5 Things To Know About The Latest Firewall, VPN Attacks

Cisco’s Talos research team says it’s monitoring a ‘global increase in brute-force attacks’ against targets including VPN services, while an exploit has been released for a critical vulnerability in Palo Alto Networks’ PAN-OS firewall software.

Hackers continue to escalate their targeting of network security devices and remote access services as a means of breaching customer environments, as underscored by a pair of new disclosures Tuesday.

In a blog post, Cisco’s Talos research team said it’s monitoring a “global increase in brute-force attacks” against targets including VPN services. Meanwhile, an offensive security firm released an exploit for the recently disclosed, maximum-severity vulnerability affecting several versions of Palo Alto Networks’ PAN-OS firewall software.


Given the prime position of network security products, there’s no question that “they are big targets for attackers of all stripes,” said Caitlin Condon, director of vulnerability research and intelligence at Rapid7, in an interview.

What follows are five key things to know about the latest major firewall and VPN attacks.

PAN-OS Exploit Released

On Friday, Palo Alto Networks disclosed a critical-severity vulnerability affecting the PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 versions of the firewall software.

Notably, the zero-day vulnerability had already been exploited by the time it was disclosed, according to the company. As of Tuesday afternoon, the vendor’s advisory still stated that only a “limited number of attacks” exploiting the vulnerability had been observed.

Palo Alto Networks released the first patches addressing the flaw on Monday. The vendor said the vulnerability (tracked as CVE-2024-3400) has been rated “critical,” with the maximum severity score of 10.0 out of 10.0.

On Tuesday, offensive security firm watchTowr Labs released proof-of-concept exploit code, which is “ultimately executed as a shell command” on vulnerable Palo Alto Networks firewalls, according to a blog post.

Strong Response Efforts

Palo Alto Networks has responded quickly following the discovery of the critical vulnerability, and has been open with sharing information, Rapid7’s Condon told CRN.

The issue was discovered by researchers at cybersecurity firm Volexity, which had also found evidence of the vulnerability being exploited in the wild.

In response, the advisories from Palo Alto Networks “were transparent with that information, even before patches were fully available,” Condon said.

The company provided mitigations in connection with the vulnerability disclosure, she noted — and the message was essentially, “‘Mitigate now, and we’ll get you the patches as soon as we can.’”

Palo Alto Networks also followed through by releasing the first set of patches on Sunday, Condon said. “Clearly they worked through the weekend to make that happen,” she said.

VPN Attack Campaign

In a separate disclosure Tuesday, researchers at Cisco Talos warned about a wave of attacks that have been observed over the past month, including against widely used VPN services.

The attacks have focused on “brute-force” password guessing tactics and have also targeted SSH (Secure Shell) services as well as authentication interfaces for web applications, according to the Talos research team.

The cyberattack campaign has been ongoing since “at least” March 18. “Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” the researchers wrote in a post. “The traffic related to these attacks has increased with time and is likely to continue to rise.”

Affected Services

The Talos researchers listed a number of “known affected services” in the attack campaign. Those services include Cisco’s Secure Firewall VPN offering as well as VPN services from Check Point, Fortinet, SonicWall and Ubiquiti, according to Talos.

“However, additional services may be impacted by these attacks,” the researchers wrote.

CRN has reached out to Cisco, Check Point, Fortinet, SonicWall and Ubiquiti for comment.

Growing Risk

The bigger context for the attacks targeting firewall devices and VPN services is that “these are devices that were made decades ago,” said Deepen Desai, chief security officer and senior vice president of security engineering and research at Zscaler.

“It’s served its purpose for sure, whether it’s a VPN or a firewall,” Desai told CRN. However, “the threat landscape was completely different back then,” he said.

Particularly when it comes to zero-day exploits in firewalls, the impact today can be “enormous,” Desai said. “The threat actor is able to get in without having a key to your house and able to do anything inside the house. Everything is reachable.”