Palo Alto Networks disputes Shadowserver count of roughly 2,000 compromised PAN-OS firewalls
A disagreement has emerged between the non-profit threat intelligence organisation Shadowserver and Palo Alto Networks over how many of the vendor's PAN-OS firewalls have been compromised.
Shadowserver, working with the Saudi National Cybersecurity Authority, reported that approximately 2,000 Palo Alto Networks firewalls had been exploited. Palo Alto Networks disputes that figure, saying the scale and characterisation of the compromises cited by Shadowserver may not be accurate.
The dispute is about how the extent of the PAN-OS compromises is being measured and communicated: Shadowserver's internet-wide scan data points one way, the vendor's own customer telemetry another.
Palo Alto Networks says it is working with potentially affected customers. The company first published a security advisory about an unconfirmed vulnerability in the PAN-OS management web interface on November 8. Fixes for that vulnerability, CVE-2024-0012, an authentication bypass in the management interface, were released on Monday, November 18. Palo Alto Networks' threat intelligence team, Unit 42, tracks the initial exploitation of the flaw as Operation Lunar Peek.
Palo Alto Networks observed threat activity targeting the vulnerability on November 14 and published indicators of compromise on November 15. A second PAN-OS vulnerability, CVE-2024-9474, a privilege escalation flaw that attackers chain with CVE-2024-0012, was also added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog on Monday.
On Thursday, Shadowserver's scans showed that customer firewalls had been compromised by a wave of exploitation targeting the PAN-OS zero-day. Its findings are a partial rebuttal to Palo Alto Networks' position that only a limited number of customers' firewall management interfaces have been exploited.
Palo Alto Networks says fewer than half a percent of its customer-deployed firewalls have a management interface exposed to the internet, and that exposure is the precondition for the attack: the vendor's standing guidance is to restrict management interface access to trusted internal IP addresses. Steven Thai, a senior manager at Palo Alto Networks, stated that the number of compromised devices is smaller than the figure Shadowserver reported.
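Because the dispute turns on how many management interfaces are reachable from the internet, the first thing a defender wants is a list of their own firewalls that meet that condition. The following is an added example, not code from the article, from Shadowserver or from Palo Alto Networks. It assumes a hypothetical inventory export with one record per firewall giving the management interface address and the permitted source ranges configured for it (an empty list meaning no restriction); the inventory data below is constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Address space that is never reachable from the public internet.
# Simplified on purpose: RFC 1918, loopback, link-local, IPv6 ULA.
NON_INTERNET = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "fc00::/7", "::1/128", "fe80::/10",
    )
]


@dataclass
class MgmtInterface:
    """One firewall's management interface, as exported from a hypothetical inventory."""
    hostname: str
    address: str            # IP bound to the management interface
    permitted_ips: list[str]  # source ranges allowed to reach it; [] means unrestricted


def is_routable_from_internet(addr: str) -> bool:
    """True when the address is outside every non-internet range above."""
    ip = ipaddress.ip_address(addr)
    # 'in' returns False for a version mismatch, so mixed v4/v6 lists are safe.
    return not any(ip in net for net in NON_INTERNET)


def allows_any_source(permitted: list[str]) -> bool:
    """True when there is no source restriction or a catch-all range is present."""
    if not permitted:
        return True
    return any(
        ipaddress.ip_network(cidr, strict=False).prefixlen == 0
        for cidr in permitted
    )


def classify(iface: MgmtInterface) -> str:
    """Triage bucket for one management interface."""
    routable = is_routable_from_internet(iface.address)
    if routable and allows_any_source(iface.permitted_ips):
        return "internet-exposed"          # reachable by anyone; patch and hunt first
    if routable:
        return "public-address-restricted"  # public IP, but a source allow-list applies
    return "internal"                       # private address; needs an internal foothold


# Constructed sample inventory (documentation addresses, not real devices).
INVENTORY = [
    MgmtInterface("fw-dc1-edge", "203.0.113.5", []),
    MgmtInterface("fw-dc1-core", "10.20.0.1", []),
    MgmtInterface("fw-branch-7", "198.51.100.40", ["192.0.2.0/24"]),
    MgmtInterface("fw-cloud-a", "198.51.100.41", ["0.0.0.0/0"]),
    MgmtInterface("fw-cloud-b", "2001:db8::10", ["::/0"]),
    MgmtInterface("fw-lab", "192.168.50.1", ["192.168.0.0/16"]),
]


def exposed_hosts(inventory: list[MgmtInterface]) -> list[str]:
    """Hostnames whose management interface is open to the whole internet."""
    return [i.hostname for i in inventory if classify(i) == "internet-exposed"]


if __name__ == "__main__":
    for iface in INVENTORY:
        print(f"{iface.hostname:14} {iface.address:18} {classify(iface)}")
    print("priority patch/hunt list:", exposed_hosts(INVENTORY))
```

The three buckets map onto the article's argument: only the "internet-exposed" set is reachable by the kind of mass scanning Shadowserver performs, while a device with a public address but a tight allow-list is far less likely to show up in its counts. Treat "0.0.0.0/0" or "::/0" in a permitted list as equivalent to no restriction at all, which is what the check above does.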
The dispute follows a series of actively exploited zero-days in Palo Alto Networks' Expedition migration tool and a separate maximum-severity PAN-OS zero-day earlier this year, and it reinforces the same lesson: apply fixes promptly and keep management interfaces off the public internet.
- Shadowserver's scan data points to a larger number of compromised PAN-OS firewalls than Palo Alto Networks acknowledges; the vendor maintains that Shadowserver's scale and characterisation are not accurate.
- Palo Alto Networks is investigating, has published indicators of compromise, and released fixes for CVE-2024-0012 on Monday.
- The disagreement shows how much the assessment of an incident depends on the data source: internet-wide scans and vendor telemetry can yield different pictures of the same exploitation campaign, and defenders should check their own exposure rather than rely on either headline number.