Palo Alto Networks PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Palo Alto Networks has released workaround guidance for CVE-2024-3400 affecting PAN-OS versions 10.2, 11.0, and 11.1. Palo Alto Networks has reported active exploitation of this vulnerability in the wild. 
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Palo Alto Networks Security Advisory, apply the current mitigations, and update the affected software when Palo Alto Networks makes the fixes available. Additionally, CISA has also added this vulnerability to its  Known Exploited Vulnerabilities Catalog.

Microsoft.Source Developer Newsletter

Featured
ArticleGet Started with Evaluating Answers in a Chat App >After creating a chat application, developers should ensure it’s delivering high-quality answers to customers.This article demonstrates how to evaluate a chat app’s answers against a set of correct or ideal answers.
What’s New
BlogReal-time Translation Using the azure_ai Extension >Learn how to use the new text translation capabilities of the azure_ai extension on Azure Database for PostgreSQL. (in English)
BlogDev Proxy v0.15, Now Available >Review the new features of Dev Proxy v0.15 that allow you to spend more time building your application. (in English)
BlogAI in action: 5 Popular AI Apps You Can Build on Azure >Build your own copilot. Process transactions at scale. Detect Fraud. Create a recommendations engine Learn how to build all these AI-powered apps.
Events
Microsoft Build / May 21 – 23 / Seattle >Learn from experts, get hands-on with AI, and make connections with peers, Microsoft engineers, and industry leaders.
POSETTE: An Event for Postgres 2024 / June 11-13 >Join us for 4 unique livestreams to hear from open source users, Azure database customers, and experts in PostgreSQL and Citus.
Azure Cosmos DB Conf / On Demand >Catch up on all the streamed sessions and exclusive bonus content.
PyCon US May 17-19 / Pittsburgh and Online >Register for three days’ worth of the Python community’s best talks, amazing keynote speakers, and our famed lightning talks to close out each day.
Microsoft AI TourMicrosoft AI Tour / Multiple Cities >Learn what developers need to know about AI today and explore new paths forward in your organization and career.
Learning
Learning PathLearn Cloud-Native Development >Create independently deployable, highly scalable, and resilient services using .NET.
Learning PathCreate Reusable Customizations in Microsoft Dev Box >
Use Copilot to Write .NET MAUI Apps >Discover how Copilot can help you build an app and learn how it works within the context of your code.

Deadline Approaching! Apply for Cybersecurity Education and Workforce Development Funding Today

The deadline is approaching to submit proposals in response to NIST’s Notice of Funding Opportunity (NOFO) to support Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. The funding expands the existing RAMPS program* and anticipates awarding an additional fifteen awards of up to $200,000 through cooperative agreements.

As part of the Department of Commerce’s Principles for Highly Effective Workforce Investments and Good Jobs Principles, RAMPS will support the NIST-led NICE program. Effective partnerships will focus on bringing together employers and educators to focus on developing the skilled and diverse workforce to meet industry needs within a local or regional economy. 

Applicants must demonstrate through letters of commitment that, in addition to the applicant, at least one of each of the following types of organizations is committed to being part of the proposed regional alliance:

  • at least one institution of higher education or nonprofit training organization, and
  • at least one local employer or owner or operator of critical infrastructure.

Deadline to apply: May 24, 2024

More information about the RAMPS NOFO may be found in the recording of the webinar for interested applicants and an FAQ

View this Funding Opportunity on Grants.gov

NIST Seeks Comments on Draft AI Guidance Documents, Announces Launch of New Program to Evaluate and Measure GenAI Technologies

The National Institute of Standards and Technology (NIST) has released four draft publications intended to help improve the safety, security and trustworthiness of artificial intelligence (AI) systems. All are part of the agency’s response to Executive Order 14110 on the Safe, Secure and Trustworthy Development of AI. Comments on each draft are requested by June 2, 2024. NIST has also launched a challenge series that will support development of methods to distinguish between content produced by humans and content produced by AI.

The publications cover varied aspects of AI technology: The first two are guidance documents designed to help manage the risks of generative AI — the technology that enables chatbots and text-based image and video creation tools — and serve as companion resources to NIST’s AI Risk Management Framework (AI RMF) and Secure Software Development Framework (SSDF), respectively. A third offers approaches for promoting transparency in digital content, which AI can generate or alter; the fourth proposes a plan for global engagement for development of AI standards.

  • NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile
  • NIST SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models
  • NIST AI 100-4, Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency
  • NIST AI 100-5, A Plan for Global Engagement on AI Standards

Drafts of NIST AI 600-1, NIST AI 100-5 and NIST AI 100-4 are available for review and comment on the NIST Artificial Intelligence Resource Center website; and the draft of NIST SP 800-218A is available for review and comment on the NIST Computer Security Resource Center website.

NIST GenAI Challenge

In addition to the four documents, NIST is also announcing NIST GenAI Challenge, a new program to evaluate and measure generative AI technologies. The program is part of NIST’s response to the Executive Order, and its efforts will help inform the work of the U.S. AI Safety Institute at NIST.

The NIST GenAI program will issue a series of challenge problems designed to evaluate and measure the capabilities and limitations of generative AI technologies. These evaluations will be used to identify strategies to promote information integrity and guide the safe and responsible use of digital content. One of the program’s goals is to help people determine whether a human or an AI produced a given text, image, video or audio recording. Registration opens in May for participation in the pilot evaluation, which will seek to understand how human-produced content differs from synthetic content. More information about the challenge and how to register can be found on the NIST GenAI website.

