Attackers have compromised around 2,000 Palo Alto Networks firewalls by leveraging the two recently patched zero-days (CVE-2024-0012 and CVE-2024-9474), Shadowserver Foundation’s internet-wide scanning has revealed.
Compromised devices are predominantly located in the US and India, the nonprofit says.
Manual and automated scanning activity has been spotted
Approximately two weeks ago, Palo Alto Networks warned that attackers have been spotted leveraging a zero-day flaw to achieve remote code execution on vulnerable devices, and advised admins to make sure that access to the devices’ management interfaces was appropriately secured.
On Monday, the company confirmed that two zero-days were under exploitation: CVE-2024-0012, which allows unauthenticated access to the management interface, and CVE-2024-9474, which allows attackers to escalate their privileges to root on compromised Palo Alto Networks firewalls. The company also confirmed that attackers have been dropping webshells on those devices.
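Because the chain starts with reaching the management interface, the first thing to verify is who is allowed to reach it. The following audit script is an added example, not code from Palo Alto Networks or from the article; it assumes a PAN-OS configuration export where the management allow-list sits under `deviceconfig/system/permitted-ip` (the sample XML is constructed) and flags a missing allow-list or an entry that admits any source.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS configuration export. Assumed layout: the
# management interface allow-list lives under deviceconfig/system/permitted-ip.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip>
            <entry name="10.20.0.0/24"/>
            <entry name="0.0.0.0/0"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""


def audit_mgmt_access(config_xml: str) -> dict:
    """Return the configured management allow-list and a list of findings.

    A finding is raised when no allow-list exists at all, when an entry
    covers every source address, or when an entry is a public range that
    should be confirmed as a trusted management host.
    """
    root = ET.fromstring(config_xml)
    permitted = [e.get("name")
                 for e in root.iterfind(".//deviceconfig/system/permitted-ip/entry")]
    findings = []
    if not permitted:
        findings.append("no permitted-ip allow-list: management interface accepts any source")
    for cidr in permitted:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"permitted-ip {cidr} admits every source address")
        elif not net.is_private:
            findings.append(f"permitted-ip {cidr} is a public range; confirm it is a trusted host")
    return {"permitted": permitted, "findings": findings}


if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
```

Run it against a real exported configuration (`show config running` output saved as XML) and treat any finding as a reason to restrict the interface to known management hosts before checking for the indicators of compromise.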
WatchTowr researchers followed that by publishing an analysis of how the two bugs can be used in concert and a Nuclei template that admins could leverage to check whether their devices are affected by them.
In the meantime, the attacks continued and Palo Alto thinks they may escalate.
“At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity,” the company’s incident responders have shared on Wednesday.
“Unit 42 has also observed both manual and automated scanning activity aligning with the timeline of third-party artifacts becoming widely available.”
Palo Alto Networks continues adding new indicators of compromise associated with these attacks.
The company has additionally revealed that the two vulnerabilities also affect its Panorama (firewall management) appliances, as well as its WildFire appliances, which are used for setting up sandbox systems to analyze suspicious files. (Those appliances are also running PAN-OS.)
Affected organizations are advised to check the security advisories for remediation guidance.