Palo Alto Networks releases fixes for zero-day as attackers swarm VPN vulnerability
Palo Alto Networks has released fixes for a zero-day vulnerability affecting its GlobalProtect VPN product that is being targeted following its disclosure last week.
Hotfixes for the vulnerability — labeled CVE-2024-3400 — were published on Sunday, as promised in an urgent notice about the bug on Friday morning. The zero-day carries the highest possible severity score of 10.
Security company Volexity, which Palo Alto credited with discovering the bug, said it “is highly likely” the attacker behind the exploitation is a state-backed threat actor and that the first attacks date back to at least March 26.
Palo Alto said it is “aware of a limited number of attacks,” and Volexity detailed at least six incidents in its rundown of how the bug was initially found.
Multiple cybersecurity experts said that since Friday’s notice, attackers have swarmed the vulnerability seeking to exploit it — something Volexity warned of in its blog post on Friday.
Researchers found thousands of vulnerable instances of the tool exposed to the internet around the world, and one cybersecurity company said it saw “actors possibly associated with BianLian/Lazarus” targeting the vulnerability.
Yaron Kassner, co-founder of cybersecurity firm Silverfort, told Recorded Future News that the vulnerability is a boon to attackers because the devices are accessible from the internet and allow entry into victim networks — enabling hackers to move laterally once inside.
“Silverfort is seeing increased attacker activity following the publication of CVE-2024-3400,” he said.
“Once the attacker compromises the device, the next stage is to move laterally to gain access to sensitive assets inside the network, as reported by Volexity. The attackers need credentials to do it, and they naturally used the same service account used by GlobalProtect.”
The Cybersecurity and Infrastructure Security Agency (CISA) added the VPN flaw to its list of known exploited vulnerabilities almost immediately, signaling urgency in the need for federal agencies to patch the bug.
Palo Alto Networks’ own security team, Unit 42, attributed the initial targeting of the vulnerability to a single threat actor but noted that “additional threat actors may attempt exploitation in the future.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.