Read News Release

Join us at Empower Everyone to Build Apps training day

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Power Platform Virtual Training Day from Microsoft Learn. Join us at Empower Everyone to Build Apps to see how to build and test model-driven and canvas apps with Power Apps. You’ll explore how to store and manage data for your apps with Microsoft Dataverse and learn how to customize applications for your business. You’ll also understand how to expedite development and create intelligent apps with AI-powered capabilities. You will have the opportunity to: Gain the knowledge to build applications with low-code tools. Understand how to simplify app development with Power Apps. Discover how to build an app through natural language processing with copilot assistance. Jump-start preparation for the Microsoft Power Platform App Maker Associate certification exam. Join us at an upcoming Empower Everyone to Build Apps event:
May 07, 2024 | 12:00 PM -3:00 PM | (GMT-05:00) Eastern Time (US & Canada)


Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

NIST Plans to Update NIST IR 7621, Rev. 1 | Small Business Information Security: The Fundamentals

NIST plans to update NIST IR 7621 Rev. 1, Small Business Information Security: The Fundamentals and is issuing this Pre-Draft Call for Comments to solicit feedback. The public is invited to provide input by 12:00 p.m. ET on May 16, 2024. 

Details

Since NIST IR 7621 Revision 1 was published in November of 2016, NIST has developed new frameworks for cybersecurity and risk management and released major updates to critical resources and references. This revision will focus on clarifying the publication’s audience, making the document more user-friendly, aligning with other NIST guidance, updating the narrative with current approaches to cybersecurity risk management, and updating appendices. Before revising, NIST invites the public to suggest changes that would improve the document’s effectiveness, relevance, and general use to better help the small business community understand and manage their cybersecurity risk.

NIST welcomes feedback and input on any aspect of NIST IR 7621 and additionally proposes a list of non-exhaustive questions and topics for consideration:

  • How have you used or referenced NIST IR 7621?
  • What specific topics in NIST IR 7621 are most useful to you?
  • What challenges have you faced in applying the guidance in NIST IR 7621?
  • Is the document’s current level of specificity appropriate, too detailed, or too general? If the level of specificity is not appropriate, how can it be improved?
  • How can NIST improve the alignment between NIST IR 7621 and other frameworks and publications?
  • What new cybersecurity capabilities, challenges, or topics should be addressed?
  • What topics or sections currently in the document are out of scope, no longer relevant, or better addressed elsewhere?
  • Are there other substantive suggestions that would improve the document?
  • Are there additional appendices in NIST IR 7621, or resources outside NIST IR 7621, that would add value to the document?

Submit Comments

Read More

Cybersecurity Framework 2.0 Community Profiles NCCoE Webinar

Join the National Cybersecurity Center of Excellence (NCCoE) for a Community Profiles Webinar on April 23rd, 2024, at 2:00 p.m. ET to discuss guidance and considerations for creating and using Community Profiles to implement the NIST Cybersecurity Framework (CSF) 2.0.

During this webinar, the presenters will:

  1. Provide an overview of the NIST CSF 2.0
  2. Introduce the NCCoE Framework Resource Center (FRC)
  3. Discuss the Cyber Risk Institute (CRI) approach to updating the CRI Profile for the Financial Sector from CSF v1.1 to 2.0
  4. Discuss the NIST Cybersecurity White Paper (CSWP) 32 Initial Public Draft: A Guide to Creating Community Profiles
  5. Provide time for Q&A

Submit Comments for NIST Cybersecurity White Paper 32

The public comment period on the NIST CSWP 32 Initial Public Draft: A Guide to Creating Community Profiles closes at 11:59 p.m. ET on May 3, 2024. Please email all draft comments to [email protected].

We encourage you to submit all feedback using the comment template found on our project page.

Register Now

#StopRansomware: Akira Ransomware

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this Joint Cybersecurity Advisory to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations as recently as February 2024 and trusted third party reporting.
Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, the ransomware group has impacted over 250 organizations and claimed approximately $42 million USD in ransomware proceeds.
Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.
The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of ransomware incidents.

Unpaid Road Toll SMiShing Scams

The FBI released a public service announcement warning of an uptick in unpaid road toll SMiShing scams. Since the scams started in early March 2024, over 2,000 complaints have been made to the FBI from at least three states, and it appears to be moving from state to state, including New Jersey, New York, and Pennsylvania. On April 12,  the New Jersey Turnpike Authority issued a statement alerting drivers that the scam had begun to target drivers throughout the state.
The fraudulent SMS text messages contain almost identical language, including a similar amount owed for the “outstanding toll amount.” However, threat actors impersonate the target state’s toll service name and change the sender’s phone number and link in the message depending on the state. This social engineering attack appears to be an attempt to trick users into providing personal and financial information.
Recommendations
Avoid clicking links, responding to, or otherwise acting on unsolicited text messages. Confirm requests from senders via contact information obtained from verified and official sources. Type official website URLs into browsers manually. Report SMiShing to the FTC, FBI’s IC3, and NJCCIC, and forward the message to 7726 (SPAM).

Upcoming NICE Webinars: Reintegrating Justice-Involved Individuals into Cybersecurity & Equity Strategies in Youth Apprenticeships!

Synopsis Join us during Second Chance Month to discuss the challenges and opportunities of the reintegration of justice-involved individuals into the workforce. We will emphasize the resilience, redemption, and the transformative power of second chances in the world of digital security. This webinar will explore the journey of justice-involved individuals re-entering the workforce, specifically in the field of cybersecurity; it seeks to foster supportive dialogue and shed light on justice-involved individuals who will contribute to positive change as the NICE community works together to provide individuals with a pathway to employment in a cybersecurity-related career.
Register Here