Highly Capable Hackers Exploiting Maximum-Severity Firewall Vulnerability


Severe Zero-Day Vulnerability Exploited in Palo Alto Networks Firewall

Researchers have uncovered a highly capable cyber attack targeting multiple corporate networks through a critical zero-day vulnerability in a firewall product from Palo Alto Networks. The vulnerability, tracked as CVE-2024-3400, has been actively exploited for at least two weeks; it allows unauthenticated attackers to execute malicious code with root privileges, the highest level of system access. It has been rated at the maximum severity score of 10.0 because of the extent of compromise it permits and its ease of exploitation.

Ongoing Attacks on Firewalls, VPNs, and File-Transfer Appliances

This recent attack is part of a wave of cyber attacks targeting firewalls, Virtual Private Networks (VPNs), and file-transfer appliances. These devices are popular targets for attackers because of the many vulnerabilities found in them and because a compromised device provides a direct pathway into the most sensitive areas of a network.

The vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls that have both the GlobalProtect gateway and device telemetry enabled. Palo Alto Networks has not yet released a patch, so affected customers are advised to apply the workarounds and mitigation strategies detailed here. These recommendations include enabling Threat ID 95187 for subscribers to the Threat Prevention service and applying vulnerability protection to the GlobalProtect interface.
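The affected population and the two interim mitigations above translate directly into a fleet triage check. The script below is an added example written for this article; it is not code from Palo Alto Networks or Volexity. The inventory format, the field names on the `Firewall` record (for instance `vuln_protection_interfaces`) and the sample devices are constructed; the release trains, the GlobalProtect-plus-telemetry condition, Threat ID 95187 and the GlobalProtect-interface protection come from the text above.

```python
"""Triage helper: which PAN-OS firewalls fall in the affected population the
article describes for CVE-2024-3400, and which of the two named interim
mitigations are missing on each?

Added example for this article, not vendor or Volexity code. Inventory fields
and sample devices are constructed; versions, the GlobalProtect+telemetry
condition and the mitigations come from the article.
"""
from dataclasses import dataclass, field

# Release trains named in the article, as (major, minor).
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}
# Threat Prevention signature the article says to enable.
THREAT_ID = 95187


@dataclass
class Firewall:
    name: str
    panos_version: str            # e.g. "11.1.2-h3" (hotfix suffix optional)
    globalprotect_gateway: bool   # GlobalProtect gateway configured
    device_telemetry: bool        # device telemetry enabled
    threat_ids_enabled: set[int] = field(default_factory=set)
    # Interfaces carrying a vulnerability-protection profile (constructed field).
    vuln_protection_interfaces: set[str] = field(default_factory=set)
    globalprotect_interface: str = "ethernet1/1"   # constructed default


def parse_train(version: str) -> tuple[int, int]:
    """Return (major, minor) from a PAN-OS version string such as '10.2.8-h1'."""
    base = version.split("-", 1)[0]          # drop a hotfix suffix like '-h3'
    parts = base.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return int(parts[0]), int(parts[1])


def is_in_affected_population(fw: Firewall) -> bool:
    """Article's condition: affected train AND GlobalProtect gateway AND telemetry."""
    return (parse_train(fw.panos_version) in AFFECTED_TRAINS
            and fw.globalprotect_gateway
            and fw.device_telemetry)


def missing_mitigations(fw: Firewall) -> list[str]:
    """List which of the article's two interim mitigations are not in place."""
    gaps = []
    if THREAT_ID not in fw.threat_ids_enabled:
        gaps.append(f"Threat ID {THREAT_ID} not enabled")
    if fw.globalprotect_interface not in fw.vuln_protection_interfaces:
        gaps.append(f"no vulnerability protection on {fw.globalprotect_interface}")
    return gaps


def triage(inventory: list[Firewall]) -> dict[str, dict]:
    """Map device name -> {'exposed': bool, 'gaps': [...]}; gaps only for exposed devices."""
    report = {}
    for fw in inventory:
        exposed = is_in_affected_population(fw)
        report[fw.name] = {
            "exposed": exposed,
            "gaps": missing_mitigations(fw) if exposed else [],
        }
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-01", "11.1.2-h3", True, True),                              # exposed, nothing mitigated
    Firewall("edge-fw-02", "10.2.8", True, True, {THREAT_ID}, {"ethernet1/1"}),   # exposed, both mitigations
    Firewall("dc-fw-01", "10.1.11", True, True),                                  # train not listed
    Firewall("branch-fw-01", "11.0.4", True, False),                              # telemetry off
]

if __name__ == "__main__":
    for name, row in triage(SAMPLE_INVENTORY).items():
        status = "EXPOSED" if row["exposed"] else "not in affected population"
        extra = f" -> {', '.join(row['gaps'])}" if row["gaps"] else ""
        print(f"{name}: {status}{extra}")
```

Two caveats for anyone adapting this: the article names release trains, not exact builds, so the precise fixed and affected versions must come from the vendor advisory; and a device that has both mitigations in place is still in the exposed set and, as the article stresses further down, still needs a review for signs of compromise during the window before the mitigations were applied.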

Potential Nation-State Involvement

Security firm Volexity, which uncovered the zero-day attacks, suspects that the sophisticated attackers behind the exploitation could be sponsored by a nation-state, given the resources involved and the organizations targeted. While UTA0218 is currently the primary threat group leveraging the vulnerability, Volexity warns that as awareness of the vulnerability spreads, other threat actors may join in mass exploitation.

Volexity cautions that organizations need to act swiftly: implement the recommended mitigations and review their devices thoroughly for signs of compromise. The urgency stems from the likely surge in attacks by UTA0218 and other threat actors as the window of opportunity narrows while patches and mitigations are deployed.

Timeline of Attacks

The initial attacks exploiting the zero-day vulnerability were detected on March 26, when UTA0218 tested the vulnerability by placing zero-byte files on firewall devices. An attempt on April 7 to install a backdoor was unsuccessful, but by April 10 malicious payloads were being deployed successfully. The threat group has since introduced previously unseen custom post-exploitation malware, including a Python-based backdoor that allows remote command execution on compromised devices.


About Post Author

Chris Jones

Hey there! 👋 I'm Chris, 34 yo from Toronto (CA), I'm a journalist with a PhD in journalism and mass communication. For 5 years, I worked for some local publications as an envoy and reporter. Today, I work as 'content publisher' for InformOverload. 📰🌐 Passionate about global news, I cover a wide range of topics including technology, business, healthcare, sports, finance, and more. If you want to know more or interact with me, visit my social channels, or send me a message.