Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed

Nov. 25, 2024, 5:28 p.m.

Description

Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Networks firewall devices. The attacks likely exploit the recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C2 framework and coinminer binaries. Threat actors injected malicious commands into firewall login attempts, deployed PHP webshells, exfiltrated sensitive configuration files and credentials, and in some cases installed XMRig cryptocurrency miners. The campaign demonstrates how quickly newly disclosed vulnerabilities in perimeter devices are exploited. Defenders are advised to implement robust external monitoring, restrict access to management interfaces, and patch vulnerable systems promptly.

Date

  • Created: Nov. 25, 2024, 4:01 p.m.
  • Published: Nov. 25, 2024, 4:01 p.m.
  • Modified: Nov. 25, 2024, 5:28 p.m.

Indicators


Attack Patterns

  • Sliver C2
  • XMRig
  • T1003.008 (OS Credential Dumping: /etc/passwd and /etc/shadow)
  • T1070.003 (Indicator Removal: Clear Command History)
  • T1074.001 (Data Staged: Local Data Staging)
  • T1119 (Automated Collection)
  • T1070.006 (Indicator Removal: Timestomp)
  • T1105 (Ingress Tool Transfer)
  • T1027 (Obfuscated Files or Information)
  • T1560 (Archive Collected Data)
  • T1190 (Exploit Public-Facing Application)
  • T1068 (Exploitation for Privilege Escalation)