Flash Notice: Zscaler Investigates Potential Data Breach Amid CVE-2024-2661 Warning

overview

This week, Zscaler announced that a critical vulnerability, named TunnelVision (CVE-2024-3661), has been found by Leviathan Security researchers in Dynamic Host Configuration Protocol (DHCP). CVE-2024-3661 allows attackers to intercept and monitor VPN traffic.  

TunnelVision operates by exploiting the DHCP option 121 to reroute VPN traffic through a rogue DHCP server on the local network. The attack is stealthy, so VPN users don't realize someone is snooping on their traffic. 

Although HTTPS traffic is largely unaffected, HTTP traffic becomes vulnerable, exposing user communications and destinations to potential eavesdropping. This vulnerability affects a wide range of operating systems, including Windows, Linux, macOS, and iOS.  

Coincidentally, a day after Zscaler issued a warning about CVE-2024-3661, they also alerted about a public post by a threat actor on X (formerly known as Twitter), who claimed to have obtained unauthorized information from a cybersecurity company. Upon investigation, Zscaler found a separate testing setup on a single server, which had no customer data but was exposed to the internet accidentally.  

According to Zscaler, this test setup wasn't part of Zscaler's infrastructure and had no connection to their operational systems. They've taken this setup offline for further investigation. Zscaler clarified that they haven't found any proof of any security breach or compromise in their systems. The company is keeping a close eye on the situation but hasn't confirmed if the incident is linked to CVE-2024-3661. 

avertium's recommendationS

• Zscaler recommends the following to organizations for CVE-2024-3661: 
  • Enable DHCP snooping, ARP protections, and port security on switches used for communication.  
  • If feasible, ignore option 121 for the DHCP server when VPN is being used in the network. 
    • In some scenarios, completely ignoring option 121 may result in network connectivity issues. 
• Zscaler recommends the following for VPN providers:  
  • Integrate network namespaces into operating systems where feasible.

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2024-3661. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

How Avertium is Protecting Our CUSTOMERS

• Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
• Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
  • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
  • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
  • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan). 

SUPPORTING DOCUMENTATION