September 13, 2024
Severity
High
Analysis Summary
Researchers have discovered a new malware campaign that illegally mines cryptocurrency in Linux environments. The activity distributes malware known as Hadooken and targets Oracle WebLogic Server in particular.
Cybersecurity researchers said, “When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner.”
The attack chains leverage well-known security flaws and misconfigurations, such as weak passwords, to gain a foothold and run arbitrary code on vulnerable systems. To do this, two virtually identical payloads are launched: one is a shell script, the other is written in Python. Both payloads are responsible for downloading the Hadooken malware from a remote server.
Furthermore, the shell script variant iterates through the directories that hold SSH data (such as user credentials, host details, and secrets) and uses that data to attack known servers, spreading the Hadooken malware laterally across the organization or connected network environments.
Hadooken bundles two components: a cryptocurrency miner and Tsunami, also known as Kaiten, a distributed denial-of-service (DDoS) botnet with a history of attacking WebLogic and Jenkins services deployed in Kubernetes clusters. The malware also establishes persistence on the host by creating cron jobs that run the cryptocurrency miner periodically at varying intervals.
According to the researchers, 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644). This IP address was previously reported in February 2024 as having been used to exploit vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center in a cryptocurrency mining campaign associated with the 8220 Gang.
Although it is not currently in use, the second IP address, 185.174.136[.]204, is linked to Aeza Group Ltd. (AS216246). As researchers demonstrated in July 2024, Aeza is a resilient hosting provider with locations in two Frankfurt data centers and at Moscow M9. Aeza's strategy and rapid expansion can be explained by its hiring of young developers connected to Russian bulletproof hosting companies that provide safe havens for cybercriminals.
Impact
- Code Execution
- Cryptocurrency Theft
- Unauthorized Access
- Sensitive Data Theft
- Denial of Service
Indicators of Compromise
IP
- 185.174.136.204
- 89.185.85.102
MD5
- cdf3fce392df6fbb3448c5d26c8d053e
- 4a12098c3799ce17d6d59df86ed1a5b6
- b9f096559e923787ebb1288c93ce2902
- 9bea7389b633c331e706995ed4b3999c
- 8eef5aa6fa9859c71b55c1039f02d2e6
- c1897ea9457343bd8e73f98a1d85a38f
- 73d96a4316182cd6417bdab86d4df1fc
SHA-256
- 652f25d8f197ad00e4a64d1ad4066778e1bbc9a0e29faf09b90768c84f89c4ee
- 89e16174f65709fecd11c620d57abdab53046734d5105bedce8bc357513dd64b
- 1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
- 33926b0dfc908b518213d7608f701beca2373adad1f40025c17028cac5d4837f
- 10c2913361debb5f1db95c170ce2d6892d598d97b9f1f7f76a8bc7b5053e801a
- 6882691af41db3f6d8a3a2e08dbb685db4cf9d25167738bc7c177895863dc866
- 9afb13e5ab9ec5ef9d246bf5793e6dc4c8d2b58758a22c60beeb4004f348a77c
SHA-1
- 4a3dc35d4853665d4d08f0c5220e650f28eb9c06
- 0e8a3699cfaa236b73fd5aab51649c296bc8f001
- 94851bcc8f9c651bcda0ff33d17356cb0b16cf12
- b2d07deea8da1bf44f5103a8858c7f7000309130
- 8fcbf737766a473e2f033b9ee161fcf837228da3
- c8a2a9668cc86c85536e762180dd9b032af0686c
- b53cd1a65f9edf6b53c1eb152b87e1b9a701d8f9
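One way to act on the indicator list above and on the behaviours described in the analysis (SSH-based spread, cron-based persistence of the miner), as an added example that is not part of the advisory or of any vendor tool: a small Python sweep that hashes files under chosen directories and compares them with the listed MD5/SHA-1/SHA-256 values, searches log lines for the two listed IP addresses, and flags crontab entries that run from temporary directories or fetch code at run time. The hashes and IPs are copied from the advisory; the sample log lines, the sample crontab and the file written by demo() are constructed for illustration (the demo file is benign, and its hash is added to a copy of the IoC set only so the match path can be exercised offline).

```python
"""IoC sweep for the Hadooken indicators listed in the advisory (added example)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Hashes and IP addresses copied from the advisory's IoC list.
IOC_HASHES = {
    "md5": {
        "cdf3fce392df6fbb3448c5d26c8d053e", "4a12098c3799ce17d6d59df86ed1a5b6",
        "b9f096559e923787ebb1288c93ce2902", "9bea7389b633c331e706995ed4b3999c",
        "8eef5aa6fa9859c71b55c1039f02d2e6", "c1897ea9457343bd8e73f98a1d85a38f",
        "73d96a4316182cd6417bdab86d4df1fc",
    },
    "sha1": {
        "4a3dc35d4853665d4d08f0c5220e650f28eb9c06", "0e8a3699cfaa236b73fd5aab51649c296bc8f001",
        "94851bcc8f9c651bcda0ff33d17356cb0b16cf12", "b2d07deea8da1bf44f5103a8858c7f7000309130",
        "8fcbf737766a473e2f033b9ee161fcf837228da3", "c8a2a9668cc86c85536e762180dd9b032af0686c",
        "b53cd1a65f9edf6b53c1eb152b87e1b9a701d8f9",
    },
    "sha256": {
        "652f25d8f197ad00e4a64d1ad4066778e1bbc9a0e29faf09b90768c84f89c4ee",
        "89e16174f65709fecd11c620d57abdab53046734d5105bedce8bc357513dd64b",
        "1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5",
        "33926b0dfc908b518213d7608f701beca2373adad1f40025c17028cac5d4837f",
        "10c2913361debb5f1db95c170ce2d6892d598d97b9f1f7f76a8bc7b5053e801a",
        "6882691af41db3f6d8a3a2e08dbb685db4cf9d25167738bc7c177895863dc866",
        "9afb13e5ab9ec5ef9d246bf5793e6dc4c8d2b58758a22c60beeb4004f348a77c",
    },
}
IOC_IPS = {"185.174.136.204", "89.185.85.102"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 89.185.85[.]102 into its plain form."""
    return indicator.replace("[.]", ".")


def hash_file(path):
    """Return the md5/sha1/sha256 hex digests of one file, read in 64 KiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_paths(roots, iocs=IOC_HASHES):
    """Walk the given directories; return (path, algorithm, digest) for every file whose hash is listed."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    digests = hash_file(path)
                except OSError:
                    continue  # unreadable or vanished file: skip it rather than abort the sweep
                for algo, digest in digests.items():
                    if digest in iocs.get(algo, set()):
                        hits.append((path, algo, digest))
    return hits


# Dotted-quad not glued to other digits or dots, so 185.174.136.204:80 matches but 1185.174.136.204 does not.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_ioc_ips(lines, ips=IOC_IPS):
    """Return (line_number, ip) for every log line mentioning a listed IP address."""
    return [(n, ip) for n, line in enumerate(lines, 1) for ip in IP_RE.findall(line) if ip in ips]


# Commands that run from world-writable temp directories or fetch/decode code at run time.
CRON_RE = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|\bcurl\s|\bwget\s|base64\s+-d)")


def suspicious_cron_lines(lines):
    """Return non-comment crontab lines whose command matches CRON_RE."""
    return [l for l in lines if not l.lstrip().startswith("#") and CRON_RE.search(l)]


# Constructed sample data (not real captures).
SAMPLE_LOG = [
    "2024-09-13T10:01:02Z wls-01 sshd[2211]: Accepted password for oracle from 89.185.85.102 port 51234 ssh2",
    "2024-09-13T10:01:05Z wls-01 kernel: eth0: link up",
    "2024-09-13T10:02:40Z fw-edge: DENY TCP 10.20.30.40:44120 -> 185.174.136.204:80",
]
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "*/15 * * * * /tmp/.x/run.sh >/dev/null 2>&1",
]


def demo():
    """Run the sweep against a constructed benign file plus the sample log and crontab; return the findings."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    sample = Path(root) / "constructed_sample.bin"
    sample.write_bytes(b"constructed benign sample, not malware\n")
    iocs = {algo: set(v) for algo, v in IOC_HASHES.items()}
    iocs["sha256"].add(hash_file(sample)["sha256"])  # constructed indicator, demo only
    return {
        "root": root,
        "file_hits": scan_paths([root], iocs),
        "log_hits": find_ioc_ips(SAMPLE_LOG),
        "cron_hits": suspicious_cron_lines(SAMPLE_CRON),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, point scan_paths at the WebLogic domain directories and /tmp, feed find_ioc_ips with sshd and firewall logs, and feed suspicious_cron_lines with the output of crontab -l for each account plus the files under /etc/cron.d; the cron heuristic is deliberately broad and will flag legitimate jobs, so treat its output as a review list, not a verdict.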
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.