May 8's Top Cyber News NOW! - Ep 1128
At a glance
PaloAlto Networks' PAN-OS faces active exploitation via a critical buffer overflow in the authentication portal—patch due May 13th. Russia targets Polish water infrastructure in apparent retaliation for NATO support to Ukraine. Microsoft Edge stores decrypted passwords in plain text by design, exposing credentials to admin-level attackers. Supply chain threats continue: malicious Python packages deliver Zia Chatbot malware via public APIs, while a new PCP Jack worm steals cloud credentials and removes competing malware.
Stories covered
What's the latest on the PaloAlto PAN-OS RCE buffer overflow?
What happened: PaloAlto Networks disclosed a critical CVE (CVSS 9.3/8.7) buffer overflow vulnerability in the PAN-OS user ID authentication portal. Researchers confirmed active exploitation by suspected state-sponsored threat actors (likely Chinese origin) since at least April 9th. Patches are expected May 13th.
Why it matters: The vulnerability grants root access and enables arbitrary code execution on enterprise-grade network infrastructure. Active exploitation in the wild means threat actors already have persistence and may have deployed additional payloads. This affects critical infrastructure relied upon by enterprises for firewall and VPN operations.
What to do: If running PAN-OS: (1) Immediately restrict access to the user ID authentication portal to trusted zones or disable it entirely if unused. (2) Patch by May 13th. (3) Conduct threat hunting within your environment to confirm whether you were compromised during the exploitation window. Run these in parallel with patching. Review firewall logs for suspicious activity since April 9th.
Why is Russia targeting Polish water treatment facilities?
What happened: Poland's internal security agency (ABW) reported that Russian-backed hackers targeted water treatment control systems in six towns, gaining access to industrial control systems in some cases. An activist group linked to Russia posted propaganda videos of intrusions online. Poland's incident response team recorded over 40,000 reports related to the attacks.
Why it matters: Water infrastructure is critical to public health and continuity of operations. Successful compromise of ICS systems could disrupt water supply to civilian populations. This represents cyber-kinetic escalation against NATO ally Poland, likely retaliation for Poland's role as a logistics hub for Western military aid to Ukraine.
What to do: If managing water or critical infrastructure: audit access control mechanisms to ICS systems; implement network segmentation between IT and OT networks; prepare continuity-of-operations plans assuming systems will be unavailable. Monitor for signs of reconnaissance or lateral movement. Consider consulting ICS-specific resources like ICS Village for defensive guidance.
How are malicious Python packages spreading the Zia Chatbot malware?
What happened: Kaspersky researchers discovered three malicious packages on PyPI designed to deliver Zia Chatbot malware to Windows and Linux systems. The malware uses REST APIs from the public team chat app Zulip as C2 infrastructure rather than traditional command-and-control servers. Code analysis suggests Vietnamese origin (Ocean Lotus affiliation). Packages have been removed from PyPI.
Why it matters: Supply chain attacks via package repositories continue to grow in sophistication. This attack leverages legitimate public APIs to hide C2 communications, making detection harder. Zia Chatbot extracts DLLs, uses autorun for persistence, and cleans up after itself to evade thread hunting. Nation-state-grade tradecraft suggests long-term targeting capability.
What to do: Review any open-source dependencies your development teams use before and after implementation. Do not assume code reviewed once is safe forever—malware can be injected into previously-clean packages during updates. Vet third-party software suppliers and consider dependency scanning tools. Educate developers about PyPI risks and the practice of supply chain compromise.
What's the severity of the Ivanti EPMM zero-day RCE?
What happened: Ivanti issued a critical warning for CVE (high severity) affecting Endpoint Manager Mobile (EPMM) 12.8.00 and earlier. A remote code execution vulnerability stems from improper input validation. Shadow Server tracks over 850 exposed EPMM fingerprints online, primarily in Europe and North America. The vulnerability requires administrative privileges to exploit.
Why it matters: EPMM is used for centralized mobile endpoint management in enterprises. RCE could compromise the management platform itself and the underlying operating system. However, the attacker must already possess valid admin credentials, which creates a dependency on credential compromise or phishing.
What to do: (1) Audit administrative account access logs for EPMM in the past 30 days. (2) Rotate admin credentials immediately. (3) Enforce MFA on all administrative accounts—this is defense in depth. (4) Review account privilege: disable unnecessary admin accounts and follow principle of least privilege. (5) Check if your EPMM instance is exposed online using Shodan; if so, restrict access to trusted networks.
