Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed
Nov. 25, 2024, 5:28 p.m.
Description
Arctic Wolf has observed multiple intrusions across several industries involving Palo Alto Networks firewall devices. Initial access was most likely gained by exploiting the recently disclosed PAN-OS vulnerabilities CVE-2024-0012 (an authentication bypass in the management web interface) and CVE-2024-9474 (a privilege escalation in the same interface), which can be chained to run commands as root on an exposed management interface. Compromised devices downloaded payloads including the Sliver C2 framework and coinminer binaries. The threat actors injected commands into firewall login attempts, deployed PHP webshells, exfiltrated sensitive configuration files and credentials, and in some cases installed the XMRig cryptocurrency miner. The campaign illustrates how quickly newly disclosed vulnerabilities in perimeter devices are exploited once public. Defenders are advised to restrict the management interface to trusted internal addresses, monitor it for unexpected external connections and for the indicators below, and apply vendor patches promptly.
Date
Published: Nov. 25, 2024, 4:01 p.m.
Created: Nov. 25, 2024, 4:01 p.m.
Modified: Nov. 25, 2024, 5:28 p.m.
Indicators
a3092bfa4199def7fc525465895ee3784c6fcf55f0a7e9c8436c027e0f41cb4b
95.164.5.41
93.113.25.46
77.221.158.154
46.8.226.75
38.60.214.5
38.180.147.18
180.210.220.139
156.244.14.127
143.198.1.178
107.191.48.109
104.131.69.106
sys.traceroute.vip
img.dxyjg.com
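As an added example (not code from the original report or from Arctic Wolf), the following Python sweeps management-interface log lines for the indicators listed above and applies the "restrict the management interface" advice as a check: any request whose source address falls outside the trusted ranges is flagged even when it matches no indicator. Only the indicator values come from this page; the log format (timestamp, source IP, request, status), the trusted ranges and the sample lines are assumptions constructed for illustration.

```python
"""IOC sweep for the PAN-OS campaign described above.

Added example, not part of the original report. Indicator values are the ones
published on this page; SAMPLE_LOG and its format are constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Indicators exactly as listed on this page.
IOC_IPS = {
    "95.164.5.41", "93.113.25.46", "77.221.158.154", "46.8.226.75",
    "38.60.214.5", "38.180.147.18", "180.210.220.139", "156.244.14.127",
    "143.198.1.178", "107.191.48.109", "104.131.69.106",
}
IOC_DOMAINS = {"sys.traceroute.vip", "img.dxyjg.com"}
IOC_SHA256 = {"a3092bfa4199def7fc525465895ee3784c6fcf55f0a7e9c8436c027e0f41cb4b"}

# Assumption: management access is only expected from RFC 1918, loopback and link-local space.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

Hit = Tuple[int, str, str]  # (line number, hit kind, matched value)


def match_iocs(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every page-listed indicator found in one line."""
    found: List[Tuple[str, str]] = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            found.append(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in IOC_DOMAINS:
            found.append(("domain", dom.lower()))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            found.append(("sha256", digest.lower()))
    return found


def source_is_external(line: str) -> bool:
    """True when the first IPv4 address on the line (assumed to be the request
    source) is outside TRUSTED_NETS. Lines without an address are not flagged."""
    m = IPV4_RE.search(line)
    if not m:
        return False
    addr = ipaddress.ip_address(m.group(0))
    return not any(addr in net for net in TRUSTED_NETS)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run both checks over a log; IOC hits come before the external-source hit for a line."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for kind, value in match_iocs(line):
            hits.append((n, kind, value))
        if source_is_external(line):
            hits.append((n, "external-source", IPV4_RE.search(line).group(0)))
    return hits


# Constructed sample: an internal admin login, a login from a listed IP, a DNS
# resolution of a listed domain, an external non-listed source, and a dropped file
# whose hash is listed. 203.0.113.9 is a documentation-range address, not a real IOC.
SAMPLE_LOG = [
    '2024-11-19T02:14:07Z 10.0.0.5 "GET /php/login.php" 200',
    '2024-11-19T02:15:31Z 77.221.158.154 "POST /php/login.php" 200',
    '2024-11-19T02:16:02Z 10.0.0.5 resolved img.dxyjg.com',
    '2024-11-19T02:17:45Z 203.0.113.9 "GET /php/login.php" 401',
    '2024-11-19T02:18:10Z dropped file sha256=a3092bfa4199def7fc525465895ee3784c6fcf55f0a7e9c8436c027e0f41cb4b',
]

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {value}")
```

The external-source check is deliberately independent of the indicator list: the IPs above are a snapshot of one campaign, while a management interface reachable from arbitrary external addresses is the underlying exposure that both CVEs require.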
Attack Patterns
Sliver C2 (tool)
XMRig (tool)
T1003.008 (OS Credential Dumping: /etc/passwd and /etc/shadow)
T1070.003 (Indicator Removal: Clear Command History)
T1074.001 (Data Staged: Local Data Staging)
T1119 (Automated Collection)
T1070.006 (Indicator Removal: Timestomp)
T1105 (Ingress Tool Transfer)
T1027 (Obfuscated Files or Information)
T1560 (Archive Collected Data)
T1190 (Exploit Public-Facing Application)
T1068 (Exploitation for Privilege Escalation)