Thousands of Palo Alto Networks Firewalls Compromised
Allowing these attacks to progress could lead to more severe consequences.
Threat actors have exploited two zero-day vulnerabilities discovered in Palo Alto Networks firewall devices.
Arctic Wolf Labs is tracking intrusions across a range of industries involving Palo Alto Networks firewall devices. Earlier this week, Palo Alto Networks disclosed two vulnerabilities in the operating system used on the firewall devices. Palo Alto Networks has released patches for the vulnerabilities.
According to the ShadowServer Foundation, thousands of Palo Alto Networks firewalls have been compromised via the vulnerabilities.
Palo Alto Networks sent us the following statement:
"It's important to understand the scale of our device ecosystem, which comprises hundreds of thousands of firewalls. While reports have circulated suggesting a specific number of impacted devices, it's crucial to note that 2,000 represents less than half of 1% of all Palo Alto Networks firewalls deployed globally that remain potentially unpatched. That said, even one potentially impacted device is one too many for us. This is why Palo Alto Networks has been relentless in its communications with customers to help secure their firewalls."
While widespread exploit attempts were not observed until after the vulnerability was publicly disclosed on Nov. 19, Palo Alto Networks said it's actively helping customers who were unable to take mitigating action in time and require additional support.
“When these vulnerabilities are exploited, we’ve observed a variety of activities, including exfiltration of device configurations and credentials, along with the deployment of various payloads including coinminers, botnet malware, PHP webshells and C2 frameworks,” Arctic Wolf Labs said. “While we’ve managed to intervene early when we’ve seen such activities occurring, allowing attacks to progress further in the cyber kill chain could lead to more severe consequences, such as ransomware attacks and disclosure of sensitive information.”
Targeting Misconfigured Palo Alto Networks Devices
Threat actors are likely to target organizations using Palo Alto Networks devices that are misconfigured, and organizations without strong external monitoring and alerting for perimeter devices are at a higher risk of severe consequences from an intrusion, according to Arctic Wolf Labs.
“The first priority should be to ensure that firewall devices are not configured to expose their management interfaces on the public internet while ensuring that access is limited to trusted internal IP addresses,” the company said. “If this is neglected, organizations are at risk of not just this vulnerability, but potentially others in the future as well. This is in line with what Palo Alto Networks recommends. To facilitate an early response and stop these attacks before they become a major problem, external monitoring and alerting should be used for perimeter devices. Organizations should also pay close attention to unusual HTTP activity on such devices as it emerges, as described in our research.”
If these vulnerabilities remain unpatched in an organization’s environment, further exploitation could occur, Arctic Wolf Labs said.
“The threat activity we’ve described here only scratches the surface of how threat actors could leverage these vulnerabilities,” it said. “Beyond this vulnerability, we’ve seen a high amount of interest amongst threat actors to compromise firewalls and VPN gateway devices. We expect that trend to continue well into the coming year. There is no magic bullet to make these threats disappear, but organizations would benefit from proactive auditing and hardening of their security configurations to minimize their risks.”
Gaining Full Control
Patrick Tiquet, Keeper Security’s vice president of security and architecture, said the immediate danger is that attackers exploiting these vulnerabilities can gain full control over affected firewalls, compromising the very systems designed to protect sensitive networks.
“This opens the door for malware deployment, data theft, lateral movement within the network and even complete network shutdowns,” he said. “For organizations relying on these firewalls, this could mean business disruption, loss of sensitive data, and exposure to regulatory and financial consequences.”
Beyond patching, security teams must prioritize assessing the potential damage from compromised firewalls, Tiquet said. This includes checking for unauthorized access, scanning for malware and reviewing configurations to ensure no additional vulnerabilities were introduced during the attack.
“Organizations should also adopt a proactive approach to managing their attack surface, such as restricting access to management interfaces, implementing strong authentication and leveraging privileged access management (PAM) solutions to protect administrative controls,” he said. “While patching is critical, ongoing vigilance and layered defenses are equally essential to minimize risks from similar threats in the future.”