How did DoD contractors expose military training data via API flaws?
What happened: An open-source security testing project (Stricks) discovered that Schemata, an AI-powered military training platform used by US Defense Department contractors, exposed user records, military training materials, and course metadata through improperly secured API endpoints. A low-privilege account could access data across multiple tenants, including names, emails, base assignments, and links to AWS-hosted documents.
Why it matters: Military personnel location data and training materials are sensitive. Exposure enables doxing, targeting, and information collection against active-duty service members. This demonstrates how third-party SaaS solutions handling classified or sensitive military data can introduce supply chain risk if APIs lack proper authorization checks.
What to do: If procuring or using third-party SaaS for sensitive data: mandate API security assessments as part of vendor evaluation. Conduct penetration testing of all customer-facing APIs before and periodically after deployment. Verify that authorization checks enforce proper multi-tenancy isolation. Require vendors to implement role-based access control (RBAC) on all endpoints.
Are Python packages and open-source software still trustworthy?
What happened: Beyond the Zia Chatbot malware, Kaspersky noted that Ocean Lotus (Vietnam-aligned actor) shares code similarities with the dropper, indicating nation-state involvement in PyPI supply chain poisoning.
Why it matters: Open-source and package repository attacks are now normalized threat vectors. Attackers can compromise software after an initial clean review period, injecting malicious functionality during later updates. This breaks the assumption that one-time code review is sufficient.
What to do: Monitor for open-source component updates; do not assume updates are safe without review. Implement Software Bill of Materials (SBOM) tracking. Use dependency scanning tools (e.g., Snyk, Dependabot) to flag suspicious activity. Isolate development environments from production. If using PyPI packages in production, consider dependency pinning and regular security audits.
Should I stop saving passwords in Microsoft Edge?
What happened: Norwegian security researcher Tom Jøran Sonai Sørter reported that Microsoft Edge loads saved passwords into process memory in plain text at startup, even when users are not visiting sites requiring those credentials. Microsoft confirmed this is by design, not a bug. Attackers with administrative access can dump process memory and extract all plaintext passwords.
Why it matters: Browser-based password storage introduces risk on shared systems, terminal servers, or devices where administrative access may be compromised. Defense in depth is impossible if credentials are stored unencrypted in memory without user consent or awareness.
What to do: Never save passwords in any browser. Use a dedicated password manager (e.g., 1Password, Bitwarden, LastPass) with encryption and secure vaults. Enforce this as policy for both users and developers. Implement password-less authentication where possible (Windows Hello, passkeys, biometrics). For existing password-based systems, enforce MFA and unique passwords per service to limit blast radius if one credential is compromised.
How is a new PCP Jack worm stealing cloud credentials and evicting other malware?
What happened: Sentinel Labs identified PCP Jack, a new malware framework targeting Docker, Kubernetes, Redis, MongoDB, and Ray ML services. It steals credentials from exposed cloud infrastructure and actively removes Team PCP's access to compromised systems. Analysts believe it was developed by a former Team PCP affiliate launching an independent operation.
Why it matters: PCP Jack demonstrates threat actor fragmentation and competition for compromised infrastructure. The malware prioritizes credential theft for financial fraud, spam, resale, and extortion. Its ability to detect and eject competing malware shows operational sophistication. Cloud exposure is now a primary attack surface for credential harvesting.
What to do: Audit all cloud services (Docker registries, Kubernetes clusters, databases) for public exposure; restrict access to private networks or VPN. Rotate all cloud credentials and API keys immediately. Implement network segmentation and least-privilege access. Monitor for unusual lateral movement and credential access patterns. Assume if infrastructure is internet-facing and unpatched, it may be compromised. Review cloud IAM policies and disable unnecessary service accounts.
Key takeaways
- Buffer overflow vulnerabilities remain actively exploited by nation-states; PAN-OS patch is critical path item this week.
- Russian cyber attacks on Polish water infrastructure signal escalating targeting of NATO allies' critical infrastructure in support of Ukraine operations.
- Cloud infrastructure (Docker, Kubernetes, databases) is now primary target for credential theft and lateral movement; assume public-facing instances are compromised.
- Supply chain attacks via package repositories and third-party SaaS are normalized; one-time code review is insufficient—continuous monitoring and API security testing required.
- Password-based authentication is breaking down under volume of compromises and sophisticated attacks; passwordless authentication, MFA, and credential uniqueness are baseline defensive posture.
Topics covered
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.