Palo Alto Networks has released fixes for a zero-day vulnerability affecting its GlobalProtect VPN product that is being actively exploited following its disclosure last week. Hotfixes for the vulnerability, tracked as CVE-2024-3400, were recently published, as promised in an urgent notice about the bug on 12 April. The zero-day carries the highest possible severity score, 10.[1]
Security company Volexity, which Palo Alto credited with discovering the bug, said it “is highly likely” the attacker behind the exploitation is a state-backed threat actor and that the first attacks date back to at least 26 March. Palo Alto said it is “aware of a limited number of attacks,” and Volexity detailed at least six incidents in its rundown of how the bug was initially found.[2]
Multiple cybersecurity experts said that since Friday’s notice, attackers have swarmed the vulnerability seeking to exploit it, something Volexity warned of in its blog post from last week. Researchers found thousands of vulnerable instances of the product exposed to the internet around the world, and one cybersecurity company said it saw “actors possibly associated with BianLian/Lazarus” targeting the vulnerability.[3]
Yaron Kassner, co-founder of cybersecurity firm Silverfort, told Recorded Future News that the vulnerability is a boon to attackers because the devices are accessible from the internet and allow entry into victim networks — enabling hackers to move laterally once inside. “Silverfort is seeing increased attacker activity following the publication of CVE-2024-3400,” he said. “Once the attacker compromises the device, the next stage is to move laterally to gain access to sensitive assets inside the network, as reported by Volexity. The attackers need credentials to do it, and they naturally used the same service account used by GlobalProtect.”
The Cybersecurity and Infrastructure Security Agency (CISA) added the VPN flaw to its list of known exploited vulnerabilities almost immediately, signaling urgency in the need for federal agencies to patch the bug.
Palo Alto Networks’ own security team, Unit 42, attributed the initial targeting of the vulnerability to a single threat actor but noted that “additional threat actors may attempt exploitation in the future.”
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://therecord.media/palo-alto-networks-fixes-vpn-zero-day/
[2] https://security.paloaltonetworks.com/CVE-2024-3400
[3] https://twitter.com/Netlas_io/status/1778814273650573796