Palo Alto Networks Releases Fixes for Firewall Zero-Day as First Attribution Attempts Emerge

April 15, 2024 at 06:54AM

Palo Alto Networks has released hotfixes for a zero-day vulnerability (CVE-2024-3400) that state-sponsored actors have been exploiting. Vulnerable firewalls allow remote attackers to execute code with root privileges. Initial mitigations were issued first, and further hotfixes are expected. Compromised devices were used for data exfiltration and for deploying a new Python backdoor. Attribution to BianLian or Lazarus has been speculated but remains unconfirmed.

Key takeaways:

– Palo Alto Networks has released hotfixes for a zero-day vulnerability (CVE-2024-3400) exploited by state-sponsored threat actors.
– The vulnerability allows remote, unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls with GlobalProtect and device telemetry enabled.
– The company initially released mitigations and later started issuing hotfixes for impacted PAN-OS versions.
– Approximately 40,000 potentially impacted Palo Alto Networks appliances were identified through Shodan and Censys search engines.
– The threat actor behind the attacks is tracked as UTA0218 by Volexity; VulDB’s CTI team has speculated a possible association with BianLian/Lazarus, which remains unconfirmed.
– A proof-of-concept exploit for CVE-2024-3400 that circulated publicly was identified by the cybersecurity community as fake.
