Warning for Palo Alto Networks Devices

Over 2,000 Palo Alto Networks Devices Compromised Through Recently Patched Zero-Days

by Ahmet Kus

More than 2,000 Palo Alto Networks firewalls have been compromised in attacks exploiting two recently patched zero-day vulnerabilities, according to ShadowServer, a threat monitoring platform. Both flaws affect the PAN-OS management web interface and have been chained together, allowing attackers to gain administrator privileges and then execute root-level commands on affected devices.

Details of the Exploited Vulnerabilities

The vulnerabilities, identified as CVE-2024-0012 and CVE-2024-9474, were disclosed earlier this week and have raised significant concerns within the cybersecurity community.

  • CVE-2024-0012 enables attackers to bypass authentication, granting administrative access.
  • CVE-2024-9474 facilitates privilege escalation, allowing commands to be executed with root-level access.

Palo Alto Networks initially flagged the potential for remote code execution (RCE) on November 8, with the official disclosure of these issues occurring last week.

Attack Observations and Exploitation Chain

In a statement, Palo Alto Networks confirmed ongoing investigations into these exploits. Attackers reportedly used anonymous VPN services to target a “limited number of management web interfaces.” The company observed threat actors deploying malware and running commands on compromised devices, indicating the existence of a publicly available exploit chain.

Although Palo Alto Networks asserts that only a small subset of devices is affected, ShadowServer has reported over 2,700 exposed PAN-OS devices, with approximately 2,000 confirmed as compromised since the attack campaign began.

Government and Industry Response

The US Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, requiring federal agencies to patch their systems by December 9. This follows earlier alerts about another critical vulnerability, CVE-2024-5910, in Palo Alto Networks’ Expedition firewall configuration tool.

Concerns Over Broader Exploitation

Palo Alto Networks’ Unit 42 threat intelligence division has expressed “moderate to high confidence” that a functional exploit chain for CVE-2024-0012 and CVE-2024-9474 is now publicly available. This could lead to widespread exploitation. The company has urged customers to secure their firewalls’ management interfaces by restricting access to trusted internal networks.

“The risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines,” the company stated.
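As an added illustration of the mitigation the company recommends above, the following PAN-OS CLI session limits management-interface access to an explicit allow-list of internal ranges. This is not from the article or from Palo Alto Networks' own advisory, and the address ranges and prompt are placeholders to be replaced with your own administrative subnets.

```text
# Added example: allow-list the PAN-OS management interface (placeholder ranges, not from the article).
admin@PA-FW> configure
# Review the current allow-list before changing it; an empty list means every source is permitted.
admin@PA-FW# show deviceconfig system permitted-ip
# Add only the subnets and hosts that administrators actually connect from.
admin@PA-FW# set deviceconfig system permitted-ip 10.10.0.0/24
admin@PA-FW# set deviceconfig system permitted-ip 10.10.1.5/32
admin@PA-FW# commit
admin@PA-FW# exit
# Confirm the device is on a fixed PAN-OS build after patching.
admin@PA-FW> show system info | match sw-version
```

Make sure the address you are administering from is in the list before committing, because the first entry turns the allow-list on and every other source is denied from that point.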

A Year of High-Profile Exploits

These latest exploits add to a series of high-severity vulnerabilities impacting Palo Alto Networks’ products in 2024:

  • July 2024: A flaw was patched that allowed attackers to reset administrator credentials on exposed Expedition servers.
  • Earlier in 2024: A maximum-severity firewall vulnerability, CVE-2024-3400, actively exploited and affecting over 82,000 devices globally, was addressed.

Call to Action

Palo Alto Networks has emphasized the importance of patching and adhering to best practices to minimize risks. With threat actors actively exploiting these vulnerabilities, swift action is critical to prevent further compromises.

Source: https://www.linkedin.com/pulse/warning-over-2000-palo-alto-networks-devices-compromised-nsaxe/
