Palo Alto Confirms Ongoing Exploits Against PAN OS Management Interfaces


Threat Group: Unknown
Threat Type: Remote Code Execution (RCE) Vulnerability
Exploited Vulnerabilities: PAN-OS Firewall Management Interface
Malware Used: Web Shells
Threat Score: High (9.3/10) — Due to the critical nature of the vulnerability allowing unauthenticated remote command execution.
Last Threat Observation: November 16, 2024.

Overview

Palo Alto Networks has confirmed active exploitation of a critical zero-day vulnerability in its PAN-OS firewall management interface. This vulnerability, discovered externally and currently exploited in the wild, allows unauthenticated remote command execution. Threat actors are targeting a limited number of firewall management interfaces exposed to the internet, with the vulnerability rated critical (CVSS 9.3).

Palo Alto Networks advises customers to follow their deployment best practices by restricting management interface access to trusted internal IPs. Prisma Access and Cloud NGFW products are not affected. The company is actively investigating the issue, with plans to release patches and threat prevention signatures promptly.

This advisory, initially published on November 8, 2024, has been updated multiple times, including severity adjustments and the addition of IoCs.


Key Details

  • Delivery Method: Exploitation of exposed PAN-OS management interfaces accessible from the internet.
  • Target: Palo Alto Networks PAN-OS firewalls with internet-facing management interfaces.
  • Functions:
    • Unauthenticated remote command execution
    • Deployment of web shells for persistent remote access
    • Potential lateral movement and malicious activities
  • Obfuscation: Use of third-party VPNs and legitimate IPs to mask activities.

Attack Vectors

Threat actors exploit vulnerable PAN-OS firewalls by targeting exposed management interfaces. Malicious requests enable attackers to execute commands without authentication. Following exploitation, web shells are installed, allowing persistent remote access. Attackers require no user interaction or privileges to carry out these attacks.


Known Indicators of Compromise (IoCs)

Malicious IPs Observed:

  • 136.144.17[.]*
  • 173.239.218[.]251
  • 216.73.162[.]*

Malicious Web Shell Checksum:

  • SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668

Mitigation and Prevention

  1. Restrict Management Interface Access:
    Ensure the PAN-OS management interface is accessible only from trusted internal IP addresses. Block all internet-facing access.
  2. Check Device Configuration:
    Use the Palo Alto Networks Customer Support Portal to identify devices requiring remediation (Asset Management Link).
  3. Apply Best Practices:
    Refer to Palo Alto Networks’ guide for securing management access (Best Practices Guide).
  4. Prepare for Updates:
    Monitor advisories and apply updates as soon as patches are released. Subscribe to RSS feeds for notifications.
  5. Monitor for IoCs:
    Actively monitor network traffic for malicious IPs and web shell activity.
  6. Use Cortex Tools for Exposure Assessment:
    Leverage Cortex Xpanse and Cortex XSIAM to identify exposed instances through automated alerts.
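For step 5, a small Python checker, added here as an example and not part of the advisory, that refangs the IoCs listed above (reading a trailing `*` as the whole /24), scans constructed management-interface log lines for matching source addresses, and compares a file hash against the published web shell checksum.

```python
import ipaddress
import re

# IoCs exactly as this page lists them, in defanged form.
DEFANGED_IPS = ["136.144.17[.]*", "173.239.218[.]251", "216.73.162[.]*"]
WEB_SHELL_SHA256 = "3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668"


def refang(ioc: str) -> ipaddress.IPv4Network:
    """Turn a defanged indicator into a network: "[.]" becomes ".", and a
    trailing "*" (two of the page's entries) is read as the whole /24."""
    raw = ioc.replace("[.]", ".")
    if raw.endswith(".*"):
        return ipaddress.ip_network(raw[:-2] + ".0/24")
    return ipaddress.ip_network(raw + "/32")


IOC_NETWORKS = [refang(i) for i in DEFANGED_IPS]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_ip(addr: str):
    """Return the IoC network that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in IOC_NETWORKS if ip in net), None)


def scan_log(lines):
    """Yield (line_no, ip, network) for every IoC address found in the lines."""
    for n, line in enumerate(lines, 1):
        for addr in IPV4_RE.findall(line):
            try:
                net = match_ip(addr)
            except ValueError:  # the regex also accepts e.g. 999.1.1.1; skip those
                continue
            if net is not None:
                yield n, addr, str(net)


def is_known_web_shell(sha256_hex: str) -> bool:
    """Case-insensitive comparison against the published web shell checksum."""
    return sha256_hex.strip().upper() == WEB_SHELL_SHA256


# Constructed sample lines shaped like a management-interface access log (not real data).
SAMPLE_LOG = [
    "2024-11-15T10:01:02Z src=10.20.30.40 dst=10.20.30.1 action=allow",
    "2024-11-15T10:05:44Z src=136.144.17.200 dst=10.20.30.1 action=allow",
    "2024-11-15T10:06:10Z src=173.239.218.251 dst=10.20.30.1 action=allow",
    "2024-11-15T10:07:00Z src=216.73.162.9 dst=10.20.30.1 action=allow",
]
```

Running `list(scan_log(SAMPLE_LOG))` flags lines 2 to 4 and leaves the internal address alone; feed it real log lines or the output of `sha256sum` on suspicious files in the same way.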

Solution

At this time, securing access to the management interface is the most effective mitigation. Organizations should verify that their devices are configured according to Palo Alto Networks' deployment best practices. Fixes and prevention signatures are forthcoming.


FAQs

Q: Is there active exploitation?
Yes, Palo Alto Networks has confirmed threat activity targeting a limited number of exposed firewall management interfaces.

Q: What are the IoCs?

  • IPs: 136.144.17[.]*, 173.239.218[.]251, 216.73.162[.]*
  • Web Shell Checksum: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668

Q: Are Prisma Access and Cloud NGFW affected?
No, these products are not affected.

Q: How were devices identified as vulnerable?
Routine nonintrusive scans identified internet-facing management interfaces, cross-referenced with customer accounts through IP-to-serial number mapping.


Conclusion

The active exploitation of this PAN-OS vulnerability highlights the urgent need for organizations to secure their firewall management interfaces. Immediate action to restrict access and monitor for IoCs will reduce the risk of compromise. Organizations must stay alert for updates from Palo Alto Networks to apply forthcoming patches and prevention measures.


Sources

  • Palo Alto Networks Security Advisory: "PAN-SA-2024-0015 Critical Security Bulletin: Ensure Access to Management Interface is Secured"
  • The Hacker News: "PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released"
  • SecurityWeek: "Palo Alto Networks Confirms New Firewall Zero-Day Exploitation"
  • Infosecurity Magazine: "Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Actors"