#### [CSO](/security/cso/)

1000s of Palo Alto Networks firewalls hijacked as miscreants exploit critical hole
=================================================================================

PAN-PAN! Intruders inject web shell backdoors, crypto-coin miners, more
-----------------------------------------------------------------------

[Jessica Lyons](/Author/Jessica-Lyons) Fri 22 Nov 2024 // 21:27 UTC

Thousands of Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched security bugs. The intruders were able to deploy web-accessible backdoors to remotely control the equipment, as well as cryptocurrency miners and other malware.

Roughly 2,000 devices had been hijacked as of Wednesday – a day after Palo Alto Networks pushed a patch for the holes – according to [Shadowserver](https://bsky.app/profile/shadowserver.bsky.social/post/3lbh6k7p7pc27) and [Onyphe](https://bsky.app/profile/onyphe.bsky.social/post/3lbcv5ngbys2m). As of Thursday, the number of seemingly compromised devices had dropped to [about 800](https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2024-11-21&source=compromised_website&source=compromised_website6&tag=panos-compromised%2B&geo=all&data_set=count&scale=log).

The vendor, however, continues to talk only of a "limited number" of exploited installations.

"Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network," according to the supplier's security advisories for the two flaws.

*The Register* has asked for clarification, including how many compromised devices Palo Alto Networks is aware of, and will update this story if and when we hear back from the vendor.

Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network.

The manufacturer did eventually [admit](https://www.theregister.com/2024/11/15/palo_alto_networks_firewall_zeroday/) that the firewall-busting vulnerability existed, and had been exploited as a zero-day – but it was still working on a patch.

On Tuesday, PAN issued a fix, and at that time said there were actually [two vulnerabilities](https://www.theregister.com/2024/11/19/palo_alto_networks_patches/). The first is a critical (9.3 CVSS) authentication bypass flaw tracked as [CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012). The second is a medium-severity (6.9 CVSS) privilege escalation bug tracked as [CVE-2024-9474](https://security.paloaltonetworks.com/CVE-2024-9474).

The two can be chained together to allow remote code execution (RCE) against the PAN-OS management interface. As Wiz threat researchers [explained](https://www.wiz.io/blog/cve-2024-0012-pan-os-vulnerability-exploited-in-the-wild) in a Friday blog about the two bugs:

> An attacker with network access to the interface can exploit CVE-2024-0012 to bypass authentication and then leverage CVE-2024-9474 to escalate privileges, ultimately gaining administrator access and executing arbitrary administrative actions.

Wiz says the exploits against the two have been observed since Sunday, and "dramatically increased" after a proof-of-concept [exploit](https://github.com/rapid7/metasploit-framework/pull/19663) went public on Tuesday.

While we don't yet know who is exploiting these vulnerabilities – we've asked Palo Alto Networks about this, too – once the attackers break in, they are using this access to deploy web shells, Sliver implants, and/or crypto miners, according to Wiz.

"In multiple instances, we've identified re-use of the same Sliver implant ([b4378712adf4c92a9da20c0671a06d53cbd227c8](https://www.virustotal.com/gui/file/a3092bfa4199def7fc525465895ee3784c6fcf55f0a7e9c8436c027e0f41cb4b)) which uses 77.221.158[.]154 as its C2 address," the threat intel team wrote. "This IP address has previously resolved the domain censysinspect[.]com, though the domain has since been parked."

The domain has also been used as a command-and-control address for "several" other Sliver implants, some of which have been spotted on other compromised PAN-OS devices, Wiz noted.

"This could indicate that this particular threat actor has been opportunistically compromising PAN-OS devices using various methods over a period of several months, and has also been using them to stage malware," the blog says. ®
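As an added example (not code from the article, Wiz or Palo Alto Networks), the script below refangs the three indicators quoted above and matches them against constructed firewall traffic, DNS and file-hash log lines; the log format is an assumption, and a hit on a device's own management-plane telemetry is a reason to treat that firewall as compromised rather than merely unpatched.

```python
import re

# Indicators as published in the Wiz write-up quoted above: the reused Sliver
# implant's SHA-1, its C2 IP, and the domain that IP previously resolved.
# Kept defanged exactly as reported; refang() makes them matchable.
REPORTED_IOCS = {
    "sha1": ["b4378712adf4c92a9da20c0671a06d53cbd227c8"],
    "ip": ["77.221.158[.]154"],
    "domain": ["censysinspect[.]com"],
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)
# Last label must be alphabetic so dotted IPs are not mistaken for domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a literal value."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def build_watchlist(iocs: dict) -> dict:
    return {kind: {refang(v) for v in vals} for kind, vals in iocs.items()}


def scan_line(line: str, watchlist: dict) -> list:
    """Return (kind, value) pairs for every watchlisted indicator in a line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in watchlist["ip"]:
            hits.append(("ip", ip))
    for digest in SHA1_RE.findall(line):
        if digest.lower() in watchlist["sha1"]:
            hits.append(("sha1", digest.lower()))
    for dom in DOMAIN_RE.findall(line):
        dom = dom.lower()
        # The domain itself or any subdomain of it counts as a match.
        if any(dom == w or dom.endswith("." + w) for w in watchlist["domain"]):
            hits.append(("domain", dom))
    return hits


def scan_logs(lines, iocs=REPORTED_IOCS):
    """Return (line number, line, hits) for each line with at least one hit."""
    watchlist = build_watchlist(iocs)
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line, watchlist)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines (not real telemetry); only lines 1, 2 and 4 hit.
SAMPLE_LOGS = [
    "2024-11-20T03:14:07Z traffic src=10.0.5.2 dst=77.221.158.154 dport=443 action=allow",
    "2024-11-20T03:14:09Z dns query=censysinspect.com type=A client=10.0.5.2",
    "2024-11-20T03:15:00Z traffic src=10.0.5.2 dst=93.184.216.34 dport=443 action=allow",
    "2024-11-20T03:16:21Z file sha1=B4378712ADF4C92A9DA20C0671A06D53CBD227C8 path=/tmp/x",
    "2024-11-20T03:17:45Z dns query=updates.example.net type=A client=10.0.5.3",
]

if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

Exact-match indicators age quickly (the article notes the domain is already parked), so a clean scan does not show a device is clean.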