Virtual shields showing exploited vulnerabilities on Palo Alto firewalls

Over 2,000 Palo Alto Firewalls Compromised via Exploited Vulnerabilities

Hackers have compromised thousands of organizations by exploiting two patched zero-day security vulnerabilities in Palo Alto firewalls affecting the devices’ management web interfaces.

Palo Alto Networks’ Unit 42 cyber intelligence division said it detected threat activity targeting vulnerable devices on Nov. 18, 2024, involving IP addresses associated with anonymous VPN services.

The activity involved post-exploitation activities, including interactive command execution and malware dropping, such as webshells.

The attacks exploited the authentication bypass vulnerability CVE-2024-0012 and the privilege escalation flaw CVE-2024-9474 in the PAN-OS management web interface to gain administrative privileges and execute commands.

Broader exploitation of Palo Alto firewalls

While Unit 42 says only a “very small number” of vulnerable Palo Alto firewalls were affected, it warned that once the “functional exploit chaining” of the security vulnerabilities is publicly available, it would lead to “broader threat activity.”

Threat intelligence firm Shadowserver says it is monitoring 2,700 vulnerable Palo Alto firewalls, of which 2,000 have already been exploited, suggesting a high exploitation rate, with the United States and India mainly affected.

“The immediate danger is that attackers exploiting these vulnerabilities can gain full control over affected firewalls, compromising the very systems designed to protect sensitive networks,” said Patrick Tiquet, Vice President, Security & Architecture at Keeper Security. “This opens the door for malware deployment, data theft, lateral movement within the network and even complete network shutdowns.”

While Palo Alto had discovered exploitation in the wild by November 15, cybersecurity firm Artic Wolf also says there is evidence that exploitation of vulnerable Palo Alto firewalls was still ongoing by November 19.

“We have detected exploitation of CVE-2024-9474 chained with CVE-2024-0012 in customer environments,” the company said, adding that the attackers attempted “to transfer tools into the environment and exfiltrate config files from the compromised devices.”

Unit 42 advises customers to secure their Palo Alto firewalls by restricting access to internal networks. Palo Alto Networks has also released patches for the medium-severity exploited vulnerabilities.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, directing civilian federal agencies to patch them within three weeks, effective by December 9.

“Organizations should also adopt a proactive approach to managing their attack surface, such as restricting access to management interfaces, implementing strong authentication and leveraging Privileged Access Management (PAM) solutions to protect administrative controls,” Tiquet added. “While patching is critical, ongoing vigilance and layered defenses are equally essential to minimize risks from similar threats in the future.”

Meanwhile, Palo Alto Networks has yet to identify or disclose the threat actor behind the malicious campaign tracked as Operation Lunar Peek. Similarly, the nature of the target organizations is undisclosed.

However, nation-state actors target network security devices to compromise high-profile organizations such as federal agencies, IT companies, telecommunications, and defense contractors.

Various network devices affected by security vulnerabilities

Despite sitting at the network perimeter, numerous security flaws have impacted Palo Alto firewalls, putting corporate networks at risk.

In November, Palo Alto Networks discovered a critical severity flaw, CVE-2024-5910, affecting the Palo Alto Networks Expedition configuration tool. This flaw could allow threat actors to reset credentials, resulting in the admin account takeover.

In April 2024, the company also discovered a critical-severity command injection vulnerability, CVE-2024-3400, affecting the PAN-OS firewall. This exploited vulnerability affected 82,000 devices, prompting CISA to add it to the KEV catalog and direct federal agencies to patch it within seven days.

Besides Palo Alto firewalls, other network security devices have also reported various security flaws potentially resulting in exploitations.

In August 2023, Ivanti discovered a critical authentication bypass vulnerability CVE-2023-38035 that could allow an attacker to access the device’s administrative interface due to an insecure Apache HTTPD configuration. Similarly, Check Point reported a high-severity exploited zero-day vulnerability CVE-2024-24919, affecting its Network Security gateways.