Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Incident Response

Palo Alto Networks Shares Remediation Advice for Hacked Firewalls

Palo Alto Networks has shared remediation instructions for organizations whose firewalls have been hacked via CVE-2024-3400.

Palo Alto Networks

Palo Alto Networks has shared remediation instructions for organizations whose firewalls have been hacked through the exploitation of the vulnerability tracked as CVE-2024-3400.

On Wednesday, the cybersecurity giant updated its advisory for CVE-2024-3400 to include a link to a knowledge base article providing remediations depending on the exploitation attempt’s level of success.

Palo Alto Networks previously provided information on checking whether a device has been compromised or targeted by threat actors.

Customers that detect unsuccessful exploitation attempts have been advised to update to the latest PAN-OS hotfix. The same must be done by organizations that find evidence of someone testing their firewall to see if it’s vulnerable — this typically involves creating an empty file on the firewall, but no unauthorized commands are executed.

Palo Alto Networks initially released patches only for some of the impacted PAN-OS versions, but fixes are now available for all versions. 

If there are signs of potential data exfiltration — this involves a file such as ‘running_config.xml’ being copied to a location that is accessible via web requests — customers must not only update PAN-OS but also perform a private data reset, which eliminates the risk of device data misuse.

Companies that find evidence of interactive command execution, which is the worst case scenario, need to perform a factory reset of the device in addition to updating PAN-OS. If the attacker has executed commands, they may have deployed backdoors or exfiltrated data. 

Palo Alto noted that the private data reset and factory reset will remove the possibility of capturing forensic artifacts that may be needed to conduct an investigation.

Advertisement. Scroll to continue reading.

Attacks exploiting CVE-2024-3400 to hack Palo Alto firewalls came to light on April 12, when the vendor and cybersecurity firm Volexity issued warnings about the zero-day being leveraged in limited attacks.

Volexity has yet to link the activity to a known threat actor or operation, but it’s confident that a state-sponsored group is behind the attack. Some members of the cybersecurity industry claim to have found links to North Korea, but this has yet to be corroborated.

Volexity tracks the threat actor as UTA0218 and Palo Alto is tracking the initial exploitation of the vulnerability as Operation MidnightEclipse. Exploitation has increased following the release of PoC code. 

The number of internet-exposed devices that may be vulnerable to attacks has been decreasing, according to data from the Shadowserver Foundation, but there are still a few thousand devices that hackers may be able to compromise.

Related: Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability

Related: Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights