This week we find Palo Alto still dealing with fallout from CVE-2024-3400 (but now with remediation steps!), Okta warning of "unprecedented surge" in phishing attempts, WordPress plugins being targeted, and the Department of Justice arresting founders of a crypto mixer.
Palo Alto outlines remediation steps for CVE-2024-3400
Link: The Hacker News, Palo Alto
Last week, we linked to an update from Palo Alto that gave a bit more insight into CVE-2024-3400 and how it works. With strong evidence suggesting that the exploit has been used since March 26, 2024, by a group now tracked as UTA0218, Palo Alto has provided guidance on how to remediate the vulnerability.
With this exploit being rated a 10.0 on the CVSS and allowing remote code execution, this should be one that moves to the top of the "to do list" for vulnerability management.
Okta warns of surge in credential stuffing attacks
Link: The Hacker News
Okta's Identity Threat Research team identified an increase in credential stuffing attacks against user accounts last week, likely from the same TOR exit nodes identified by the Cisco Talos team. These attacks take advantage of leaked credential sets, underlining the need for additional access controls like 2FA, passkeys, or even FIDO keys.
As an additional point of note, Microsoft has already found that simply adding 2FA to accounts reduces the likelihood of account takeover by 99% (obviously not accounting for human error in these attacks). We highly recommend adding it for all users within an organization, not just the elevated or high-privileged accounts.
WordPress "WP Automatic" plugin being targeted
Link: Bleeping Computer
Researchers at PatchStack identified a vulnerability in the WP Automatic plugin that uses SQL injection to create new accounts with administrator privileges. With more than 30,000 websites using the plugin, PatchStack (and we) recommend updating to version 3.9.2.0 and reviewing your WordPress instance for any additional user accounts that may have been created.
WordPress plugins being targeted as an entry point isn't anything new, but with a severity of 9.9 and allowing full administrator access once exploited, this is one to pay attention to.
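One way to do that review, as an added example that is not code from the newsletter or from PatchStack: WordPress stores a user's roles in the usermeta table under the meta key wp_capabilities as a PHP-serialized array, so a check only needs the login, registration timestamp and that value for each user. The rows below are constructed; the default wp_ table prefix and the cutoff date are assumptions the operator would replace.

```python
"""Flag administrator accounts registered on or after a cutoff date.

Added example. The rows are constructed to look like the result of joining
wp_users with wp_usermeta on meta_key = 'wp_capabilities' (default wp_ prefix
assumed). A real review would feed in the actual query output.
"""
import re
from datetime import datetime

# Constructed sample rows: (user_login, user_registered, wp_capabilities)
SAMPLE_ROWS = [
    ("siteowner", "2021-03-02 10:15:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor_jane", "2023-07-19 08:00:00", 'a:1:{s:6:"editor";b:1;}'),
    ("wpadm1n", "2024-04-22 03:41:17", 'a:1:{s:13:"administrator";b:1;}'),
    ("backup_svc", "2024-04-23 02:05:44",
     'a:2:{s:13:"administrator";b:1;s:10:"subscriber";b:1;}'),
]

# Matches one entry of the serialized array: s:<len>:"<role>";b:<0|1>;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:(0|1);')


def roles_from_capabilities(serialized: str) -> set:
    """Return the role names whose flag is true in a PHP-serialized capabilities array."""
    return {name for name, flag in ROLE_RE.findall(serialized) if flag == "1"}


def find_new_admins(rows, cutoff: str) -> list:
    """Return logins holding the administrator role that were registered on or after cutoff (YYYY-MM-DD)."""
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d")
    hits = []
    for login, registered, caps in rows:
        if "administrator" not in roles_from_capabilities(caps):
            continue
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= cutoff_dt:
            hits.append(login)
    return hits


if __name__ == "__main__":
    # Cutoff is a placeholder; use the date the plugin was known to be exposed.
    for login in find_new_admins(SAMPLE_ROWS, "2024-04-01"):
        print(f"review: administrator account '{login}' registered after cutoff")
```

Any login it reports is one to verify against your own change records before treating it as attacker-created.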
Department of Justice arrests Samourai crypto mixer founders
Link: The Hacker News
The DOJ has announced that it has arrested the founders of Samourai, a crypto mixer. The service was allegedly responsible for over $2 billion in transactions, with $100 million directly laundered for criminal activity.
For those unfamiliar with the concept, a crypto mixer is a mechanism that receives payment in cryptocurrency, performs a series of transactions for smaller amounts, and returns the payment (less a fee) to the depositor. Because the blockchain is immutable, the idea is to create a paper trail confusing enough that forensic accounting teams have difficulty identifying the source and destination of transfers.