Palo Alto Networks’ firewall bug under attack brings fresh havoc to thousands of companies

Palo Alto Networks urged companies this week to patch against a newly discovered zero-day vulnerability in one of its widely used security products after malicious hackers began exploiting the bug to break into corporate networks.

The vulnerability is officially known as CVE-2024-3400 and was found in the newer versions of the PAN-OS software that runs on Palo Alto’s GlobalProtect firewall products. Because the vulnerability allows hackers to gain complete control of an affected firewall over the internet without authentication, Palo Alto gave the bug a maximum severity rating. The ease with which hackers can remotely exploit the bug puts thousands of companies that rely on the firewalls at risk from intrusions.

Palo Alto said customers should update their affected systems, warning that the company is “aware of an increasing number of attacks” that exploit this zero-day — described as such because the company had no time to fix the bug before it was maliciously exploited. Adding another complication, Palo Alto initially suggested disabling telemetry to mitigate the vulnerability, but said this week that disabling telemetry does not prevent exploitation.

The company also said there is public proof-of-concept code that allows anyone to launch attacks exploiting the zero-day.

The Shadowserver Foundation, a nonprofit organization that collects and analyzes data on malicious internet activity, said its data shows there are more than 156,000 potentially affected Palo Alto firewall devices connected to the internet, representing thousands of organizations.

Security firm Volexity, which first discovered and reported the vulnerability to Palo Alto, said it found evidence of malicious exploitation going back to March 26, some two weeks before Palo Alto released fixes. Volexity said a government-backed threat actor that it calls UTA0218 exploited the vulnerability to plant a back door and further access its victims’ networks. The government or nation-state that UTA0218 works for is not yet known.

Palo Alto’s zero-day is the latest in a raft of vulnerabilities discovered in recent months targeting corporate security devices — like firewalls, remote access tools and VPN products. These devices sit at the edge of a corporate network and function as digital gatekeepers but have a propensity to contain severe vulnerabilities that render their security and defenses moot.

Earlier this year, security vendor Ivanti fixed several critical zero-day vulnerabilities in its VPN product, Connect Secure, which allows employees remote access to a company’s systems over the internet. At the time, Volexity linked the intrusions to a China-backed hacking group, and mass exploitation of the flaw quickly followed. Given the widespread use of Ivanti’s products, the U.S. government warned federal agencies to patch their systems and the U.S. National Security Agency said it was tracking potential exploitation across the U.S. defense industrial base.

And the technology company ConnectWise, which makes the popular screen-sharing tool ScreenConnect used by IT admins for providing remote technical support, fixed vulnerabilities that researchers deemed “embarrassingly easy to exploit” and also led to the mass exploitation of corporate networks.

Read more on TechCrunch:

• A crypto wallet maker’s warning about an iMessage bug sounds like a false alarm
• Price of zero-day exploits rises as companies harden products against hackers
• NSA says it’s tracking Ivanti cyberattacks as hackers hit US defense sector
• Researchers warn high-risk ConnectWise flaw under attack is ’embarrassingly easy’ to exploit