Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Networks firewall devices. The attacks likely exploit the recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C2 framework and coinminer binaries. Threat actors injected malicious commands into firewall login attempts, deployed PHP webshells, exfiltrated sensitive configuration files and credentials, and in some cases installed XMRig cryptocurrency miners. The campaign demonstrates rapid exploitation of newly disclosed vulnerabilities in perimeter devices. Defenders are advised to implement robust external monitoring, restrict management interfaces, and patch vulnerable systems promptly.
Author: AlienVault
Related Tags:
palo alto networks
Sliver C2
cve-2024-0012
cve-2024-9474
vulnerability exploitation
T1074.001
T1070.006
T1003.008
T1070.003
Associated Indicators:
107.191.48.109
38.60.214.5
38.180.147.18
180.210.220.139
95.164.5.41
156.244.14.127
77.221.158.154
143.198.1.178
46.8.226.75