Thousands of Palo Alto Networks Firewalls Compromised

Threat actors have exploited two zero-day vulnerabilities discovered in Palo Alto Networks firewall devices.

Arctic Wolf Labs is tracking intrusions across a range of industries involving Palo Alto Network firewall devices. Earlier this week, Palo Alto Networks disclosed two vulnerabilities in the operating system used on the firewall devices. Palo Alto Networks has released patches for the vulnerabilities.

According to the ShadowServer Foundation, thousands of Palo Alto Networks firewalls have been compromised via the vulnerabilities.

Channel Futures couldn't reach Palo Alto Networks for further comment.

“When these vulnerabilities are exploited, we’ve observed a variety of activities, including exfiltration of device configurations and credentials, along with the deployment of various payloads including coinminers, botnet malware, PHP webshells and C2 frameworks,” Arctic Wolf Labs said. “While we’ve managed to intervene early when we’ve seen such activities occurring, allowing attacks to progress further in the cyber kill chain could lead to more severe consequences, such as ransomware attacks and disclosure of sensitive information.”

Targeting Misconfigured Palo Alto Networks Devices

Threat actors are liable to target organizations using Palo Alto Networks devices that are misconfigured, and organizations without strong external monitoring and alerting for perimeter devices are at a higher risk of severe consequences from intrusion, according to Arctic Wolf Labs.

Related:Mandiant: 'Mass Exploitation' of Fortinet FortiManager Vulnerability

“The first priority should be to ensure that firewall devices are not configured to expose their management interfaces on the public internet while ensuring that access is limited to trusted internal IP addresses,” the company said. “If this is neglected, organizations are at risk of not just this vulnerability, but potentially others in the future as well. This is in line with what Palo Alto Networks recommends. To facilitate an early response and stop these attacks before they become a major problem, external monitoring and alerting should be used for perimeter devices. Organizations should also pay close attention to unusual HTTP activity on such devices as it emerges, as described in our research.”

If these vulnerabilities remain unpatched in an organization’s environment, further exploitation could occur, Arctic Wolf Labs said.

“The threat activity we’ve described here only scratches the surface of how threat actors could leverage these vulnerabilities,” it said. “Beyond this vulnerability, we’ve seen a high amount of interest amongst threat actors to compromise firewalls and VPN gateway devices. We expect that trend to continue well into the coming year. There is no magic bullet to make these threats disappear, but organizations would benefit from proactive auditing and hardening of their security configurations to minimize their risks.”

Related:Cybersecurity Dominates 2024 MSP 501 Services

Gaining Full Control

Patrick Tiquet, Keeper Security’s vice president of security and architecture, said the immediate danger is that attackers exploiting these vulnerabilities can gain full control over affected firewalls, compromising the very systems designed to protect sensitive networks.

Keeper Security's Patrick Tiquet

“This opens the door for malware deployment, data theft, lateral movement within the network and even complete network shutdowns,” he said. “For organizations relying on these firewalls, this could mean business disruption, loss of sensitive data, and exposure to regulatory and financial consequences.”

Beyond patching, security teams must prioritize assessing the potential damage from compromised firewalls, Tiquet said. This includes checking for unauthorized access, scanning for malware and reviewing configurations to ensure no additional vulnerabilities were introduced during the attack.

“Organizations should also adopt a proactive approach to managing their attack surface, such as restricting access to management interfaces, implementing strong authentication and leveraging privileged access management (PAM) solutions to protect administrative controls,” he said. “While patching is critical, ongoing vigilance and layered defenses are equally essential to minimize risks from similar threats in the future.”