Over 2,000 Palo Alto Networks Firewalls Hacked via Zero-Day Vulnerabilities

26th November 2024 | Advisory

Cybercriminals have found a way to hack thousands of Palo Alto Networks firewalls. Over 2,000 devices have been compromised using two newly discovered vulnerabilities. These flaws allow attackers to gain full control of the affected firewalls.

Let’s break this down and explore how this happened, why it matters, and how to protect your systems.

What Happened?

Hackers exploited two security flaws in Palo Alto Networks’ firewalls. These flaws, called zero-day vulnerabilities, are weaknesses discovered before the company can fix them. The vulnerabilities are:

CVE-2024-0012: This lets attackers bypass login requirements and gain administrative access.
CVE-2024-9474: This allows hackers to execute commands with the highest level of access, known as “root-level.”

These flaws were officially disclosed last week after being flagged by Palo Alto Networks on November 8. Hackers used them together to create an exploit chain, granting them complete control of devices.

How Did Hackers Exploit These Firewalls?

The attackers used anonymous VPN services to hide their identities. They targeted the firewalls’ management web interfaces, which are the control panels administrators use to manage firewalls.

Once inside, they deployed malware and ran dangerous commands. Shadowserver, a free threat monitoring platform, confirmed that over 2,000 devices have been compromised so far.

Why Does This Matter?

Firewalls protect your network by blocking unauthorized access. When attackers gain control of firewalls, they can:

Use subtle exemptions to allow specific innocuous looking hacker traffic through the firewall to avoid detection and cause maximum harm.
Disable security features: Attackers can turn off protections, leaving networks exposed to other threats.
Deploy malware: Hackers can use the compromised firewall to spread harmful software across a network.
Steal sensitive data: Hackers can monitor and intercept traffic going through compromised firewalls.

This is why these vulnerabilities have been labeled “critical.”

What Is Being Done About It?

1. Government Action:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies must patch affected systems by December 9.

2. Palo Alto Networks’ Response:

The company urged customers to restrict access to the firewalls’ management interfaces. They also advised updating software to patch the vulnerabilities immediately.

3. Ongoing Investigation:

Palo Alto Networks is investigating the attack and confirmed that public exploit tools are already available. This increases the risk of further attacks.

How to Protect Your Network

If your organization uses Palo Alto Networks firewalls, take these steps to secure them:

Apply Security Patches: Update your firewalls to the latest version as soon as possible. Vendor patches fix the vulnerabilities hackers are exploiting in these recent attacks.
Restrict Management Access: Limit access to the firewall’s management web interface. Only trusted internal IP addresses should be able to connect. This is a best practice for all Internet ports and protocols.
Monitor Your Network: Watch for unusual activity on your firewalls. Use network monitoring tools to detect signs of compromise.
Follow Best Practices:
○ Use strong, long (15+), unique passwords.
○ Enable multi-factor authentication (MFA) for added security.
○ Regularly review and audit firewall settings.
Seek Expert Help: If you suspect a breach, consult cybersecurity professionals to assess and secure your systems.

What’s Next?

Palo Alto Networks is working to address the issue and has provided guidance for securing firewalls. However, the availability of public exploit tools means the risk isn’t going away soon. Organizations must act swiftly to protect their networks.

This incident is a sobering reminder of how critical it is to keep systems up-to-date and follow cybersecurity best practices such as protecting all administrative access to limited internal networks (not even VPNs!). Firewalls are your network’s first line of defense, and compromising them can open the door to devastating attacks.

Don’t wait for hackers to strike. Patch your systems, secure your access, and stay one step ahead of cyber threats.