Dive Brief:
- Shadowserver researchers and Palo Alto Networks are disputing the number of compromised instances in the security vendor’s PAN-OS operating system. While Shadowserver identified around 2,000 compromised instances, Palo Alto Networks said it was less extensive.
- About 2,000 Palo Alto Networks customers’ firewalls are compromised by a widening spree of exploits targeting a zero-day in the security vendor’s PAN-OS operating system, Shadowserver scans showed Thursday.
- Palo Alto Networks disputed Shadowserver’s findings. “While we can’t confirm the exact number, I can tell you it is a smaller number,” Steven Thai, senior manager of global crisis communications and reputation management at Palo Alto Networks, said in a Thursday email.
Dive Insight:
Shadowserver, a nonprofit that shares daily analysis with more than 200 national computer security incident response teams, typically scans for devices exposed to the internet and potentially vulnerable to known exploits.
Yet, in this case, Shadowserver’s research and collaboration with the Saudi National Cybersecurity Authority identified artifacts left behind by attackers, which can be detected remotely, Shadowserver CEO Piotr Kijewski said in a Friday email.
Shadowserver’s research is a partial rebuttal to Palo Alto Networks’ assertion that only a limited number of customers’ firewall management interfaces have been exploited.
“The ecosystem of firewalls overall is millions. But our perspective is that even one impacted firewall is one too many and that is why we frequently communicate and post when we see any potential vulnerability,” Thai said.
“Less than half a percent of Palo Alto Networks firewalls deployed by customers have an internet-exposed management interface.”
The security vendor initially published a security advisory about an unconfirmed vulnerability in the PAN-OS management interface on Nov. 8. The company observed threat activity targeting the vulnerability on Nov. 14 and added indicators of compromise on Nov. 15.
On Monday, a CVE was assigned to the critical authentication bypass vulnerability, CVE-2024-0012, and Palo Alto Networks issued a patch. The Cybersecurity and Infrastructure Security Agency added CVE-2024-0012 and CVE-2024-9474, another vulnerability in PAN-OS that can be exploited in tandem, to its known exploited vulnerabilities catalog on Monday.
Shadowserver scans identified an increase in threat activity targeting the CVEs starting Tuesday, when more threat groups presumably began exploiting the vulnerabilities, Kijewski said.
Palo Alto Networks threat intelligence firm Unit 42 is tracking the initial exploitation of CVE-2024-0012 as Operation Lunar Peek.
“We are actively working with those who may be impacted and are committed to supporting the security of our customers,” Thai said.
The active exploits of Palo Alto Networks customers’ firewalls follow a trio of actively exploited zero-days in Expedition, the company’s tool for migrating customers over from other vendors, earlier this month. Attackers also hit a maximum-severity zero-day in PAN-OS earlier this year.