Palo Alto Networks released new indicators of compromise (IoC) a day after the network security vendor confirmed that a new zero-day vulnerability affecting the PAN-OS firewall management interface is in active use in the wild.
To this end, the company said he observed malicious activity originating from the IP addresses below and targeting the PAN-OS web management interface IP addresses accessible over the Internet –
- 136.144.17(.)*
- 173.239.218(.)251
- 216.73.162(.)*
The company warned, however, that these IP addresses may represent “third-party VPNs with legitimate user activity originating from these IP addresses to other destinations.”
An updated advisory from Palo Alto Networks indicates that the flaw is being used to deploy a web shell on compromised devices, allowing threat actors to gain permanent remote access.
The vulnerability, which has not yet been assigned a CVE ID, has a CVSS score of 9.3, indicating critical severity. This allows remote command execution without authentication.
According to the company, the vulnerability does not require user interaction or privileges to exploit, and its attack complexity has been rated as “low”.
However, the severity of the flaw is reduced to high (CVSS score: 7.5) if access to the management interface would be restricted to a limited pool of IP addresses, in which case the threat actor would first need to gain privileged access to those IPs addresses.
November 8, 2024 Palo Alto Networks began advises customers to secure their firewall management interfaces amid reports of a remote code execution (RCE) flaw. It was from that time confirmed that the mysterious vulnerability was exploited against a “limited number” of instances.
At the moment, there are no details about how the vulnerability was discovered, who the threat was behind the exploitation and the goals of these attacks. Prisma Access and Cloud NGFW products are not affected by the flaw.
Patches for the vulnerability have not yet been released, making it imperative that users take immediate steps to secure access to the management interface if they haven’t already.
The recommendation comes as three different critical flaws in Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) are actively exploited, according to the US Cybersecurity and Infrastructure Security Agency (CISA). At this stage, there is no evidence that the activity is related.
(This is a developing story. Please check back for more updates.)
