By exploiting two new zero-day vulnerabilities discovered in widely used software developed by cybersecurity behemoth Palo Alto Networks, malicious hackers have the potential to compromise thousands of organizations.
On Wednesday, security researchers at Palo Alto Networks reported that they have observed a “limited set of exploitation activity” associated with the two vulnerabilities in PAN-OS. This operating system powers all of Palo Alto’s next-generation firewalls.
The bugs are classified as zero-days because they were being exploited before the company could release patches for them.
The first of the two bugs the company has seen exploited, CVE-2024-0012, enables an attacker with network access to the management web interface to gain administrator privileges.
The second bug, tracked as CVE-2024-9474, enables an attacker to perform actions on the compromised firewall with root privileges, the highest level of access on the device.
The combination of these vulnerabilities enables an attacker to remotely install malicious code on affected firewalls with the highest possible privileges, thereby enabling deeper access to a company’s network.
Palo Alto Networks has reported that attackers are currently using a working exploit that chains the two vulnerabilities together to target a “limited number of device management web interfaces” exposed to the internet.
Hackers have already exploited the two recently patched vulnerabilities to compromise over 2,000 Palo Alto Networks firewalls, according to the Shadowserver Foundation, a nonprofit organization that searches and monitors the internet for vulnerability exploitation.
The nonprofit found that the United States had the highest number of compromised devices, followed by India. Compromised firewalls were also observed in the United Kingdom, Australia, and mainland China.
Arctic Wolf, a cybersecurity company based in the United States, reported this week that its researchers had observed hackers exploiting the two Palo Alto firewall vulnerabilities to access customer networks as early as November 19. The company published its observation after a proof-of-concept exploit had been released.
Arctic Wolf’s threat intelligence researcher, Andres Ramos, stated in the company’s blog post, “We have observed threat actors attempting to transfer tools into the environment and exfiltrate config files from the compromised devices upon successful exploitation.”
Palo Alto Networks issued patches for the two vulnerabilities and encouraged organizations to apply them as soon as feasible. The two vulnerabilities have also been included in the Known Exploited Vulnerabilities catalog of the U.S. cybersecurity agency, CISA.
Inclusion in the catalog effectively requires civilian federal agencies to secure their systems within three weeks.
Researchers at security firm watchTowr Labs reverse-engineered Palo Alto’s patches and concluded that the flaws stemmed from basic mistakes in the development process.
These are the latest in a series of vulnerabilities found in recent months in corporate security devices, including firewalls, VPN products, and remote access tools.
Such devices sit on the perimeter of a company’s network and serve as digital gatekeepers. This is Palo Alto Networks’ second significant security alert of the year, and it follows the discovery of vulnerabilities in comparable products developed by cybersecurity vendors Check Point and Ivanti.