Trending
ee-track">
Link copied!

Cyble Sensors Detect Attacks on Apache OFBiz, Palo Alto Networks

Attack attempts on Palo Alto PAN-OS, and the Apache OFBiz ERP system was among recent threat actor campaigns detected by Cyble honeypots.

February 3, 2025 · 3 min read
Cyble Sensors Detect Attacks on Apache OFBiz, Palo Alto Networks

Overview

Cyble honeypot sensors have detected new attack attempts on vulnerabilities in Palo Alto Networks’ web management interface and the Apache OFBiz ERP system, among dozens of other exploits picked up by Cyble sensors.

Cyble’s recent sensor intelligence report to clients examined more than 30 vulnerabilities under active exploitation by hackers and also looked at persistent attacks against Linux systems and network and IoT devices. Threat actors continue to scan for vulnerable devices for ransomware attacks and add to botnets for DDoS attacks and crypto mining.

The full reports also looked at banking malware, brute-force attacks, vulnerable ports, and phishing campaigns.

Palo Alto Networks Vulnerabilities Targeted

Cyble sensors detected attacks attempting to exploit an OS Command Injection vulnerability in the Palo Alto Networks PAN-OS management web interface.

The vulnerability, CVE-2024-9474, could be used by hackers to escalate privileges in PAN-OS. It could allow attackers who can access the PAN-OS management web interface to perform actions on the firewall with root privileges.

Palo Alto Networks issued an alert in November that CVE-2024-9474 was being exploited in conjunction with a second vulnerability, CVE-2024-0012. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to the agency’s Known Exploited Vulnerabilities (KEV) catalog.

CVE-2024-0012 is an authentication bypass vulnerability in PAN-OS that enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges. The Palo Alto alert said hackers could use CVE-2024-0012 to perform administrative actions, tamper with configurations, or exploit other authenticated privilege escalation vulnerabilities such as CVE-2024-9474.

Fixes for both vulnerabilities are available, and Palo Alto said users can further reduce risk by restricting access to the management interface to only trusted internal IP addresses to prevent external access from the internet, as recommended by the company’s best practice deployment guidelines. “The vast majority of firewalls already follow Palo Alto Networks and industry best practices,” Palo Alto said.

Critical Apache OFBiz Vulnerabilities Targeted

Threat actors have also recently targeted the Apache OFBiz enterprise resource planning (ERP) system, including vulnerabilities from 2024 and 2023.

CVE-2024-38856 affects Apache OFBiz up to version 18.12.14, allowing remote, unauthenticated attackers to execute arbitrary code. The vulnerability stems from incorrect authorization, where certain endpoints don’t properly check user permissions, potentially leading to unauthorized screen rendering and exploitation. Upgrading to version 18.12.15 is strongly recommended.

CVE-2024-38856 has also been exploited in conjunction with CVE-2024-36104, an Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability in Apache OFBiz before version 18.12.14.

CVE-2023-50968 is an arbitrary file properties reading vulnerability in Apache OFBiz that continues to attract hackers’ attention. The vulnerability occurs when a user operates a URI call without authorization, which could lead to a Server-Side Request Forgery (SSRF) attack. While upgrading to version 18.12.11 would patch that vulnerability, version 18.12.15 would be preferred because of the more recent vulnerabilities.

Cyble also noted that a number of other recent attack campaigns remain active, including exploits targeting CVE-2024-7593, a vulnerability in Ivanti Virtual Traffic Manager (vTM) that Cyble reported as being under attack last month.

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients receive a separate IoC list).
  • Immediately patching all open vulnerabilities listed here and routinely monitoring the top Suricata alerts in internal networks.
  • Continually checking for attackers’ ASNs and IPs (included in the full Cyble reports).
  • Blocking Brute Force attack IPs and the targeted ports listed in the report.
  • Immediately resetting default usernames and passwords to mitigate brute-force attacks and enforcing periodic changes.
  • For servers, setting up strong passwords that are difficult to guess.

Conclusion

With nearly constant threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching quickly and applying mitigations where patching isn’t possible.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches.

To access full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams