Palo Alto Networks’ firewall bug under attack brings fresh havoc to thousands of companies

Palo Alto Networks this week urged companies to patch a recently discovered zero-day vulnerability in one of its widely used security products, after malicious hackers began exploiting the bug to break into corporate networks.

The vulnerability is officially known as CVE-2024-3400 and was found in the most recent versions of the PAN-OS software that runs on Palo Alto’s GlobalProtect firewall products. Because the vulnerability allows hackers to take full control of an affected firewall over the Internet without authentication, Palo Alto has assigned the bug a maximum severity rating. The ease with which hackers can exploit the bug remotely puts thousands of businesses that rely on the firewalls at risk of intrusion.

Palo Alto said customers should update their affected systems, warning that the company is “aware of a growing number of attacks” that exploit this zero-day (so called because the company had no time to fix the bug before it was maliciously exploited). Adding another complication, Palo Alto initially suggested turning off telemetry to mitigate the vulnerability, but said this week that turning off telemetry does not prevent exploitation.

The company also said that there is public proof-of-concept code that allows anyone to launch attacks exploiting the zero-day.

The Shadowserver Foundation, a nonprofit that collects and analyzes data on malicious activity on the Internet, said its data shows there are more than 156,000 potentially affected Palo Alto firewalls connected to the Internet, representing thousands of organizations.

Security firm Volexity, which first discovered and reported the Palo Alto vulnerability, said it found evidence of malicious exploitation dating back to March 26, about two weeks before Palo Alto released patches. Volexity said a government-backed threat actor called UTA0218 exploited the vulnerability to install a backdoor and gain further access to its victims’ networks. The government or nation state that UTA0218 works for is not yet known.

This Palo Alto zero-day is the latest in a series of vulnerabilities discovered in recent months that target enterprise security devices, such as firewalls, remote access tools and VPN products. These devices sit at the edge of an enterprise network and function as digital gatekeepers, but tend to contain serious vulnerabilities that render their security and defenses moot.

Earlier this year, security vendor Ivanti patched several critical zero-day vulnerabilities in its VPN product, Connect Secure, which allows employees to remotely access a company’s systems over the Internet. At the time, Volexity linked the intrusions to a Chinese-backed hacker group, and mass exploitation of the flaw quickly followed. Given the widespread use of Ivanti products, the US government has warned federal agencies to update their systems, and the US National Security Agency has said it is monitoring their potential exploitation across the US defense industrial base.

And technology company ConnectWise, which makes the popular ScreenConnect screen sharing tool used by IT administrators to provide remote technical support, fixed vulnerabilities that researchers deemed “embarrassing and easy to exploit” and that also led to the mass exploitation of corporate networks.


techcrunch
