Threat actors already hacked thousands of Palo Alto Networks firewalls exploiting recently patched zero-day vulnerabilities.
Thousands of Palo Alto Networks firewalls have reportedly been compromised in attacks exploiting recently patched zero-day vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in PAN-OS.
CVE-2024-0012 is a vulnerability in Palo Alto Networks PAN-OS that allows unauthenticated attackers with network access to the management web interface to bypass authentication and gain administrator privileges. This access enables administrative actions, configuration tampering, or exploitation of other vulnerabilities like CVE-2024-9474. The issue affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2 but does not impact Cloud NGFW or Prisma Access.
CVE-2024-9474 is a privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
In mid-November, Palo Alto Networks confirmed it had observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet.
Palo Alto said the zero-day has been exploited to deploy web shells on compromised devices, granting persistent remote access.
“Palo Alto Networks and Unit 42 are engaged in tracking a limited set of exploitation activity related to CVE-2024-0012 and CVE-2024-9474 and are working with external researchers, partners, and customers to share information transparently and rapidly.” reads the report published by Palo Alto.
The cybersecurity firm initially observed malicious activities originating from the following IP addresses
- 136.144.17[.]*
- 173.239.218[.]251
- 216.73.162[.]*
The advisory pointed out that these IP addresses may be associated with VPN services, for this reason, they are also associated with legitimate user activity.
“Palo Alto Networks continues to track additional threat activity following the public release of technical insights and artifacts by third-party researchers beginning on Nov. 19, 2024. At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity.” continues the report. “Unit 42 has also observed both manual and automated scanning activity aligning with the timeline of third-party artifacts becoming widely available.”
The investigation is ongoing, and the cybersecurity firm updated the list of Indicators of Compromise.
Shadowserver researchers, who are tracking the number of compromised Palo Alto Networks firewalls, reported that approximately 2,000 have been hacked due to a CVE-2024-0012/CVE-2024-9474 campaign. Most of the hacked devices are in the US (554) and India (461).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, PAN-OS)