Panther is aware of and tracking a high-severity software supply chain vulnerability affecting the Linux library XZ Utils versions 5.6.0 and 5.6.1. The vulnerability has been assigned CVE-2024-3094, with a CVSS score of 10, the highest possible severity.
Background
The XZ Utils library provides data compression on Unix/Linux operating systems; its command-line tool compresses and decompresses .xz files. On March 29, 2024, a supply-chain compromise was discovered in the XZ package: malicious code that could provide a backdoor into systems through this utility. At this time, it is believed that only XZ Utils versions 5.6.0 and 5.6.1 are impacted.
It is too early to tell whether the malicious code has been exploited: the issue was just discovered, research is still ongoing, and the security community will publish more information in the coming days. We will update this page as more information becomes available. It is also uncertain whether the individual who made the commits containing the malicious code is directly responsible or whether their system or accounts were compromised.
Is Panther Affected?
Panther’s security team has assessed the vulnerability, and at this time it does not impact the Panther platform. We will continue to evaluate the risk as more information is made available. It is also important to note that Amazon Web Services (AWS) states that its infrastructure is not impacted, as it does not utilize the XZ Utils library at all.
How to Identify if a System Is Affected
Most systems using the XZ Utils library are running the 5.2 or 5.4 series, which are not affected; 5.6 (5.6.0 and 5.6.1) is the compromised release line. To identify whether your system is impacted, run “xz -V” on the command line to see which version you are running.
What if My System Has the Affected Version?
It is recommended that users downgrade XZ Utils to the prior uncompromised version, such as XZ Utils 5.4.6 Stable. As the issue is still being investigated, there are currently no IoCs or specific guidance on what to look for to determine whether a system has been exploited. If you identify a system running the affected version, apply extra vigilance: monitor those systems closely and hunt for signs of malicious activity.
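The version check described above, as an added example that is not part of the Panther advisory: a POSIX shell function that classifies the text printed by “xz -V” against the two releases the advisory names, 5.6.0 and 5.6.1. It assumes the two-line shape “xz -V” prints (one line for the xz tool, one for the liblzma library) and checks both, since a host can report different versions for the two; the sample reports are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an "xz -V" report against
# the XZ Utils releases the advisory names as compromised (5.6.0 and 5.6.1).
# A version match only tells you the compromised package is installed; the
# advisory notes there are no IoCs yet, so matching hosts are candidates for
# the recommended downgrade and for closer monitoring, not confirmed intrusions.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# xz_version_status VERSION_TEXT
# VERSION_TEXT is what "xz -V" printed, e.g. (assumed shape):
#   xz (XZ Utils) 5.4.6
#   liblzma 5.4.6
# Prints "affected" if any reported version is in AFFECTED_VERSIONS,
# "unknown" if no version-like token was found, "clean" otherwise.
xz_version_status() {
  result="unknown"
  # Take the last whitespace-separated field of every non-empty line;
  # that is where both the xz and the liblzma lines carry their version.
  for ver in $(printf '%s\n' "$1" | awk 'NF { print $NF }'); do
    case "$ver" in
      [0-9]*.[0-9]*) ;;   # looks like a dotted version, keep it
      *) continue ;;      # error text or other noise, ignore it
    esac
    [ "$result" = "unknown" ] && result="clean"
    for bad in $AFFECTED_VERSIONS; do
      [ "$ver" = "$bad" ] && result="affected"
    done
  done
  printf '%s\n' "$result"
}

# Constructed sample reports in the shape "xz -V" prints.
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
# Tool and library out of step: the library line alone is enough to flag it.
SAMPLE_MIXED='xz (XZ Utils) 5.4.6
liblzma 5.6.0'

printf 'clean sample:    %s\n' "$(xz_version_status "$SAMPLE_CLEAN")"
printf 'affected sample: %s\n' "$(xz_version_status "$SAMPLE_AFFECTED")"
printf 'mixed sample:    %s\n' "$(xz_version_status "$SAMPLE_MIXED")"

# Live check of this host, skipped when xz is not installed.
if command -v xz >/dev/null 2>&1; then
  printf 'this host:       %s\n' "$(xz_version_status "$(xz -V 2>/dev/null)")"
fi
```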
I’d like to introduce a comprehensive analysis by Ken Westin, Field CISO at Panther Labs in the blog post titled, “How North Korean Cybercrime Aids the Russian Military and Circumvents Sanctions.” It delves into an issue that simmers at the intersection of global geopolitics and cybersecurity. Through meticulous research, Panther Labs unveils a narrative that explores the intricate ways North Korean cybercrime supports the Russian military and skirts international sanctions.
In the shadows of international politics, a complex web of cybercrime, military aid, and sanctions evasion has emerged, with North Korea playing a pivotal role. Our investigation delves into how the DPRK’s elite hacking group, The Lazarus Group, has pilfered billions in cryptocurrencies to fund military operations and aid allies, notably Russia, in their geopolitical endeavors.
Key highlights include:
An analysis of North Korea’s latest $23 million laundering operation through Tornado Cash, as part of a broader $3 billion crypto theft spree.
Insights into the DPRK’s munitions shipments to Russia, bolstering the latter’s military capabilities against Ukraine, in exchange for vital resources.
A deep dive into the sophisticated techniques employed by The Lazarus Group to execute their heists and evade international sanctions.
This story is more than a cybersecurity issue; it’s a glimpse into the future of warfare, international relations, and the global economy, shaped by the invisible hands of cybercriminals.
You may know the classic Eagles song “Hotel California,” about greed and excess in America, with the final lyrics, “You can check out any time you like, but you can never leave!”
Yeah, I am an old timer, and I was listening to this track lately, and it hit me how many security vendors have a “Hotel California” business model. Not only do security vendors try to lock customers into increasingly expensive licensing, but they also make it challenging to integrate with other tools within the security ecosystem, requiring additional tools with different licensing if they provide integrations with other tools at all. Here are a few things to watch out for when selecting a SIEM to ensure it’s not a Hotel California where you can never leave.
Beware the SIEM Ransomware Business Model
One way some SIEM vendors get their foot in the door with a new account is to offer an “all-you-can-eat” license for data ingest. The idea here is that the vendor provides an amazing deal to consume as much data into their SIEM as they want for a long time, usually three years. The vendor will then help onboard data across multiple organizations within a company and ensure that the organization becomes heavily dependent on this tool.
The trick is that this is often a one-time deal rather than something that can be renewed. The customer is then hit with sticker shock when their sales rep provides a “true-up” license renewal based on the data they are actually ingesting. The vendor can then effectively hold the customer’s security data for ransom: if the customer doesn’t pay the higher license cost, they have to reduce the amount of data they ingest or switch to a different SIEM. Vendors know both of these are painful endeavors that cannot be done overnight, so the customer will typically have to pay at least another year of licensing before they can migrate.
Leveraging a SIEM that can decouple the detection engine and ingest from the Security Data Lake helps organizations not be held hostage by a single vendor. Being able to filter data is critically important for a SIEM, mainly if that SIEM’s pricing model is based on data ingest volume. Being able to filter, redirect, or bifurcate data based on various parameters is critical to a modern SIEM architecture.
Getting Data In and Out
One challenge I have seen with customers leveraging SIEM tools provided by cloud platforms is that they, by design, do not play well with others. Trying to ingest logs from another cloud platform, for example, can be quite painful to get working, as data egress methods differ across platforms. Ingesting external data often comes with a higher price tag, where you are double-dipped: once by the cloud vendor for data egress and again by the SIEM platform for data ingest.
Getting data in is one challenge; getting data out, for example to export it to a different platform, can be another, notably when the SIEM uses a proprietary storage format: if you want to convert the data to another format, there are often additional costs associated with the process.
The ability to send alerts to multiple destinations, not just within the SIEM, has become critically important to modern SIEM use cases. Panther is unique in the SIEM space for providing multiple methods out-of-the-box to send alerts to various collaboration tools such as Jira, Slack, GitHub and even integrates with other SIEMs such as Splunk. In addition to out-of-the-box alert destinations, Panther also provides custom webhooks to send to internal tools and applications. Empowering detection engineers also to send alerts to different destinations depending on the data source, severity, or even within the logic of their detection puts the power of SIEM into the hands of detection engineers.
More Use Cases Often Means More Money
Another trap many security vendors lay for their customers with “surprise pricing” is to nickel-and-dime them on use cases. With one SIEM vendor, you may pay one price for data ingest and basic search capabilities, but if you want their security features for correlation rules, risk-based alerting, anomaly detection, and other use cases, there is an additional premium to pay, whether a percentage of the ingest price, a completely different licensing model based on company size, or some other strange calculus.
Many SIEMs also operate on a “black box” model when it comes to their detections, where the customer can’t see the actual logic. This becomes problematic in many cases, as the customer has a difficult time tuning false positives and the alert may not provide the context needed to identify the source of a given threat. Modern approaches to managing detections, such as detection-as-code, not only provide open access to detection logic but also give detection engineers a platform to develop and manage detections more efficiently.
Modern SIEMs Provide Flexibility and Integrate with the Security Ecosystem
Modern SIEMs need to be able to integrate any data source regardless of the platform, even if it is a competing tool. Security leaders are tired of vendor lock-in and want to be able to pick the best-of-breed when it comes to their tools. Ingesting data from any source and filtering only relevant fields has become a critical capability for modern SIEMs. Storing this data for long-term searchable retention well beyond 90 days is also becoming increasingly important; at Panther, we provide one year of data retention with high-performance search for threat hunting, investigations, and dashboarding. Panther also allows sending alerts to any destination, whether it is a ticketing system, collaborative tool, another SIEM, or a custom webhook. When your SIEM provides flexibility and plays nicely with your existing tools, you may never WANT to leave.
Panther Labs announced today that it has achieved Amazon Web Services (AWS) Security Competency status. This designation recognizes that Panther has demonstrated proven technology and deep expertise that helps customers achieve their cloud security goals.
Achieving the AWS Security Competency differentiates Panther as an AWS Partner Network (APN) member that provides specialized software designed to help enterprises adopt, develop and deploy complex security projects on AWS. To receive the designation, AWS Partners must possess deep AWS expertise and experience and deliver solutions seamlessly on AWS.
AWS is enabling scalable, flexible, and cost-effective solutions from startups to global enterprises. To support the seamless integration and deployment of these solutions, AWS established the AWS Competency Program to help customers identify AWS Partners with deep industry experience and expertise.
Panther Labs is a cybersecurity company building the future of Detection and Response for the cloud-native era. Panther’s advanced data lake architecture, Detection-as-Code workflows, and intelligent correlation capabilities enable organizations to derive security signal from high-scale security data to rapidly detect and respond to threats. From startups to global enterprises, Panther’s mission is to help security teams move faster than the most advanced attackers. For more information about Panther, please visit www.panther.com or follow on X @runpanther.
Panther Labs today announced its recognition in Built In’s 2024 Best Places To Work Awards. This prestigious accolade highlights Panther Labs’ commitment to creating an outstanding work environment.
Demonstrating an unwavering commitment to cultivating a superior work environment, Panther Labs has been distinguished in several categories, reflecting its versatility and excellence in fostering a supportive and dynamic workplace. The company has earned esteemed positions in the following categories:
U.S. Best Places to Work
U.S. Best Midsize Places to Work
San Francisco, CA Best Places to Work
San Francisco, CA Best Midsize Places to Work
Remote Best Places to Work
Remote Best Midsize Places to Work
The annual awards program includes companies of all sizes, from startups to those in the enterprise, and honors both remote-first employers as well as companies in large tech markets across the U.S.
Built In determines the winners of Best Places to Work based on an algorithm, using company data about compensation and benefits. To reflect the benefits candidates are searching for more frequently on Built In, the program also weighs criteria like remote and flexible work opportunities, programs for DEI and other people-first cultural offerings.
As organizations race to implement machine learning capabilities, they’re increasingly reliant on decentralized, cloud-based data stores and workflows to power the development of new software, such as AI tools. These workflows magnify security challenges, with organizations continuing to report severe security incidents due to cloud misconfigurations, especially in public cloud environments.
The enhancements Panther is launching today will redefine security detection, analysis, and response for the cloud-first, AI-powered future. By combining the economic efficiency of modern security data lakes with the familiarity of traditional SIEM interfaces, Panther will enable security teams to more easily identify and respond to threats, hardening their security posture for decentralized, high-scale cloud workflows.
Panther’s Security Data Lake Search is the industry’s first search experience designed to capitalize on the efficiency and performance of modern data lakes. With traditional solutions, high-volume log sources are too costly and unwieldy to ingest and search at scale, forcing organizations to choose between cost and performance. With Panther’s Security Data Lake Search, security teams can harness the full potential of mission-critical cloud logs in their detection and investigation workflows, with deployment options that reduce total cost of ownership (TCO) and maximize ROI. These enhancements offer unparalleled search performance across vast data lakes, without relying on SQL, enabling fast, efficient investigations.
Panther’s Splunk Integration combines Panther’s industry-leading, cloud-native detection capabilities with Splunk’s extensive analytics platform, giving organizations enhanced visibility of critical cloud workflows. By using Panther’s real-time detections on streaming cloud logs and configuring Splunk as an alert destination, security teams are empowered to implement rapid, cloud-scale detection and response workflows.
Together, Panther’s Security Data Lake Search and Splunk Integration unlock the full potential of high-volume, high-value cloud log streaming data. With cloud-native search capabilities and high-performance detections built on existing Splunk infrastructure, security teams can now ingest all of their logs and operate with the agility necessary to drive better security outcomes.
Panther has demonstrated significant value for a wide range of enterprise customers, with an average reduction in TCO by over 50%. As security risks from cloud-based workflows continue to escalate, Panther’s platform is crucial for organizations aiming to bolster their compliance and reduce risk exposure efficiently.
To learn more about Panther’s new Security Data Lake Search and Splunk Integration, visit https://panther.com.
Panther Labs, the leading cybersecurity innovator for detection and response at scale, today announced the launch of its new Security Data Lake Search and Splunk Integration capabilities. These offerings mark a critical leap forward in managing security risks in today’s cloud-first landscape.
Panther Labs Advisory: CVE-2024-3094 – Linux Supply Chain Compromise Affecting XZ Utils Data Compression Library
Posted in Commentary with tags Panther Labs on March 30, 2024 by itnerd