On the heels of a concerning discovery, Palo Alto Networks is urging companies to take swift action and patch against a newly discovered zero-day vulnerability. The vulnerability, known officially as CVE-2024-3400, was found in newer versions of the PAN-OS software, commonly used in Palo Alto’s GlobalProtect firewall products. This critical vulnerability allows malicious hackers to remotely exploit an affected firewall without any authentication, giving them complete control over corporate networks. As a result, Palo Alto has given the bug a maximum severity rating and is urging customers to update their affected systems. The company has also warned that there has been a significant increase in attacks exploiting this zero-day vulnerability.
“We are aware of an increasing number of attacks targeting this zero-day vulnerability,” stated Palo Alto in a recent press release.
Adding to the urgency, Palo Alto initially recommended disabling telemetry as a mitigation, but later clarified that doing so does not prevent exploitation. Complicating matters further, public proof-of-concept code is already available, which lowers the bar for anyone attempting to exploit the zero-day.
According to The Shadowserver Foundation, a non-profit organization that tracks and analyzes malicious internet activity, there are over 156,000 potentially affected Palo Alto firewall devices connected to the internet. This means thousands of organizations are at risk from this vulnerability.
Volexity, the security firm that first discovered and reported the vulnerability to Palo Alto, has found evidence of malicious exploitation dating back to March 26th, two weeks before Palo Alto released fixes. Volexity’s records of the attacks show a government-backed threat actor, tracked as UTA0218, exploiting the vulnerability to implant a backdoor and gain further access to victim networks. The government or nation state that UTA0218 works for is currently unknown.
“These malicious actors are taking advantage of the vulnerability in order to gain access to networks for future exploitation,” said Volexity’s founder, Steven Adair.
Unfortunately, this is not the first instance of critical vulnerabilities being discovered in corporate security devices. In recent months, many other companies have found themselves in a similar situation. For example, earlier this year, security vendor Ivanti fixed several critical zero-day vulnerabilities in its VPN product, Connect Secure, which provides employees with remote access to a company’s systems over the internet. Those flaws were mass-exploited, and Volexity quickly linked the activity to a China-backed hacking group.
“Given the widespread use of Ivanti’s products, the U.S. government has warned federal agencies to patch their systems,” reported TechCrunch.
In another incident, ConnectWise, the technology company responsible for the popular screen sharing tool ScreenConnect used by IT admins for providing remote technical support, also fixed vulnerabilities that were deemed “embarrassingly easy to exploit.” These vulnerabilities led to more mass exploitation of corporate networks, causing widespread concern in the cybersecurity community.
“We must remain vigilant, as these types of vulnerabilities can significantly compromise a company’s security and defenses,” warned a spokesperson from ConnectWise.
As cyber threats continue to evolve, it is crucial for companies to prioritize promptly patching any discovered vulnerabilities to better protect their networks and data. The recent incidents are a reminder of the importance of staying ahead of potential vulnerabilities in corporate security devices.