Palo Alto Networks urged companies this week to patch a newly discovered zero-day vulnerability in one of its widely used security products after malicious hackers began exploiting the flaw to break into corporate networks.
The vulnerability is officially known as CVE-2024-3400 and was found in newer versions of the PAN-OS software running on Palo Alto’s GlobalProtect firewall products. Because the vulnerability allows hackers to gain full control of an affected firewall over the Internet without authentication, Palo Alto gave the bug a maximum severity rating. The ease with which hackers can remotely exploit the flaw puts thousands of companies that rely on the firewalls at risk of intrusions.
Palo Alto said customers should update their affected systems, warning that the company is “aware of an increasing number of attacks” exploiting this zero-day – described as such because the company didn’t have time to fix the bug before it was maliciously exploited. Adding another complication, Palo Alto initially suggested disabling telemetry to mitigate the vulnerability, but said this week that disabling telemetry does not prevent the exploit.
The company also said there is public proof-of-concept code that allows anyone to launch zero-day attacks.
The Shadowserver Foundation, a non-profit organization that collects and analyzes data on malicious activity online, said its data shows there are more than 156,000 potentially affected Palo Alto firewall devices connected to the internet, representing thousands of organizations.
Security company Volexity, which first discovered and reported the vulnerability in Palo Alto, said it found evidence of the exploit dating back to March 26, about two weeks before Palo Alto released fixes. Volexity said a government-sponsored threat actor it calls UTA0218 exploited the vulnerability to create a backdoor and gain further access to its victims’ networks. The government or nation state that UTA0218 works for is not yet known.
The Palo Alto zero-day is the latest in a series of vulnerabilities discovered in recent months targeting corporate security devices — such as firewalls, remote access tools and VPN products. These devices sit at the edge of a corporate network and act as digital gatekeepers, but they tend to contain serious vulnerabilities that call their security and defensive value into question.
Earlier this year, security vendor Ivanti patched several critical zero-day vulnerabilities in its VPN product, Connect Secure, which allows employees to remotely access a company’s systems over the Internet. At the time, Volexity linked the intrusions to a Chinese-backed hacking group, and mass exploitation of the flaw quickly followed. Given the widespread use of Ivanti’s products, the US government warned federal agencies to patch their systems, and the US National Security Agency said it was monitoring potential exploitation across the US defense industrial base.
And technology company ConnectWise, which makes the popular screen-sharing tool ScreenConnect used by IT administrators to provide remote technical support, patched vulnerabilities that researchers deemed “embarrassingly easy to exploit” and that also led to mass exploitation of corporate networks.
Read more at TechCrunch: