In a recent significant cyberattack, over 2,000 Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched vulnerabilities. Palo Alto Networks provides cybersecurity products and services to enterprises, governments and service providers. According to the UK-based Shadowserver Foundation, the number of compromised Palo Alto Networks firewalls in the US and in India was in the hundreds for each country. The breach was attributed to two vulnerabilities tracked as CVE-2024-0012 and CVE-2024-9474. The attackers used these vulnerabilities to deploy malicious software, exfiltrate sensitive data, and disable critical security measures. These actions leave organisations exposed to additional risks, including data breaches and further exploitation.
CVE-2024-0012 is an authentication bypass vulnerability in the management web interface of Palo Alto Networks' PAN-OS. It allows an unauthenticated attacker who can reach the management web interface to gain administrator-level access without valid credentials. This flaw is particularly concerning because it lets attackers take over devices remotely. Chained with CVE-2024-9474, a privilege escalation vulnerability that lets an attacker who already holds administrator access to that interface execute commands on the firewall as root, the two vulnerabilities present a potent threat: the first supplies the administrator access, the second turns it into full control of the underlying system. In simple terms, CVE-2024-0012 allowed attackers to slip into the firewall without needing a password, like entering a locked house through an open window. CVE-2024-9474 then let them take full control of the system and do whatever they wanted, from stealing information to shutting things down, as if they held the keys to every safe in the building.
Experts have warned that many organisations failed to apply the patches promptly, even though Palo Alto Networks had released fixes for both vulnerabilities. This delayed response highlights a recurring challenge in cybersecurity: ensuring that organisations apply timely updates to critical infrastructure. Compounding the problem, many organisations had exposed the management interfaces of their firewalls to the internet, contrary to best practice, which recommends restricting access to trusted internal networks or specific IP addresses. An authentication bypass in a management interface is only reachable by an outside attacker if that interface is reachable from the outside in the first place.
Palo Alto Networks has responded to the attack by urging all businesses using its firewalls to install the updates immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added these vulnerabilities to its Known Exploited Vulnerabilities Catalogue, requiring federal agencies to patch their systems by early December 2024. The Shadowserver Foundation and other cybersecurity groups have likewise emphasised the urgency of addressing these issues, noting that attackers are actively scanning for unpatched systems to exploit.
This breach is a stark reminder of the importance of robust cybersecurity practices. Organisations must prioritise regular patch management so that their systems are protected against known threats. Administrative interfaces also need to be secured with tight access controls, and network traffic needs to be monitored, so that the risk from the next unpatched flaw is contained rather than total.
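The two controls the article keeps returning to, being on a fixed PAN-OS version and keeping the management interface off the internet, can be turned into a simple inventory triage that ranks which firewalls to fix first. The Python below is an added example written for this page; it is not code from Palo Alto Networks or from the original article. The inventory it walks is constructed, the `mgmt_internet_exposed` flag is assumed to come from your own asset data or an external scan, and the minimum fixed versions in `FIXED_VERSIONS` are this example's assumption of the vendor advisory and must be checked against the advisory before being relied on.

```python
"""Triage a PAN-OS firewall inventory for CVE-2024-0012 / CVE-2024-9474.

Added example for this page; not code from Palo Alto Networks or from the
original article. The inventory is constructed, and FIXED_VERSIONS is an
assumption to be verified against the vendor's security advisory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum fixed PAN-OS version per release train (major.minor), per CVE.
# ASSUMPTION: confirm against the vendor advisory before relying on this table.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2024-0012": {"10.2": "10.2.12-h2", "11.0": "11.0.6-h1",
                      "11.1": "11.1.5-h1", "11.2": "11.2.4-h1"},
    "CVE-2024-9474": {"10.1": "10.1.14-h6", "10.2": "10.2.12-h2", "11.0": "11.0.6-h1",
                      "11.1": "11.1.5-h1", "11.2": "11.2.4-h1"},
}

# PAN-OS versions look like 10.2.12 or 10.2.12-h2 (the -hN suffix is a hotfix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.12-h2' into (10, 2, 12, 2) so versions compare as tuples.

    A missing hotfix counts as h0, so 10.2.12 sorts below 10.2.12-h1.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str, cve: str) -> Optional[bool]:
    """True if the version is below the fix on its own release train,
    False if it is at or above the fix, None if the train is not listed
    for that CVE (treat None as 'check the advisory', not as 'safe')."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS[cve].get(train)
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


@dataclass
class Firewall:
    name: str
    version: str
    mgmt_internet_exposed: bool  # management interface reachable from the internet


def triage(fw: Firewall) -> dict:
    """Combine patch state and exposure into a single priority.

    An unpatched device whose management interface is on the internet is
    exactly the population that was compromised, so it ranks highest.
    """
    unpatched = [cve for cve in FIXED_VERSIONS if is_vulnerable(fw.version, cve)]
    if unpatched and fw.mgmt_internet_exposed:
        priority = "critical"   # patch now and pull the interface off the internet
    elif unpatched:
        priority = "high"       # not internet-facing, but still missing fixes
    elif fw.mgmt_internet_exposed:
        priority = "medium"     # patched, but violates the access-control best practice
    else:
        priority = "low"
    return {"name": fw.name, "version": fw.version, "unpatched": unpatched,
            "exposed": fw.mgmt_internet_exposed, "priority": priority}


# Constructed sample inventory (not real devices).
INVENTORY: List[Firewall] = [
    Firewall("edge-fw-01", "11.1.4-h4", True),
    Firewall("dc-fw-02", "10.2.12-h2", False),
    Firewall("branch-fw-03", "10.1.14-h3", True),
    Firewall("lab-fw-04", "11.2.4-h1", True),
]

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def triage_inventory(inventory: List[Firewall] = INVENTORY) -> List[dict]:
    """Return triage results, most urgent first (stable sort keeps inventory order within a tier)."""
    return sorted((triage(fw) for fw in inventory),
                  key=lambda r: PRIORITY_ORDER[r["priority"]])


if __name__ == "__main__":
    for r in triage_inventory():
        print(f"{r['priority']:<8} {r['name']:<14} {r['version']:<12} "
              f"exposed={r['exposed']} unpatched={', '.join(r['unpatched']) or 'none'}")
```

Run as a script it prints the sorted list. Two points in the design matter in practice: a `None` from `is_vulnerable` means the release train is not in the table and must be looked up, never that the device is safe; and a fully patched device with an internet-facing management interface still lands at "medium", because the exposure is the condition that made this campaign possible in the first place and will make the next management-interface flaw exploitable too.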
Cybersecurity is an ongoing process, not a one-time effort, and this incident serves as a sobering reminder of what is at stake when vulnerabilities are unaddressed. As businesses become more reliant on digital infrastructure, the importance of robust cybersecurity measures cannot be overstated.