Palo Alto Firewalls: CVE-2024-3400 Exploitation and PoCs for Persistence After Resets/Upgrades
Palo Alto Networks has confirmed the existence of proof-of-concept techniques enabling attackers to maintain persistence on their firewalls post-exploitation of CVE-2024-3400. However, they state that there's no evidence of malicious actors actively using these persistence methods. The vulnerability, initially thought to be a single zero-day exploit, was later revealed by Rapid7 to comprise two separate vulnerabilities. These allowed threat actors, likely state-backed, to conduct limited attacks, installing backdoors, stealing sensitive data, and moving laterally through targeted networks.
Palo Alto Networks has been updating their security advisories and providing mitigation advice since the initial warning. They emphasize the importance of implementing fixes promptly, even for customers who have applied mitigations. They've also advised customers to obtain a tech support file (TSF) before rebooting into a patched version of PAN-OS to ensure vital logs are preserved.
Unit 42, Palo Alto's threat intelligence team, reported that most incidents they've responded to involve unsuccessful exploit attempts or testing of the vulnerability. Limited instances of configuration file exfiltration and interactive access compromises were also noted.
Remediation recommendations have been published for customers at different levels of compromise. Additionally, Palo Alto Networks has acknowledged proof-of-concept persistence techniques developed by third parties, although there's no indication of active use by attackers. However, state-sponsored threat actors have previously demonstrated the ability to install persistent malware in other network appliances, highlighting ongoing concerns about cybersecurity vulnerabilities.
News source:
https://www.helpnetsecurity.com/2024/04/30/palo-alto-firewalls-persistence-cve-2024-3400-exploitation/