1000s of Palo Alto Networks firewalls hijacked as miscreants exploit critical hole

November 22, 2024 at 04:31PM

Attackers exploited two recently patched vulnerabilities in Palo Alto Networks firewalls, compromising around 2,000 devices initially, a count that later fell to about 800. They deployed backdoors, malware, and cryptocurrency miners. The vulnerabilities enabled remote code execution, and the vendor continues to refer to only a “limited number” of affected systems.

### Meeting Takeaways:

1. **Incident Overview**:
– A significant number of Palo Alto Networks firewalls were compromised by attackers using two recently patched vulnerabilities. These intrusions allowed for the deployment of backdoors for remote control and installation of malware, including cryptocurrency miners.

2. **Scale of Compromises**:
– As of Wednesday, approximately 2,000 devices were reported hijacked; by Thursday, this number had decreased to about 800. Palo Alto Networks refers to these as a “limited number” of affected installations in its security advisories.

3. **Vulnerability Details**:
– Two vulnerabilities were identified:
  – **CVE-2024-0012**: Critical authentication bypass (CVSS 9.3).
  – **CVE-2024-9474**: Medium-severity privilege escalation (CVSS 6.9).
– Both vulnerabilities can be exploited together, leading to remote code execution (RCE) on the management interface of PAN-OS.

4. **Exploitation Timeline**:
– Exploits were reportedly observed starting Sunday, with an increase in activity following a public proof-of-concept exploit on Tuesday.

5. **Malware Deployment**:
– Attackers are using the gained access to deploy web shells, Sliver implants, and cryptocurrency miners. A specific Sliver implant (identified as b4378712adf4c92a9da20c0671a06d53cbd227c8) was noted, utilizing the command-and-control (C2) address 77.221.158[.]154.

6. **Threat Actor Behavior**:
– There are indications that this threat actor has been exploiting PAN-OS devices over several months, employing various methods to compromise the systems and use them to distribute malware.

7. **Vendor Communication**:
– The Register has reached out to Palo Alto Networks for additional clarification on the number of compromised devices and is awaiting a response.

### Next Steps:
– Continue monitoring for updates from Palo Alto Networks regarding the situation and their communications.
– Assess the security measures in place for any systems running PAN-OS to mitigate potential vulnerabilities and exposure.
