Palo Alto Networks firewall

Experts warn of Palo Alto firewall exploitation after 2,000 compromises spotted

Thousands of Palo Alto Networks firewalls have been compromised after two new vulnerabilities were disclosed earlier this month. 

Researchers at the U.K.-based Shadowserver Foundation said Thursday they found about 2,000 Palo Alto Networks firewalls breached worldwide, with hundreds in the U.S. and India affected. 

The hackers exploited CVE-2024-0012 and CVE-2024-9474 — two recently disclosed vulnerabilities. For nearly two weeks, experts have raised alarms about potential attacks after Palo Alto Networks released an advisory on the issues, which affect the company’s Next-Generation Firewalls (NGFW) management interfaces and can allow an intruder to take over systems.

Since then, Palo Alto’s own security team, Unit 42, and researchers at Arctic Wolf have confirmed that hackers compromised systems using the two vulnerabilities. Palo Alto Networks released fixes for both vulnerabilities earlier this week and urged customers to restrict access to the devices. The company said a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available.

Arctic Wolf said on Friday that in multiple intrusions it has observed, hackers sought to exfiltrate sensitive data from the firewall devices, including configuration files, which contain credentials that allow deeper access to networks. 

Some attempts were made to steal operating system passwords and other files, according to Arctic Wolf. 

Palo Alto Networks said it is still investigating ongoing attacks that chain the two vulnerabilities together. In some instances, the hackers have dropped malware into affected systems. 

The Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies to patch the vulnerabilities by December 9 and confirmed that it has seen evidence of both being exploited. 

Elad Luz, head of research at Oasis Security, said Palo Alto customers need to immediately restrict access to the devices and only allow internal IP addresses to access them. 

“The numbers reported by Shadowserver are very concerning, indicating that 7% of customers were compromised. With such a high ratio, it is essential not only to patch, but also to ensure that the device is free from any potential malware that may have been dropped or malicious configurations that may have been applied,” Luz said. 

“We strongly recommend that users review their firewall configurations after applying the patch to ensure nothing has been altered. Finally, users should check their audit logs for administrator activity to determine if a threat actor used the web interface for any malicious actions.”
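The two post-patch checks above, restricting management access to internal addresses and reviewing audit logs for administrator activity, can be scripted. The following is an added example, not code from the article or from Palo Alto Networks: it reads a constructed, simplified admin-activity log (not the real PAN-OS log format) and flags web-interface activity from non-internal sources as well as any export of the configuration file, which the article notes carries credentials. The RFC 1918 ranges used as "internal" are an assumption.

```python
import ipaddress
import re

# Assumption: management access is meant to be limited to RFC 1918 space.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format for this example; it is NOT the real PAN-OS log format.
LINE_RE = re.compile(r"^(?P<ts>\S+) admin=(?P<admin>\S+) src=(?P<src>\S+) "
                     r"action=(?P<action>\S+) detail=(?P<detail>.*)$")

# Constructed sample entries: routine internal work, then an external session.
SAMPLE_LOG = """\
2024-11-20T09:12:01Z admin=netops src=10.20.30.5 action=login detail=web-ui
2024-11-20T09:14:40Z admin=netops src=10.20.30.5 action=config-commit detail=rule-update
2024-11-21T02:03:11Z admin=admin src=203.0.113.77 action=login detail=web-ui
2024-11-21T02:03:52Z admin=admin src=203.0.113.77 action=config-commit detail=new-admin-account
2024-11-21T02:05:19Z admin=admin src=203.0.113.77 action=file-export detail=running-config.xml
2024-11-21T08:30:00Z admin=netops src=10.20.30.5 action=file-export detail=running-config.xml
"""

def is_internal(ip_text):
    """True if the source address falls inside one of the allowed internal networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(ip in net for net in INTERNAL_NETWORKS)

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Return (reason, event) pairs worth a reviewer's attention: any admin
    activity from a non-internal source, and any export of the configuration
    file even from inside, since the config carries credentials."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not is_internal(ev["src"]):
            findings.append(("external-source", ev))
        elif ev["action"] == "file-export" and "config" in ev["detail"]:
            findings.append(("config-export", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in find_suspicious(SAMPLE_LOG):
        print(f"{reason:16} {ev['ts']} {ev['admin']}@{ev['src']} {ev['action']} {ev['detail']}")
```

Internal config exports are reported separately so they can be matched against change tickets rather than treated as intrusions outright.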

Keeper Security’s Patrick Tiquet warned that the most immediate danger is attackers taking full control over affected firewalls, compromising the very systems designed to protect sensitive networks. 

“This opens the door for malware deployment, data theft, lateral movement within the network and even complete network shutdowns. For organizations relying on these firewalls, this could mean business disruption, loss of sensitive data and exposure to regulatory and financial consequences,” he explained. 

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.