#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Firewall | Breaking Cybersecurity News | The Hacker News

New TunnelVision Attack Allows Hijacking of VPN Traffic via DHCP Manipulation

New TunnelVision Attack Allows Hijacking of VPN Traffic via DHCP Manipulation
May 09, 2024 Encryption / Data Privacy
Researchers have detailed a Virtual Private Network (VPN) bypass technique dubbed  TunnelVision  that allows threat actors to snoop on victim's network traffic by just being on the same local network. The "decloaking"  method  has been assigned the CVE identifier  CVE-2024-3661  (CVSS score: 7.6). It impacts all operating systems that implement a DHCP client and has support for DHCP option 121 routes. At its core, TunnelVision involves the routing of traffic without encryption through a VPN by means of an attacker-configured DHCP server using the  classless static route option 121  to set a route on the VPN user's  routing table . It also stems from the fact the DHCP protocol, by design, does not authenticate such option messages, thus exposing them to manipulation. DHCP is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway 

Critical F5 Central Manager Vulnerabilities Allow Enable Full Device Takeover

Critical F5 Central Manager Vulnerabilities Allow Enable Full Device Takeover
May 09, 2024 Firewall / Network Security
Two security vulnerabilities have been discovered in F5 Next Central Manager that could be exploited by a threat actor to seize control of the devices and create hidden rogue administrator accounts for persistence. The remotely exploitable flaws "can give attackers full administrative control of the device, and subsequently allow attackers to create accounts on any F5 assets managed by the Next Central Manager," security firm Eclypsium  said  in a new report. A description of the two issues is as follows - CVE-2024-21793  (CVSS score: 7.5) - An OData injection vulnerability that could allow an unauthenticated attacker to execute malicious SQL statements through the BIG-IP NEXT Central Manager API CVE-2024-26026  (CVSS score: 7.5) - An SQL injection vulnerability that could allow an unauthenticated attacker to execute malicious SQL statements through the BIG-IP Next Central Manager API Both the flaws impact Next Central Manager versions from 20.0.1 to 20.1.0. The sho

China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale

China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale
Apr 29, 2024 DNS Security / Cyber Espionage
A previously undocumented cyber threat dubbed  Muddling Meerkat  has been observed undertaking sophisticated domain name system (DNS) activities in a likely effort to evade security measures and conduct reconnaissance of networks across the world since October 2019. Cloud security firm Infoblox described the threat actor as likely affiliated with the People's Republic of China (PRC) with the ability to control the Great Firewall ( GFW ), which censors access to foreign websites and manipulates internet traffic to and from the country. The moniker is reference to the "bewildering" nature of their operations and the actor's abuse of DNS open resolvers – which are DNS servers that accept recursive queries from all IP addresses – to send queries from the Chinese IP space. "Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today – clearly pointing out that DNS is a powerful weapon leveraged by adversaries,"

Protecting Your Organization From Insider Threats - All You Need to Know

cyber security
websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.

What's the Right EDR for You?

What's the Right EDR for You?
May 10, 2024Endpoint Security / Threat Detection
A guide to finding the right endpoint detection and response (EDR) solution for your business' unique needs. Cybersecurity has become an ongoing battle between hackers and small- and mid-sized businesses. Though perimeter security measures like antivirus and firewalls have traditionally served as the frontlines of defense, the battleground has shifted to endpoints. This is why endpoint detection and response (EDR) solutions now serve as critical weapons in the fight, empowering you and your organization to detect known and unknown threats, respond to them quickly, and extend the cybersecurity fight across all phases of an attack.  With the growing need to defend your devices from today's cyber threats, however, choosing the right EDR solution can be a daunting task. There are so many options and features to choose from, and not all EDR solutions are made with everyday businesses and IT teams in mind. So how do you pick the best solution for your needs? Why EDR Is a Must Because of

Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack
Apr 20, 2024 Vulnerability / Network Security
Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as  CVE-2024-3400  (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. "In the first one, the GlobalProtect service did not sufficiently validate the session ID format before storing them. This enabled the attacker to store an empty file with the attacker's chosen filename," Chandan B. N., senior director of product security at Palo Alto Networks,  said . "The second bug (trusting that the files were system-generated) used the filenames as part of a command."  It's worth noting that while neither of the issues are critical enough on their own, when chained together, they could lead to unauthenticated remote shell command execution. Palo Alto Networks sai

Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack

Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack
Apr 12, 2024 Network Security / Zero-Day
Palo Alto Networks is warning that a critical flaw impacting PAN-OS software used in its GlobalProtect gateways is being actively exploited in the wild. Tracked as  CVE-2024-3400 , the issue has a CVSS score of 10.0, indicating maximum severity. "A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall," the company  said  in an advisory published today. The flaw impacts the following versions of PAN-OS, with fixes expected to be released on April 14, 2024 - PAN-OS < 11.1.2-h3 PAN-OS < 11.0.4-h1 PAN-OS < 10.2.9-h1 The company also said that the issue is applicable only to firewalls that have the configurations for both  GlobalProtect gateway  (Network > GlobalProtect > Gateways) and  device telemetry  (Device > Setup > Telemetry) enabled.

