
In recent weeks, the cybersecurity landscape has faced a serious threat: 2,000 Palo Alto Networks firewalls were compromised following attacks targeting two recently patched 0-day vulnerabilities.

These attacks highlight the constant danger organisations face in protecting their critical infrastructure.


Vulnerabilities involved

Palo Alto Networks has released security updates to fix two zero-day vulnerabilities actively exploited in its Next-Generation Firewalls (NGFW):

CVE-2024-0012: An authentication bypass vulnerability in the PAN-OS web management interface that allows an unauthenticated attacker to gain full administrative privileges on the device.

CVE-2024-9474: Published only a few days ago, this vulnerability allows remote execution of commands with root privileges on the firewall. The two vulnerabilities were exploited in combination, chaining the authentication bypass with the privilege escalation and significantly increasing the impact of the attack.


Ongoing attacks and impacts

These vulnerabilities were initially highlighted on 8 November, when Palo Alto Networks advised customers to restrict access to their firewalls. Despite these warnings, threat monitoring detected more than 8,700 exposed PAN-OS management interfaces.

The US Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Catalogue of Exploited Vulnerabilities and required federal agencies to fix their systems by 9 December.

Previously, CISA had also warned of attacks exploiting CVE-2024-5910, a missing authentication vulnerability in the Palo Alto Networks Expedition firewall configuration migration tool, a flaw corrected in July.

According to Palo Alto Networks, the attacks initially focused on a limited number of device management interfaces, but the situation quickly worsened. More than 2,700 vulnerable PAN-OS devices have been identified. Of these, 2,000 firewalls have already been compromised.

Once they have gained access, attackers deploy malware and execute malicious commands, indicating that a well-defined exploit chain is already in circulation. This rapid development poses a significant threat to companies in all sectors.


Actions to be taken

Palo Alto Networks has issued urgent recommendations to its customers:

  1. Restrict access to management interfaces to internal networks with trusted IP addresses only.
  2. Immediately update vulnerable devices with the latest patches.
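The first recommendation can be checked against an exported firewall configuration. The following script is an added example (not Palo Alto Networks' own tooling) that audits the management-interface allow-list in a constructed sample config; it assumes the export uses the PAN-OS layout in which permitted source addresses sit under deviceconfig/system/permitted-ip, and it treats the trusted networks listed in TRUSTED_NETS as an assumed, site-specific input.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS running-config export (assumed layout).
# It deliberately contains a catch-all 0.0.0.0/0 entry to show the finding.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <permitted-ip>
        <entry name="10.10.0.0/24"/>
        <entry name="0.0.0.0/0"/>
      </permitted-ip>
    </system></deviceconfig>
  </entry></devices>
</config>"""

# Internal networks from which management access is acceptable (assumed values).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24"),
                ipaddress.ip_network("192.168.50.0/24")]


def audit_permitted_ips(config_xml, trusted_nets):
    """Return a list of findings about the management-interface allow-list.

    An empty list means every permitted-ip entry lies inside a trusted network.
    """
    root = ET.fromstring(config_xml)
    entries = root.findall("./devices/entry/deviceconfig/system/permitted-ip/entry")
    findings = []
    if not entries:
        # With no allow-list, the management interface accepts connections
        # from any source address.
        return ["no permitted-ip entries: management interface reachable from any address"]
    for entry in entries:
        # Entries may be single hosts or CIDR ranges; ip_network handles both.
        net = ipaddress.ip_network(entry.get("name"), strict=False)
        if net.prefixlen == 0:
            findings.append(f"{net}: catch-all entry defeats the allow-list")
        elif not any(net.subnet_of(t) for t in trusted_nets if t.version == net.version):
            findings.append(f"{net}: not within a trusted internal network")
    return findings


if __name__ == "__main__":
    for finding in audit_permitted_ips(SAMPLE_CONFIG, TRUSTED_NETS):
        print("FINDING:", finding)
```

Run it against a real export by reading the file into `audit_permitted_ips` instead of SAMPLE_CONFIG; any finding means the interface is reachable from addresses outside the trusted networks.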


More details on the recommended actions are available on the official Palo Alto Networks Unit 42 blog.


Lessons learned

  • Speed is of the essence. The time interval between the discovery of a vulnerability and its correction must be as short as possible.
  • Network segmentation. Restricting access to critical devices to only trusted networks is a key measure to prevent similar exploits.
  • Continuous monitoring. Organisations must use advanced monitoring tools to detect suspicious activity on critical devices.


This event emphasises that cybersecurity is not a permanent condition, but an ongoing process. Implementing proactive measures, constantly monitoring emerging threats and reacting in a timely manner are the pillars for protecting corporate infrastructures.


Analysis of Vasily Kononov – Threat Intelligence Lead, CYBEROO