Palo Alto Networks warns of zero-day in VPN product

Editor’s Note: Story updated 2:55 p.m. Eastern with information from Volexity.

Cybersecurity giant Palo Alto Networks is alerting customers that a zero-day vulnerability in its firewall tool is being exploited by hackers.

The company released an advisory on Friday morning about CVE-2024-3400, a vulnerability in the GlobalProtect VPN feature of its PAN-OS firewall software. The bug carries the highest severity score possible, a CVSS score of 10.

Palo Alto Networks said that it “is aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

The company did not respond to requests for comment about how many customers were affected, where they are based or who was behind the attacks.

A patch will be available to customers by Sunday, the advisory said. In the meantime, Palo Alto Networks provided several mitigations customers can take to protect themselves.

The bug was discovered by researchers at cybersecurity firm Volexity. That company’s president, Steven Adair, said on social media that it had discovered the initial attacks two days earlier.

The Cybersecurity and Infrastructure Security Agency (CISA) added the VPN flaw to its list of known exploited vulnerabilities almost immediately, signaling urgency in the need for federal agencies to patch the bug. 

In a rare move, CISA gave federal civilian agencies just seven days to apply mitigations, a shortened timeline compared to the three weeks given for most bugs.

VPN products have become frequent targets for attack by threat actors in recent years due to the expansion of remote work and the widespread use of the tools among governments.

Palo Alto Networks was previously hit in 2022 by a vulnerability in its firewall product that was abused to carry out a distributed denial-of-service (DDoS) attack.

Volexity: State-backed actor likely behind exploitation

Volexity published an advisory about the issue that said it is “highly likely” the attacker behind the exploitation is a state-backed threat actor.

The researchers made this assessment “based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”

The advisory provides a deep dive into CVE-2024-3400, explaining that Volexity discovered hackers exploiting the bug on a customer’s system on Wednesday before seeing another customer attacked on Thursday.  

The attacker exported data from the exploited device and then attempted to use it as an entry point to move laterally within the organization. Volexity expanded its investigation and discovered that multiple customers and other organizations were attacked through the bug going back to March 26. 

For the first few days the hackers appeared to be testing whether the vulnerability could be exploited; they attempted to use it in earnest on April 7 but were only successful starting on Wednesday, April 10.

Once devices were exploited, the hackers stole “credentials and other files that would enable access during and potentially after the intrusion.”

“The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives,” the company said. 

“Volexity is not currently able to provide an estimate as to the scale of exploitation taking place. It is likely the firewall device exploitation, followed by hands-on-keyboard activity, was limited and targeted. However, as noted previously, evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems does appear to have occurred at the time of writing.”

Several of the attacks involved a backdoor Volexity named “UPSTYLE,” and in many instances the hackers stole saved cookies and login data. Beyond that backdoor, the hackers were not seen deploying additional malware, which Volexity attributes to the rapid detection of the issue.

The hackers used a variety of infrastructure, including potentially compromised ASUS routers and a compromised Amazon Web Services bucket, to access and store malicious files. The infrastructure “does not have any overlaps with other threat actors” the researchers are currently tracking. 

Volexity warned that due to the publicity around the bug, there will likely be a spike in exploitation observed over the next few days — both by the group the company is tracking and others who may develop exploits. 

“This spike in activity will be driven by the urgency of this window of access closing due to mitigations and patches being deployed,” they said. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.