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks
Mar 26, 2024 Online Gaming / DDoS Protection
Minecraft, with over 500 million registered users and 166 million monthly players, faces significant risks from distributed denial-of-service (DDoS) attacks, threatening server functionality, player experience, and the game's reputation. Despite the prevalence of DDoS attacks on the game, the majority of incidents go unreported, leaving a gap in awareness and protection. This article explains what happens to a Minecraft server during a DDoS attack and how to protect against such attacks. For an in-depth version of the article,  check out this white paper . When Creepers Breach: What Happens When an Attack Is Successful When a Minecraft server is hit with a DDoS attack, players may have problems with logging in to servers, loading worlds, navigating biomes, using tools, and chatting. They can also experience general lags, disconnections, timeouts, or server crashes. These in-game disruptions can ruin the gaming experience for players while causing financial and reputational losses to

Alert: Over 178,000 SonicWall Firewalls Potentially Vulnerable to Exploits - Act Now

Alert: Over 178,000 SonicWall Firewalls Potentially Vulnerable to Exploits - Act Now
Jan 16, 2024 Vulnerability / Network Security
Over 178,000 SonicWall firewalls exposed over the internet are exploitable to at least one of the two security flaws that could be potentially exploited to cause a denial-of-service (DoS) condition and remote code execution (RCE). "The two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern," Jon Williams, a senior security engineer at Bishop Fox,  said  in a technical analysis shared with The Hacker News. The vulnerabilities in question are listed below - CVE-2022-22274  (CVSS score: 9.4) - A stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote, unauthenticated attacker to cause DoS or potentially result in code execution in the firewall. CVE-2023-0656  (CVSS score: 7.5) - A stack-based buffer overflow vulnerability in the SonicOS allows a remote, unauthenticated attacker to cause DoS, which could result in a crash. While there are no reports of exploitation of the flaws

New Findings Challenge Attribution in Denmark's Energy Sector Cyberattacks

New Findings Challenge Attribution in Denmark's Energy Sector Cyberattacks
Jan 14, 2024 Cyber Attack / Vulnerability
The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group,  new findings  from Forescout show. The intrusions, which  targeted around 22 Danish energy organizations  in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector. The first wave took place on May 11, while the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, it was observed that the compromised system was communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command-and-control (C2) for the now-dismantled  Cyclops Blink  botnet. Forescout's closer examination of the attack campaign, however, has revealed that not only were the two waves unrelated, but also

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks
Dec 15, 2023 Botnet / Advanced Persistent Threat
A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called  Volt Typhoon . Dubbed  KV-botnet  by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022. "The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years," the company  said . The two clusters – codenamed KV and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China. While the bots part of JDY engages in broader scanning

Zyxel Releases Patches to Fix 15 Flaws in NAS, Firewall, and AP Devices

Zyxel Releases Patches to Fix 15 Flaws in NAS, Firewall, and AP Devices
Dec 01, 2023 Firewall / Network Security
Zyxel has released patches to address 15 security issues impacting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection. The  three vulnerabilities  are listed below - CVE-2023-35138  (CVSS score: 9.8) - A command injection vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request. CVE-2023-4473  (CVSS score: 9.8) - A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device. CVE-2023-4474  (CVSS score: 9.8) - An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device. Also patched by Zyxel are three high-severity flaws ( CVE-

Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability

Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability
Sep 19, 2023 Network Security / Exploit
New research has found that close to 12,000 internet-exposed Juniper firewall devices are vulnerable to a recently disclosed remote code execution flaw. VulnCheck, which  discovered  a new exploit for CVE-2023-36845, said it could be  exploited  by an "unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system." CVE-2023-36845 refers to a  medium-severity flaw  in the J-Web component of Junos OS that could be weaponized by a threat actor to control certain, important environment variables. It was patched by Juniper Networks last month alongside CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847 in an out-of-cycle update. A subsequent proof-of-concept (PoC) exploit devised by watchTowr combined CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution. The latest exploit, on the other hand, impacts older systems and can be written using a single cURL comma

New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products

New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products
Jul 13, 2023 Network Security / Vulnerability
SonicWall on Wednesday urged customers of Global Management System (GMS) firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information. Of the 15 shortcomings (tracked from CVE-2023-34123 through CVE-2023-34137), four are rated Critical, four are rated High, and seven are rated Medium in severity. The vulnerabilities were disclosed by NCC Group. The flaws impact on-premise versions of GMS 9.3.2-SP1 and before and Analytics 2.5.0.4-R7 and before. Fixes are available in versions GMS 9.3.3 and Analytics 2.5.2. "The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve," SonicWall  said . "This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or dele

Critical RCE Flaw Discovered in Fortinet FortiGate Firewalls - Patch Now!

