Unpatched security vulnerabilities

Cyberattacks on Palo Alto Networks firewall devices


Several security breaches have been observed at companies across different industries in which firewall devices from Palo Alto Networks were involved.

Two vulnerabilities in Palo Alto Networks OS (PAN-OS)

On November 18, 2024, Palo Alto Networks announced two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in Palo Alto Networks OS (PAN-OS), the operating system used on its firewall devices. A day later, watchTowr published a report with technical details on how the two vulnerabilities can be chained together to achieve remote code execution.


Within hours of the release of the watchTowr report, Arctic Wolf Labs observed several attacks targeting Palo Alto Networks devices. Based on the close timing of the release of the watchTowr report and additional evidence reviewed by Arctic Wolf Labs, Arctic Wolf believes there is a medium probability that these intrusions exploited CVE-2024-0012 in conjunction with CVE-2024-9474 for initial access.

Other important findings from Arctic Wolf:

  • Affected devices triggered downloads via HTTP, including the Sliver C2 framework, Coinminer binaries and various other payloads.
  • There are indications that threat actors have exploited the recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 to gain initial access.
  • Monitoring firewall logs for usernames with unusual characters provides a way to detect kill chains at an early stage.
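The detection idea in the last bullet, as an added example that is not from Arctic Wolf or the original article: a small Python filter over constructed, simplified key=value log lines (the `user=` and `src=` field names are assumptions, not the real PAN-OS log format) that flags usernames containing characters outside a conservative allow-list.

```python
import re
from typing import List, Optional, Tuple

# Characters a legitimate administrator name is expected to contain:
# letters, digits, dot, underscore, hyphen, @ and backslash (DOMAIN\user).
# Anything else (quotes, backticks, braces, semicolons, whitespace) is unusual.
ALLOWED = re.compile(r'^[A-Za-z0-9._@\\-]+$')

# The user field may be bare (user=admin) or quoted (user="..."), an assumption.
USER_FIELD = re.compile(r'\buser=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in a simplified key=value export format (not real PAN-OS output).
SAMPLE_LOG = """\
2024-11-19T10:01:02Z type=auth result=failure user=admin src=203.0.113.7
2024-11-19T10:01:05Z type=auth result=failure user="`id`" src=203.0.113.7
2024-11-19T10:01:09Z type=auth result=success user=j.doe src=198.51.100.4
2024-11-19T10:02:11Z type=auth result=failure user="a;$(x)" src=203.0.113.7
2024-11-19T10:02:30Z type=auth result=success user=CORP\\svc-backup src=198.51.100.9
"""


def extract_user(line: str) -> Optional[str]:
    """Return the username from a log line, or None if the line has no user field."""
    m = USER_FIELD.search(line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_unusual(username: str) -> bool:
    """True when the username contains any character outside the allow-list."""
    return ALLOWED.fullmatch(username) is None


def find_unusual_usernames(log_text: str) -> List[Tuple[str, str]]:
    """Return (source_ip, username) pairs whose username looks like injected input."""
    hits = []
    for line in log_text.splitlines():
        user = extract_user(line)
        if user is None or not is_unusual(user):
            continue
        src = re.search(r'\bsrc=(\S+)', line)
        hits.append((src.group(1) if src else "?", user))
    return hits


if __name__ == "__main__":
    for src, user in find_unusual_usernames(SAMPLE_LOG):
        print(f"ALERT unusual username from {src}: {user!r}")
```

In practice the allow-list should be tightened to the naming convention actually used for administrators on the device, and repeated hits from one source address are the signal to escalate.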

Keri Shafer-Page, VP of Incident Response at Arctic Wolf, assesses the situation as follows:

“The two vulnerabilities CVE-2024-0012 and CVE-2024-9474 in the Palo Alto Networks operating system are an example of the opportunities presented to cybercriminals by the concatenation of two unpatched vulnerabilities. As the hacker community is constantly evolving and combining new tactics, techniques and procedures (TTPs) with innovative tools, gaps in systems must be detected and closed immediately.

The threat actor activities reported so far are only a fraction of what the potential consequences of these observations could be. We know that cybercriminals will stop at nothing to infiltrate corporate systems by any means and profit from similar threats. Companies must therefore react quickly to protect themselves and their customers.”


You can find more information on this topic here in the Arctic Wolf blog.

(vp/Arctic Wolf)
