All news with #palo alto networks tag

CISA Orders Federal Patch for Samsung Zero‑Day Spyware

🔒 CISA has ordered U.S. federal agencies to patch a critical Samsung vulnerability, CVE-2025-21042, which has been exploited to deploy LandFall spyware via malicious DNG images sent over WhatsApp. The flaw is an out-of-bounds write in libimagecodec.quram.so affecting devices on Android 13 and later; Samsung issued a patch in April after reports from Meta and WhatsApp security teams. CISA added the bug to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by December 1 under BOD 22-01. The spyware can exfiltrate data, record audio, and track location.

Data Security Posture Management: Top DSPM Tools Reviewed

🛡️ Data Security Posture Management (DSPM) tools help organizations discover, classify and manage sensitive data across dynamic cloud environments. They focus on locating "shadow data" in known and unknown repositories and typically collect metadata via agentless or API-based scans to avoid moving raw data. DSPM dashboards catalog findings, map lineage and assess compliance, while remediation often integrates with SOAR, SIEM or CNAPP solutions. Many vendors now combine discovery with some automated "fix it" capabilities to streamline response.

Addressing the AI Black Box with Prisma AIRS 2.0 Platform

🔒 Prisma AIRS 2.0 presents a unified AI security platform that addresses the “AI black box” by combining AI Model Security and automated AI Red Teaming. It inventories models, inference datasets, applications and agents in real time, inspects model artifacts within CI/CD and model registries, and conducts continuous, context-aware adversarial testing. The platform integrates curated threat intelligence and governance mappings to deliver auditable risk scores and prioritized remediation guidance for enterprise teams.

Prisma SASE: A Blueprint for Modern Branch Security

🔒 Prisma SASE positions Prisma SD‑WAN and Prisma Access as a unified blueprint for securing modern branch offices, embedding zero trust and local enforcement into the branch edge. It emphasizes identity‑aware controls (User‑ID, Device‑ID, App‑ID), automated IoT discovery and on‑box protections like URL filtering and DNS security to reduce appliance sprawl and contain lateral movement. By pairing on‑device enforcement with cloud services and centralized management via Strata Cloud Manager, the solution aims to simplify operations, maintain consistent policies and keep defenses up to date across distributed locations.

Nation-State Airstalk Malware Uses AirWatch via API

🛡️ Palo Alto Networks Unit 42 linked a suspected nation-state cluster (CL-STA-1009) to a new backdoor named Airstalk that abuses the AirWatch API (now Workspace ONE Unified Endpoint Management) as a covert command-and-control channel. The malware appears in PowerShell and more capable .NET variants and can capture screenshots, harvest browser cookies, history and bookmarks, and enumerate user files. Airstalk misuses MDM custom attributes as a dead-drop resolver and leverages the API blobs feature to exfiltrate large artifacts; some .NET samples were signed with a likely stolen certificate.

Securing the AI Factory: Palo Alto Networks and NVIDIA

🔒 Palo Alto Networks outlines a platform-centric approach to protect the enterprise AI Factory, announcing integration of Prisma AIRS with NVIDIA BlueField DPUs. The collaboration embeds distributed zero-trust security directly into infrastructure, delivering agentless, penalty-free runtime protection and real-time workload threat detection. Validated on NVIDIA RTX PRO Server and optimized for BlueField‑3, with BlueField‑4 forthcoming, the solution ties into Strata Cloud Manager and Cortex for end-to-end visibility and control, aiming to secure AI operations at scale without compromising performance.

AI-Powered, Quantum-Ready Network Security Platform

🔒 Palo Alto Networks presents a unified, AI-driven approach to network security that consolidates browser, AI, and quantum defenses into the Strata Network Security Platform. New offerings include Prisma Browser, a SASE-native secure browser that blocks evasive attacks and brings LLM-augmented data classification to the endpoint, and Prisma AIRS 2.0, a full-lifecycle AI security platform. The company also outlines a pragmatic path to quantum-readiness and centralizes control with Strata Cloud Manager to simplify operations across hybrid environments.

Prisma AIRS 2.0: Unified Platform for Secure AI Agents

🔒 Prisma AIRS 2.0 is a unified AI security platform that delivers end-to-end visibility, risk assessment and automated defenses across agents, models and development pipelines. It consolidates Protect AI capabilities to provide posture and runtime protections for AI agents, model scanning and API-first controls for MLOps. The platform also offers continuous, autonomous red teaming and a managed MCP Server to embed threat detection into workflows.

Cortex AgentiX: Agentic AI Platform for Autonomous SOC

🤖 Palo Alto Networks introduces Cortex AgentiX, an agentic AI platform designed to build, deploy and govern autonomous security and IT agents. The vendor says AgentiX extends the Cortex foundation and leverages 1.2 billion playbook executions to deliver end-to-end agentic workflows and drive up to a 98% reduction in Mean Time to Respond with 75% less manual work. It ships with prebuilt agents for threat intelligence, email, endpoint, network, cloud and IT, and highlights full transparency, role-based controls and human-in-the-loop approvals. AgentiX is embedded in Cortex XSIAM and Cortex Cloud today; a standalone platform and Cortex XDR integration are slated for early 2026.

Move Beyond the SOC: Adopt a Risk Operations Center

📡 The Resilience Risk Operations Center (ROC) reframes cyber defense by fusing technical, business and financial intelligence into a single operating environment. Rather than relying solely on a traditional SOC that reacts to alerts, the ROC prioritizes threats using actuarial and claims data to show potential financial impact and guide urgent decisions. Inspired by the US Air Force AOC, it co-locates multidisciplinary experts to anticipate attacks and accelerate response. Early use, including response to an April 2024 VPN zero-day, showed faster mitigation and reduced losses.

