The ShadowServer Foundation reports that more than 2,000 Palo Alto Networks firewalls have been hacked through two zero-day vulnerabilities, CVE-2024-0012 and CVE-2024-9474, which enable admin bypass and root access. Top targets: US and India.

Cybersecurity researchers at ShadowServer have revealed that around 2,000 Palo Alto Networks firewalls have been compromised. The breaches take advantage of recently identified zero-day vulnerabilities in the company’s PAN-OS software, tracked as CVE-2024-0012 and CVE-2024-9474.

The vulnerabilities

CVE-2024-0012: This vulnerability is an authentication bypass in the PAN-OS management web interface. It allows remote attackers to gain administrator privileges without authenticating, which means they can tamper with firewall settings and leave the device open to further exploitation.

CVE-2024-9474: This flaw is a privilege escalation issue. Once exploited, it allows attackers to execute commands with root privileges, giving them full control over the compromised firewall.

Heads up! Thanks to collaboration with the Saudi NCA, we are now scanning and reporting compromised Palo Alto Networks devices as a result of the CVE-2024-0012/CVE-2024-9474 campaign. ~2000 compromised incidents found on 2024-11-20: dashboard.shadowserver.org/statistics/c… Most affected: US and India

– ShadowServer Foundation (@shadowserver.bsky.social) November 21, 2024 at 9:45 am

Operation Lunar Peek – ongoing threat activity

Palo Alto Networks has named the early exploitation of these vulnerabilities “Operation Lunar Peek”. The company initially warned customers on Nov. 8 to limit access to its next-generation firewalls because of a remote code execution flaw.

Since then, the company has seen a significant increase in threat activity following the public release of technical insights by third-party researchers on November 19, 2024.

Unit 42, Palo Alto Networks’ threat intelligence team, assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which could enable widespread threat activity.

The company is currently investigating ongoing attacks that combine these two vulnerabilities against a limited number of device management web interfaces. It has seen threat actors drop malware and execute commands on compromised firewalls, indicating that an exploit chain is likely already in use.

Recommendations for users

Palo Alto Networks provides several recommendations for reducing risk:

  • Monitoring and Evaluation: Users should monitor for any suspicious or unusual activity on devices with management web interfaces exposed on the Internet. After applying a patch, it is critical to review firewall configurations and audit logs for any signs of unauthorized administrator activity.
  • Patch immediately: Users are advised to update their systems to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Detailed information about affected products and versions can be found in the Palo Alto Networks Security Advisories.
  • Restrict access: To minimize risk, Palo Alto Networks recommends restricting access to the management web interface to trusted internal IP addresses only. This is in line with their recommended best practice deployment guidelines.
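As an added example (not code from the article or from Palo Alto Networks), a small triage script that applies the first and third recommendations to audit-log entries: it flags management-interface sessions from outside trusted internal ranges and administrator accounts that are not expected, and ranks configuration commits from such sessions highest. The log line format, trusted networks and admin account names are constructed assumptions, not the PAN-OS native log format.

```python
import ipaddress
import re
from typing import Dict, List

# Assumptions for this example: trusted internal management networks and the
# administrator accounts you expect to see. Replace with your own values.
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
KNOWN_ADMINS = {"admin", "netops"}

# Constructed, simplified audit-log line format used here (NOT the PAN-OS native format):
#   <timestamp> src=<ip> user=<account> action=<login|commit|logout> detail=<text>
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) action=(\S+) detail=(.*)$")


def triage_admin_activity(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per audit entry that looks like unauthorized admin activity."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, src, user, action, _detail = m.groups()
        reasons = []
        try:
            outside = not any(ipaddress.ip_address(src) in net for net in TRUSTED_MGMT_NETS)
        except ValueError:
            outside = True  # an unparseable source address is itself suspicious
        if outside:
            reasons.append("management access from outside trusted networks")
        if user not in KNOWN_ADMINS:
            reasons.append("unknown administrator account")
        if not reasons:
            continue
        # A configuration commit from a suspicious session deserves the highest priority.
        severity = "high" if action == "commit" else "medium"
        findings.append({"time": ts, "src": src, "user": user, "action": action,
                         "severity": severity, "reason": "; ".join(reasons)})
    return findings


# Constructed sample entries: two legitimate internal actions, then two from an
# Internet-facing source, the second of which commits a new administrator account.
SAMPLE_LOG = [
    "2024-11-20T08:01:10Z src=10.1.2.3 user=admin action=login detail=web-ui",
    "2024-11-20T08:05:42Z src=10.1.2.3 user=admin action=commit detail=policy-update",
    "2024-11-20T09:17:05Z src=203.0.113.45 user=admin action=login detail=web-ui",
    "2024-11-20T09:18:30Z src=203.0.113.45 user=svc_tmp action=commit detail=new-admin-account",
]

if __name__ == "__main__":
    for f in triage_admin_activity(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['user']}@{f['src']} {f['action']}: {f['reason']}")
```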

Expert view

Elad Lowes, head of research at Oasis Security, emphasizes the importance of quick action before patching. He advises affected users to limit access to the web management interface, preferably allowing only internal IPs. Lowes also emphasizes the need to ensure that devices are free of any potential malware or harmful configurations after patching.
