A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall," the advisory states. The flaw enables an unauthenticated attacker to reboot affected devices by sending specifically crafted malicious packets.

This issue impacts devices where the 'DNS Security' logging feature is enabled. The affected PAN-OS versions are listed below. According to Palo Alto Networks, customers have already reported outages caused by firewalls blocking malicious DNS packets exploited through this vulnerability. The flaw has been addressed in the following PAN-OS versions: 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and later releases. However, no patch will be released for PAN-OS 11.0 due to its end-of-life (EOL) status as of November 17.
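As an added example (not from the advisory or Palo Alto Networks), a small Python check that compares an inventory of PAN-OS versions against the fixed releases listed above, treating hotfix suffixes such as -h8 as part of the ordering and flagging the end-of-life 11.0 train; the device names and versions in the test are constructed.

```python
import re

# Fixed PAN-OS releases named in the summary above, one per release train.
FIXED_RELEASES = {
    (10, 1): "10.1.14-h8",
    (10, 2): "10.2.10-h12",
    (11, 1): "11.1.5",
    (11, 2): "11.2.3",
}
# 11.0 reached end-of-life and receives no fix, so every 11.0 release stays exposed.
EOL_TRAINS = {(11, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(version: str) -> tuple:
    """Turn '10.1.14-h8' into (10, 1, 14, 8); a release with no hotfix gets hotfix 0,
    so the base release sorts below any hotfix of the same patch level."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown-train' for one device."""
    parsed = parse_version(version)
    train = parsed[:2]
    if train in EOL_TRAINS:
        return "eol"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return "unknown-train"   # a train the summary does not list; consult the advisory
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"

def triage(inventory: dict) -> dict:
    """Assess every device in a {name: version} inventory."""
    return {name: assess(ver) for name, ver in inventory.items()}
```

Devices rated 'vulnerable' or 'eol' are the ones that need the DNS Security logging workaround below until they can be upgraded or replaced.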

Palo Alto Networks has also provided workarounds for customers unable to immediately apply updates:

Mitigation Steps for Unmanaged NGFWs or Those Managed by Panorama:
  • Navigate to: Objects → Security Profiles → Anti-spyware → DNS Policies → DNS Security for each Anti-spyware profile.
  • Change the Log Severity to "none" for all configured DNS Security categories.
  • Commit the changes, then revert the settings after applying the fixes.

For NGFWs Managed by Strata Cloud Manager (SCM):
  • Option 1: Disable DNS Security logging directly on each NGFW using the steps above.
  • Option 2: Open a support case to disable DNS Security logging across all NGFWs in the tenant.

For Prisma Access Managed by SCM:
  • Open a support case to disable DNS Security logging across all NGFWs in the tenant.
  • If needed, request an expedited Prisma Access tenant upgrade through the support case.

The company urges all users to apply the recommended updates or follow the workarounds to mitigate the risk of exploitation.

IBM's Exit from Cybersecurity Software Shakes the Industry


In an unexpected move that has disrupted the cybersecurity equilibrium, IBM has announced its exit from the cybersecurity software market by selling its QRadar SaaS portfolio to Palo Alto Networks. This development has left many Chief Information Security Officers (CISOs) rethinking their procurement strategies and vendor relationships as they work to rebuild their Security Operations Centers (SOCs).

IBM's QRadar Suite: A Brief Overview

The QRadar Suite, rolled out by IBM in 2023, included a comprehensive set of cloud-native security tools such as endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR), and key components for log management, including security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. The suite was recently expanded to include on-premises versions based on Red Hat OpenShift, with plans for integrating AI capabilities through IBM's Watsonx AI platform.

The agreement, expected to close by the end of September, also designates IBM Consulting as a "preferred managed security services provider (MSSP)" for Palo Alto Networks customers. This partnership will see the two companies sharing a joint SOC, potentially benefiting customers looking for integrated security solutions.

Palo Alto Networks has assured that feature updates and critical fixes will continue for on-premises QRadar installations. However, the long-term support for these on-premises solutions remains uncertain.

Customer Impact and Reactions

The sudden divestiture has taken the cybersecurity community by surprise, particularly given IBM's significant investment in transforming QRadar into a cloud-native platform. Eric Parizo, managing principal analyst at Omdia, noted the unexpected nature of this move, highlighting the substantial resources IBM had dedicated to QRadar's development.

Customers now face a critical decision: migrate to Palo Alto's Cortex XSIAM platform or explore other alternatives. Omdia's research indicates that IBM's QRadar was the third-largest next-generation SIEM provider, trailing only Microsoft and Splunk (now part of Cisco). The sudden shift has left many customers seeking clarity and solutions.

Market Dynamics

This acquisition comes at a pivotal time in the cybersecurity industry, with SIEM, SOAR, and XDR technologies increasingly converging into unified SOC platforms. Major players like AWS, Microsoft, Google, CrowdStrike, Cisco, and Palo Alto Networks are leading this trend. Just before IBM's announcement, Exabeam and LogRhythm revealed their merger plans, aiming to combine their SIEM and user and entity behaviour analytics (UEBA) capabilities.

Forrester principal analyst Allie Mellen pointed out that IBM's QRadar lacked a fully-fledged XDR offering, focusing more on EDR. This gap might have influenced IBM's decision to divest QRadar.

For Palo Alto Networks, acquiring QRadar represents a significant boost. The company plans to integrate QRadar's capabilities with its Cortex XSIAM platform, known for its automation and MDR features. While Palo Alto Networks has made rapid advancements with Cortex XSIAM, analysts like Parizo believe it still lacks the maturity and robustness of IBM's QRadar.

Palo Alto Networks intends to offer free migration paths to its Cortex XSIAM for existing QRadar SaaS customers, with IBM providing over 1,000 security consultants to assist with the transition. This free migration option will also extend to "qualified" on-premises QRadar customers.

The long-term prospects for QRadar SaaS under Palo Alto Networks remain unclear. Analysts suggest that the acquisition aims to capture QRadar's customer base rather than sustain the product. As contractual obligations expire, customers will likely need to transition to Cortex XSIAM or consider alternative vendors.

A notable aspect of the agreement is the incorporation of IBM's Watsonx AI into Cortex XSIAM, which will enhance its Precision AI tools. Gartner's Avivah Litan highlighted IBM's strong AI capabilities, suggesting that this partnership could benefit both companies.

In conclusion, IBM's exit from the cybersecurity software market marks a paradigm shift, prompting customers to reevaluate their security strategies. As Palo Alto Networks integrates QRadar into its offerings, the industry will closely watch how this transition unfolds and its impact.