CASB Buying Guide: Key Capabilities, Vendors, and Questions

🔒 A Cloud Access Security Broker (CASB) sits between enterprise endpoints and cloud services to deliver visibility, enforce access controls and detect threats. This guide summarizes core CASB functions — visibility, control, data protection and compliance — and contrasts deployment modes (API vs proxy). It profiles major vendors such as Netskope, Microsoft Defender for Cloud Apps, Palo Alto Networks and others, and presents 16 practical questions to assess internal readiness and evaluate providers against SSE/SASE roadmaps.

Scattered LAPSUS$ Hunters Shift to Extortion-as-Service

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."

Vendor and Hyperscaler Watch: Attack Surface Tools

🔎 Cyber asset attack surface management (CAASM) and external ASM (EASM) solutions help organizations discover and continuously monitor internet-facing assets to reduce exposure and harden security. The article surveys a dozen commercial offerings — including Axonius, CrowdStrike Falcon Exposure, Microsoft Defender EASM, and Palo Alto Cortex Xpanse — highlighting discovery methods, integrations, AI features, and sample pricing. It stresses continuous monitoring, asset context and prioritization, and recommends vetting vendor automation, remediation workflows, and pricing transparency.

Legacy Flaws in Network Edge Devices Threaten Orgs Today

🔒 Enterprises' network edge devices — firewalls, VPNs, routers, and email gateways — are increasingly being exploited due to longstanding 1990s‑era flaws such as buffer overflows, command and SQL injections. Researchers tracked dozens of zero‑day exploits in 2024 and continuing into 2025 that affected vendors including Fortinet, Palo Alto Networks, Cisco, Ivanti, and others. These appliances are attractive targets because they are remotely accessible, often lack endpoint protections and centralized logging, and hold privileged credentials, making them common initial access vectors for state‑affiliated actors and ransomware groups.

Hackers Inject Redirecting JavaScript via WordPress Themes

🔒 Security researchers warn of an active campaign that modifies WordPress theme files (notably functions.php) to inject malicious JavaScript that redirects visitors to fraudulent verification and malware distribution pages. The injected loader uses obfuscated references to advertising services but posts to a controller domain that serves a remote script from porsasystem[.]com and an iframe mimicking Cloudflare assets. The activity has ties to the Kongtuke traffic distribution system and highlights the need to patch themes, enforce strong credentials, and scan for persistent backdoors.

Palo Alto Login Portal Scanning Spikes 500% Globally

🔍 Security researchers observed a roughly 500% surge in reconnaissance activity targeting Palo Alto Networks login portals on October 3, when GreyNoise recorded about 1,300 unique IP addresses probing its Palo Alto Networks Login Scanner tag versus typical daily volumes under 200. Approximately 91% of the IPs were US-based and 93% were classed as suspicious, with 7% confirmed malicious. GreyNoise also reported parallel scanning of other remote-access products including Cisco ASA, SonicWall, Ivanti and Pulse Secure, and noted shared TLS fingerprinting and regional clustering tied to infrastructure in the Netherlands. Analysts will continue monitoring for any subsequent vulnerability disclosures.

Surge in Scans Targeting Palo Alto Network Login Portals

🔍 GreyNoise has observed a roughly 500% rise in IP addresses scanning Palo Alto Networks login portals, primarily emulating GlobalProtect and PAN-OS profiles. Activity peaked on October 3 with more than 1,285 unique IPs—typical daily scans are usually under 200—while most sources were geolocated to the United States with smaller clusters in the UK, Netherlands, Canada, and Russia. GreyNoise classified 91% of the IPs as suspicious and 7% as malicious, noting clusters with distinct TLS fingerprints and warning this reconnaissance could precede exploitation attempts; administrators should verify device exposure and monitoring.

Spike in Scanning Targets Palo Alto Login Portals Globally

🔍 GreyNoise observed a nearly 500% surge in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, jumping from about 200 to roughly 1,300 unique IPs. The firm classified 93% of those IPs as suspicious and 7% as malicious, with most activity geolocated to the U.S. and smaller clusters in the U.K., the Netherlands, Canada and Russia. GreyNoise noted the traffic was targeted and structured and shared a dominant TLS fingerprint with recent Cisco ASA scans.

Case for Multidomain Visibility and Unified Response in SOCs

🔍 The 2025 Unit 42 Global Incident Response Report shows that 84% of investigated incidents involved activity across multiple attack fronts and 70% spanned at least three vectors, underscoring coordinated, multidomain campaigns. Attackers move laterally across cloud, SaaS, IT and OT, exploiting identities, misconfigurations and vulnerabilities. The report recommends unified telemetry, AI-driven behavioral analytics and stronger identity controls to improve detection and accelerate response.

TOTOLINK X6000R Router: Multiple Firmware Vulnerabilities

⚠️ TOTOLINK X6000R routers running firmware V9.4.0cu.1360_B20241207 contain three vulnerabilities that enable argument injection, unauthenticated command execution, and sanitization bypasses leading to file corruption or persistent denial-of-service. The most severe, CVE-2025-52906, is an unauthenticated command injection rated Critical (CVSS 9.3). TOTOLINK has released updated firmware and users should apply the patch immediately while defenders use device visibility and threat prevention to detect exploitation.