2,000 Palo Alto Networks devices compromised in latest attacks


Attackers have compromised around 2,000 Palo Alto Networks firewalls by leveraging the two recently patched zero-days (CVE-2024-0012 and CVE-2024-9474), Shadowserver Foundation’s internet-wide scanning has revealed.

Compromised devices are predominantly located in the US and India, the nonprofit says.

Manual and automated scanning activity has been spotted

Approximately two weeks ago, Palo Alto Networks warned that attackers had been spotted leveraging a zero-day flaw to achieve remote code execution on vulnerable devices, and advised admins to make sure that access to the devices’ management interfaces was appropriately secured.

On Monday, the company confirmed that two zero-days were being exploited: CVE-2024-0012, which allows unauthenticated access to the management interface, and CVE-2024-9474, which allows attackers to escalate their privileges to root on compromised Palo Alto Networks firewalls. It also confirmed that attackers have been dropping webshells on the compromised devices.

watchTowr researchers followed that by publishing an analysis of how the two bugs can be used in concert and a Nuclei template that admins could leverage to check whether their devices are affected by them.

In the meantime, the attacks continued and Palo Alto thinks they may escalate.

“At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity,” the company’s incident responders have shared on Wednesday.

“Unit 42 has also observed both manual and automated scanning activity aligning with the timeline of third-party artifacts becoming widely available.”

Palo Alto Networks continues adding new indicators of compromise associated with these attacks.

The company has additionally revealed that the two vulnerabilities also affect its Panorama (firewall management) appliances, as well as its WildFire appliances, which are used for setting up sandbox systems to analyze suspicious files. (Those appliances are also running PAN-OS.)

Affected organizations are advised to check the security advisories for remediation guidance.

UPDATE (November 22, 2024, 02:20 p.m. ET):

“Arctic Wolf has observed multiple intrusions across a variety of industries involving Palo Alto Network firewall devices,” the company’s researchers shared today.

Based on the timing – the attacks started several hours after watchTowr published their analysis of the two vulnerabilities and explained how they can be exploited in tandem – and based on the names of some files observed in the attacks, “we assess with moderate confidence that these intrusions likely involved the exploitation of CVE-2024-0012 chained together with CVE-2024-9474 for initial access,” they said.

Following the initial compromise, in some instances the attackers tried to:

  • Download a Sliver C2 (command and control) implant
  • Exfiltrate data (mostly firewall configuration files, but also the operating system’s passwd and shadow files)
  • Deploy an obfuscated PHP webshell
  • Deploy the XMRig cryptocurrency miner on the compromised devices
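The four post-compromise actions above map onto host-level signals a responder can look for on an appliance or any Linux box running a web server: a dropped PHP file built around eval() over a decoder, a miner command line, an unexpected process reading the account database or the firewall configuration, and a binary running from a temp directory that has an outbound connection (the pattern a dropped C2 implant such as Sliver leaves). The triage script below is an added example, not code from the article, Arctic Wolf, Palo Alto Networks or Unit 42; the snapshot format (process list, web files, file reads, connections), every sample value in it, and the configuration path prefix are constructed for illustration, and the heuristics are generic rather than the vendor’s published indicators of compromise.

```python
"""Host triage heuristics for the post-compromise actions listed above.

Added example (not from the article or the vendors named in it). The
snapshot layout and all sample values are constructed; the config path
prefix is a placeholder to be replaced with the appliance's real one.
"""
import re
from typing import Dict, List, Tuple

# Two common webshell shapes: eval() fed by a decoder, or a request
# parameter passed straight into a command-execution function.
WEBSHELL_PATTERNS = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    re.compile(r"(system|exec|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I),
]
# Miner command lines: the XMRig binary name, a stratum pool URL, or its donate flag.
MINER_PATTERN = re.compile(r"xmrig|stratum\+(tcp|ssl)://|--donate-level", re.I)
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Processes that legitimately read the account database on a Linux host.
EXPECTED_READERS = {"sshd", "login", "su", "sudo", "passwd"}
CONFIG_PREFIX = "/example/firewall-config/"  # placeholder, not a real PAN-OS path


def check_webshells(web_files: Dict[str, str]) -> List[str]:
    """Flag PHP files whose content matches a webshell pattern."""
    return [f"webshell: {path}" for path, content in web_files.items()
            if any(p.search(content) for p in WEBSHELL_PATTERNS)]


def check_miners(processes: List[dict]) -> List[str]:
    """Flag processes whose command line looks like a cryptominer."""
    return [f"miner: pid {p['pid']} {p['cmdline']}"
            for p in processes if MINER_PATTERN.search(p["cmdline"])]


def check_sensitive_reads(file_reads: List[Tuple[str, str]],
                          config_prefix: str = CONFIG_PREFIX) -> List[str]:
    """Flag reads of passwd/shadow or the firewall config by unexpected processes."""
    findings = []
    for proc, path in file_reads:
        sensitive = path in SENSITIVE_FILES or path.startswith(config_prefix)
        if sensitive and proc not in EXPECTED_READERS:
            findings.append(f"sensitive-read: {proc} -> {path}")
    return findings


def check_temp_implants(processes: List[dict],
                        connections: List[Tuple[int, str]]) -> List[str]:
    """Flag binaries executing from a temp directory that hold an outbound
    connection: the footprint of a dropped C2 implant."""
    connected = {pid for pid, _ in connections}
    return [f"implant: pid {p['pid']} {p['exe']}" for p in processes
            if p["exe"].startswith(TEMP_DIRS) and p["pid"] in connected]


def triage(snapshot: dict) -> List[str]:
    """Run every check over one host snapshot and return all findings."""
    return (check_webshells(snapshot["web_files"])
            + check_miners(snapshot["processes"])
            + check_sensitive_reads(snapshot["file_reads"])
            + check_temp_implants(snapshot["processes"], snapshot["connections"]))


# Constructed snapshot: one clean page, one dropped shell, an implant in /tmp,
# a miner in /var/tmp, and the implant reading shadow plus the firewall config.
SAMPLE_SNAPSHOT = {
    "web_files": {
        "/var/www/html/index.php": "<?php echo 'hello'; ?>",
        "/var/www/html/uploads/x.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    },
    "processes": [
        {"pid": 1, "exe": "/usr/sbin/sshd", "cmdline": "/usr/sbin/sshd -D"},
        {"pid": 4821, "exe": "/tmp/.x/update", "cmdline": "/tmp/.x/update"},
        {"pid": 4830, "exe": "/var/tmp/kworker",
         "cmdline": "/var/tmp/kworker -o stratum+tcp://pool.example:3333 --donate-level 1"},
    ],
    "connections": [(4821, "203.0.113.10:443"), (4830, "198.51.100.7:3333")],
    "file_reads": [
        ("sshd", "/etc/passwd"),
        ("update", "/etc/shadow"),
        ("update", "/example/firewall-config/running-config.xml"),
    ],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print(finding)
```

Each check is deliberately independent so a single noisy heuristic (the temp-directory rule will fire on legitimate installers, for example) can be tuned or dropped without touching the others; on a real incident the vendor’s published indicators of compromise should be layered on top of these generic rules, not replaced by them.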

Zeljka Zorz
