1,000s of Palo Alto Networks firewalls hijacked as miscreants exploit critical hole

PAN-PAN! Intruders inject web shell backdoors, crypto-coin miners, more

Updated: Thousands of Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched security bugs. The intruders were able to deploy web-accessible backdoors to remotely control the equipment as well as cryptocurrency miners and other malware.

Roughly 2,000 devices had been hijacked as of Wednesday - a day after Palo Alto Networks pushed a patch for the holes - according to Shadowserver and Onyphe. As of Thursday, the number of seemingly compromised devices had dropped to about 800.

The vendor, however, continues to talk only of a "limited number" of exploited installations.

"Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network," according to the supplier's security advisories for the two flaws.

The Register has asked for clarification, including how many compromised devices Palo Alto Networks is aware of, and will update this story if and when we hear back from the vendor.

Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network.

The manufacturer did eventually admit that the firewall-busting vulnerability existed, and had been exploited as a zero-day - but it was still working on a patch.

On Tuesday, PAN issued a fix, and at that time said there were actually two vulnerabilities. The first is a critical (9.3 CVSS) authentication bypass flaw tracked as CVE-2024-0012. The second is a medium-severity (6.9 CVSS) privilege escalation bug tracked as CVE-2024-9474.

The two can be chained together to allow remote code execution (RCE) against the PAN-OS management interface. As Wiz threat researchers explained in a Friday blog about the two bugs:

An attacker with network access to the interface can exploit CVE-2024-0012 to bypass authentication and then leverage CVE-2024-9474 to escalate privileges, ultimately gaining administrator access and executing arbitrary administrative actions.

Wiz says the exploits against the two have been observed since Sunday, and "dramatically increased" after a proof-of-concept exploit went public on Tuesday.

While we don't yet know who is exploiting these vulnerabilities - we've asked Palo Alto Networks about this, too - once the attackers break in, they are using this access to deploy web shells and Sliver implants - both types of backdoor malware that allow systems to be remotely controlled - and/or crypto miners, according to Wiz.

"In multiple instances, we've identified re-use of the same Sliver implant which uses 77.221.158[.]154 as its command-and-control address," the threat intel team wrote. "This IP address has previously resolved the domain censysinspect[.]com, though the domain has since been parked."

The domain also has been used as a command-and-control address for "several" other Sliver implants, some of which have been spotted on other compromised PAN-OS devices, Wiz noted.

"This could indicate that this particular threat actor has been opportunistically compromising PAN-OS devices using various methods over a period of several months, and has also been using them to stage malware," the blog says. ®

Updated to add on November 25

A Palo Alto Networks spokesperson told The Register on Monday the supplier “is actively investigating the scope of impact related to these vulnerabilities.”

Plus, the firewall giant said “it’s crucial” to note that the reported 2,000 hijacked devices is “less than half of one percent of all Palo Alto Networks’ firewalls deployed globally that remain potentially unpatched.”

That said, "even one potentially impacted device is one too many for us.” Indeed, there's a lot of damage that can be done to and by 2,000-ish compromised networks. It's potentially a small army of remote-controllable automated bots and data thieves.

The spokesperson confirmed criminals are attempting to deploy web shells and cryptominers via any unplugged holes, as was suggested by Wiz.

“At this point we can consider there are many actors conducting this activity and there’s no clear correlation lines here to draw to specific actors after the proof of concept went public,” the spokesperson added. “At this point the proof of concept code is fairly widely available so the intelligence focus and better approach is supporting customer investigations.”

And, here’s what customers need to do:

  • Verify NGFW configuration: Confirm that the NGFW management interface is not accessible from the Internet (this is a best practice but some choose this setting)
  • Review and enforce Secure Administrative Access: Ensure access to all management interfaces is restricted to authorized personnel using strong, unique passwords, and multi-factor authentication. Reference our best practice guidance here.
  • Monitor: Closely monitor system logs for any suspicious activity.
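The "Monitor" step above and the Sliver command-and-control indicators Wiz reported earlier in the story (77.221.158[.]154 and censysinspect[.]com) can be combined into a simple egress-log sweep. This is an added example, not code from Palo Alto Networks, Wiz or The Register; the log line format is a constructed placeholder, not a real PAN-OS log format, and the only indicators used are the ones quoted on this page.

```python
import re

# Indicators quoted from the Wiz findings on this page, kept defanged in the source.
SLIVER_C2_IPS = {"77.221.158[.]154"}
SLIVER_C2_DOMAINS = {"censysinspect[.]com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4', 'hxxp://...') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {refang(i) for i in SLIVER_C2_IPS}
C2_DOMAINS = {refang(d) for d in SLIVER_C2_DOMAINS}

# Constructed sample egress records in a made-up "ts src -> dst:port [host=...]" shape.
# Line 2 is a direct connection to the C2 IP; line 3 is a DNS lookup of the C2 domain.
SAMPLE_EGRESS_LOG = """\
2024-11-20T10:01:02Z 10.0.5.10 -> 93.184.216.34:443 host=example.com
2024-11-20T10:01:09Z 10.0.5.10 -> 77.221.158.154:443
2024-11-20T10:02:11Z 10.0.5.12 -> 10.0.0.1:53 host=censysinspect.com
2024-11-20T10:03:44Z 10.0.5.10 -> 8.8.8.8:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)"
    r"(?:\s+host=(?P<host>\S+))?"
)


def find_c2_hits(log_text: str) -> list:
    """Return (timestamp, source, kind, indicator) for every line touching a known C2 IP or domain.

    Domain matching also catches subdomains of the listed C2 domain, so a lookup
    of 'api.censysinspect.com' would be flagged as well.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the sample format
        dst, host = m["dst"], m["host"]
        if dst in C2_IPS:
            hits.append((m["ts"], m["src"], "ip", dst))
        if host and (host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS)):
            hits.append((m["ts"], m["src"], "domain", host))
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_EGRESS_LOG):
        print("C2 indicator hit:", hit)
```

Each hit identifies the internal source address that reached a known Sliver C2 endpoint, which is the device to pull off the network and examine for web shells and implants first.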