Critical RCE Flaw Discovered in Fortinet FortiGate Firewalls - Patch Now!
Jun 12, 2023 Vulnerability / Network Security
Fortinet has released patches to address a critical security flaw in its FortiGate firewalls that could be abused by a threat actor to achieve remote code execution. The vulnerability, tracked as  CVE-2023-27997 , is "reachable pre-authentication, on every SSL VPN appliance," Lexfo Security researcher Charles Fol, who discovered and reported the flaw alongside Dany Bach,  said  in a tweet over the weekend. Details about the security flaw are currently withheld and Fortinet is yet to release an advisory, although the network security company is expected to publish more details in the coming days. French cybersecurity company Olympe Cyberdefense, in an independent alert,  said  the issue has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5. "The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated," the firm noted. With Fortinet flaws  emerging  as a  lucrative   attack vector  for threat actors in recent years, it&#

Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now
Apr 28, 2023 Network Security / Vulnerability
Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as  CVE-2023-28771 , is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. "Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device," Zyxel  said  in an advisory on April 25, 2023. Products impacted by the flaw are - ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36) USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36) VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1) Zyxel has also  addressed  a high-severity post-authentication command injection vulnerability affecting select firewa

New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access

New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access
Mar 09, 2023 Network Security / Firewall
Fortinet has released fixes to  address 15 security flaws , including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as  CVE-2023-25610 , is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. "A buffer underwrite ('buffer underflow') vulnerability in FortiOS and FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests," Fortinet  said  in an advisory. Underflow bugs , also called  buffer underruns , occur when the input data is shorter than the reserved space, causing unpredictable behavior or leakage of sensitive data from memory. Other possible consequences include memory corruption that could either be weaponized to induce a crash or execute arbitrary code. Fortinet said it's not

Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware

Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware
Jan 20, 2023 Firewall / Network Security
A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were released. "This incident continues China's pattern of exploiting internet facing devices, specifically those used for managed security purposes (e.g., firewalls, IPS\IDS appliances etc.)," Mandiant researchers  said  in a technical report. The attacks entailed the use of a sophisticated backdoor dubbed  BOLDMOVE , a Linux variant of which is specifically designed to run on Fortinet's FortiGate firewalls. The intrusion vector in question relates to the exploitation of  CVE-2022-42475 , a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could result in unauthenti

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices
Nov 17, 2022
Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems. Cybersecurity firm Rapid7 said the  flaws  could be abused to remote access to the devices and defeat security constraints. The issues impact BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows - CVE-2022-41622  (CVSS score: 8.8) - A cross-site request forgery ( CSRF ) vulnerability through iControl SOAP, leading to unauthenticated remote code execution. CVE-2022-41800  (CVSS score: 8.7) - An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass  Appliance mode  restrictions. "By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's man

Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug

Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug
Oct 11, 2022
Fortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild. Tracked as  CVE-2022-40684  (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative interface via specially crafted HTTP(S) requests. "Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'" the company  noted  in an advisory. The list of impacted devices is below - FortiOS version 7.2.0 through 7.2.1 FortiOS version 7.0.0 through 7.0.6 FortiProxy version 7.2.0 FortiProxy version 7.0.0 through 7.0.6 FortiSwitchManager version 7.2.0, and FortiSwitchManager version 7.0.0 Updates hav

Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy

Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy
Oct 07, 2022
Fortinet has privately warned its customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could potentially allow an attacker to perform unauthorized actions on susceptible devices. Tracked as CVE-2022-40684 (CVSS score: 9.6), the critical flaw relates to an authentication bypass vulnerability that may permit an unauthenticated adversary to carry out arbitrary operations on the administrative interface via a specially crafted HTTP(S) request. The issue impacts the following versions, and has been addressed in FortiOS versions  7.0.7  and  7.2.2 , and FortiProxy versions 7.0.7 and 7.2.1 released this week: FortiOS - From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1 FortiProxy - From 7.0.0 to 7.0.6 and 7.2.0 "Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," the company  cautioned  in an alert shared by a security researcher w

5 Questions You Need to Ask About Your Firewall Security

5 Questions You Need to Ask About Your Firewall Security
Jul 13, 2022
Often, organizations think of firewall security as a one-and-done type of solution. They install firewalls, then assume that they are "good to go" without investigating whether or not these solutions are actually protecting their systems in the best way possible. "Set it and forget it!" Instead of just relying on firewalls and assuming that they will always protect their businesses from cyber risk, executives need to start asking deeper questions about them. As with most areas of business, it's important to take a critical look at each solution that your organization relies on for security. So, let's break down a few questions that you and your team should be asking about firewall security to get a more accurate view into your network defense posture. 1 — What does your team's firewall knowledge look like? In order to properly service and upkeep firewalls, your team needs to have at least a baseline knowledge of how firewalls operate. It's espe
Expert Insights
Cybersecurity Resources