Palo Alto Networks has shared remediation instructions for organizations whose firewalls have been hacked through the exploitation of the vulnerability tracked as CVE-2024-3400.
On Wednesday, the cybersecurity giant updated its advisory for CVE-2024-3400 to include a link to a knowledge base article providing remediations depending on the exploitation attempt’s level of success.
Palo Alto Networks previously provided information on checking whether a device has been compromised or targeted by threat actors.
Customers that detect unsuccessful exploitation attempts have been advised to update to the latest PAN-OS hotfix. The same must be done by organizations that find evidence of someone testing their firewall to see if it’s vulnerable — this typically involves creating an empty file on the firewall, but no unauthorized commands are executed.
Palo Alto Networks initially released patches only for some of the impacted PAN-OS versions, but fixes are now available for all versions.
If there are signs of potential data exfiltration — this involves a file such as ‘running_config.xml’ being copied to a location that is accessible via web requests — customers must not only update PAN-OS but also perform a private data reset, which eliminates the risk of device data misuse.
Companies that find evidence of interactive command execution, which is the worst case scenario, need to perform a factory reset of the device in addition to updating PAN-OS. If the attacker has executed commands, they may have deployed backdoors or exfiltrated data.
Palo Alto noted that the private data reset and factory reset will remove the possibility of capturing forensic artifacts that may be needed to conduct an investigation.
Attacks exploiting CVE-2024-3400 to hack Palo Alto firewalls came to light on April 12, when the vendor and cybersecurity firm Volexity issued warnings about the zero-day being leveraged in limited attacks.
Volexity has yet to link the activity to a known threat actor or operation, but it’s confident that a state-sponsored group is behind the attack. Some members of the cybersecurity industry claim to have found links to North Korea, but this has yet to be corroborated.
Volexity tracks the threat actor as UTA0218 and Palo Alto is tracking the initial exploitation of the vulnerability as Operation MidnightEclipse. Exploitation has increased following the release of PoC code.
The number of internet-exposed devices that may be vulnerable to attacks has been decreasing, according to data from the Shadowserver Foundation, but there are still a few thousand devices that hackers may be able to compromise.
Related: Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability
Related: Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms
