Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign

Avatar
As many as 2,000 Palo Alto Networks devices are estimated to have been compromised as part of a campaign abusing the newly disclosed security flaws that have come under active exploitation in the wild. According to statistics shared by the Shadowserver Foundation, a majority of the infections have been reported in the U.S. (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia

As many as 2,000 Palo Alto Networks devices are estimated to have been compromised as part of a campaign abusing the newly disclosed security flaws that have come under active exploitation in the wild.

According to statistics shared by the Shadowserver Foundation, a majority of the infections have been reported in the U.S. (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the U.K. (39), Peru (36), and South Africa (35).

Earlier this week, Censys revealed that it had identified 13,324 publicly exposed next-generation firewall (NGFW) management interfaces, with 34% of these exposures located in the U.S. However, it’s important to note that not all of these exposed hosts are necessarily vulnerable.

The flaws in question, CVE-2024-0012 (CVSS score: 9.3) and CVE-2024-9474 (CVSS score: 6.9), are a combination of authentication bypass and privilege escalation that could allow a bad actor to perform malicious actions, including modifying configurations and executing arbitrary code.

Palo Alto Networks, which is tracking the initial zero-day exploitation of the flaws under the name Operation Lunar Peek, said they are being weaponized to achieve command execution and drop malware, such as PHP-based web shells, on hacked firewalls.

The network security vendor has also warned that cyber attacks targeting the security flaws are likely to escalate following the availability of an exploit combining them.

To that end, it said it “assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity.”

It further noted that it has observed both manual and automated scanning activity, necessitating that users apply the latest fixes as soon as possible and secure access to the management interface as per recommended best practice deployment guidelines.

This particularly includes restricting access to only trusted internal IP addresses to prevent external access from the internet.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

Next Post

Gambling and lottery giant disrupted by cyberattack, working to bring systems back online

Related Posts

New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that is a variant of the leaked Mirai botnet source code. Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024. No less than 20,000 commands designed
Avatar
Read More