Threat Intel Brief for November 11 - November 17, 2024

Written by CoreTek | Nov 20, 2024 5:06:10 PM

In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
PAN-OS Authentication Bypass Vulnerability CVE-2024-0012
SVG attachments used to evade phishing detections
Microsoft November 2024 Patch Tuesday
CISA KEV updates

PAN-OS Authentication Bypass Vulnerability: CVE-2024-0012

Palo Alto Networks has released a security advisory covering CVE-2024-0012, an authentication bypass in PAN-OS management web interface. If exploited, this could lead to an attacker performing administrative actions, tampering with the configuration, or exploiting other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

Palo Alto Networks has scanned for vulnerable devices with an internet-facing management interface and lists this information on the customer support portal https://support.paloaltonetworks.com. Once logged in, go to (Products → Assets → All Assets → Remediation Required), devices tagged with PAN-SA-2024-0015 have been found to have an internet-facing management interface.

Product Status 


Patches have been released and should be applied asap. Remediation guidance suggests limiting management interface access to known internal IPs. Please follow the linked source article for full workaround and mitigation guidance. You can also check the Coretek Blog for a more detailed threat advisory.

Source: Palo Alto Networks

SVG attachments used to evade phishing detections

Threat actors are leveraging the versatility of SVG files, which can display graphics, HTML, and execute JavaScript, to create phishing forms and distribute malware. These SVG attachments often bypass security software due to their textual nature, making them a growing concern for cybersecurity analysts.

A recent example of this technique was an attached SVG file which displayed a fake Excel spreadsheet. The fake sheet had a built-in login form, that when submitted, would send the entered data to responsible threat actors. It is important to note that SVG attachments are uncommon and should be treated by end users as suspicious.

Source: Bleepingcomputer
Microsoft November 2024 Patch Tuesday

89 total vulnerabilities fixed, including 4 rated as critical severity. Affected products include Windows, Office, SQL Server, Azure, Dynamics and ESU.

2 actively exploited zero-day vulnerabilities patched, including:

CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability - CVSS 6.5
CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability - CVSS 8.8

Official Microsoft release notes with links to all the individual CVEs can be found here: https://msrc.microsoft.com/update-guide/releaseNote/2024- Nov

Source: Microsoft Qualys
CISA KEV updates

CISA has added 7 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:

CVE-2021-26086 - Atlassian Jira Server and Data Center Path Traversal Vulnerability - CVSS 5.3
CVE-2014-2120 - Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability - CVSS 6.1
CVE-2021-41277 - Metabase GeoJSON API Local File Inclusion Vulnerability - CVSS 7.5
CVE-2024-42451 - Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability - CVSS 7.5
CVE-2024-49039 - Microsoft Windows Task Scheduler Privilege Escalation Vulnerability - CVSS 8.8
CVE-2024-9465 - Palo Alto Networks Expedition SQL Injection Vulnerability - CVSS 9.2
CVE-2024-9463 - Palo Alto Networks Expedition OS Command Injection Vulnerability - CVSS 9.9


Don't know where to begin with vulnerability management?

Using CISAs KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA.

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact