Attackers have exploited two critical zero-day vulnerabilities—CVE-2024-0012 and CVE-2024-9474—to compromise approximately 2,000 Palo Alto Networks firewalls. These vulnerabilities have allowed cybercriminals to gain unauthorized access and escalate privileges on targeted devices, posing a significant threat to organizations worldwide.
What Happened?
The Shadowserver Foundation’s internet-wide scanning revealed the compromise of thousands of firewalls, primarily in the US and India. Palo Alto Networks initially warned about suspicious activities on its devices two weeks ago, urging administrators to secure the management interfaces.
This week, Palo Alto Networks confirmed that attackers exploited two distinct vulnerabilities:
- CVE-2024-0012: Allows unauthenticated access to the management interface.
- CVE-2024-9474: Enables attackers to escalate privileges to root, allowing them to execute malicious activities such as dropping webshells.
Exploitation and Attack Details
WatchTowr researchers analyzed how the vulnerabilities can be chained for exploitation and shared a Nuclei template to help administrators detect impacted systems. However, the availability of this information escalated the attack timeline.
Palo Alto Networks’ Unit 42 team noted:
- Functional exploits are likely available publicly, increasing the risk of widespread attacks.
- Indicators of compromise (IoCs) continue to grow, requiring constant monitoring and action.
Affected Systems
The vulnerabilities are not limited to firewalls. Palo Alto Networks confirmed that its Panorama firewall management appliances and WildFire sandboxing systems running PAN-OS are also affected.
Ongoing Exploits
Recent updates show attackers are actively exploiting the vulnerabilities:
- Dropping a Sliver Command and Control implant
- Exfiltrating firewall configuration files and sensitive OS data
- Deploying obfuscated PHP webshells
- Installing XMRig cryptominers on compromised devices
Mitigation Steps
Organizations using Palo Alto Networks devices should:
- Review security advisories issued by Palo Alto Networks for detailed remediation guidance.
- Patch affected devices immediately with the latest updates.
- Secure management interfaces by restricting access and enabling multi-factor authentication (MFA).
- Monitor IoCs published by Palo Alto Networks and third-party researchers.
Industry Response
Companies like Arctic Wolf have observed similar intrusions across various industries, further emphasizing the need for immediate action. Palo Alto Networks is actively working with customers to mitigate the impact, particularly for those unable to implement fixes in time.
Conclusion
The exploitation of CVE-2024-0012 and CVE-2024-9474 highlights the critical need for proactive security measures. Organizations using affected devices must act swiftly to mitigate risks and protect sensitive assets. Palo Alto Networks continues to provide updates and guidance, underscoring the importance of staying informed in an evolving threat landscape.