Headline
Operation Lunar Peek: More Than 2,000 Palo Alto Network Firewalls Hacked
The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012…
The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012 & CVE-2024-9474, enabling admin bypass and root access. Top targets: US & India.
Cybersecurity researchers at Shadowserver have revealed that approximately 2,000 Palo Alto Networks firewalls have been compromised. The breaches leverage two recently identified zero-day vulnerabilities in the company’s PAN-OS software. These vulnerabilities have been labeled as CVE-2024-0012 and CVE-2024-9474.
****The Vulnerabilities****
CVE-2024-0012: This vulnerability is an authentication bypass in the PAN-OS management web interface. It allows remote attackers to gain administrator privileges without authentication. This means attackers can tamper with firewall settings, making them more susceptible to further exploitation.
CVE-2024-9474: This flaw is a privilege escalation issue. Once exploited, it lets attackers execute commands with root privileges, giving them full control over the compromised firewall.
Heads-up! Thanks to collaboration with the Saudi NCA we are now scanning & reporting Palo Alto Networks devices COMPROMISED as a result of a CVE-2024-0012/CVE-2024-9474 campaign. Found ~2000 instances compromised on 2024-11-20: dashboard.shadowserver.org/statistics/c… Top affected: US & India
— The Shadowserver Foundation (@shadowserver.bsky.social) November 21, 2024 at 9:45 AM
****Operation Lunar Peek – Ongoing Threat Activity****
Palo Alto Networks has named the initial exploitation of these vulnerabilities “Operation Lunar Peek.” Palo Alto Networks initially warned customers on November 8 about restricting access to their next-generation firewalls due to an unspecified remote code execution flaw.
Since then, the company has observed a notable increase in threat activity following the public release of technical insights by third-party researchers on November 19, 2024.
Unit 42, Palo Alto Networks threat intelligence team, assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which could lead to broader threat activity.
The company is currently investigating the ongoing attacks, which involve chaining these two vulnerabilities to target a limited number of device management web interfaces. The company has observed threat actors dropping malware and executing commands on compromised firewalls, indicating that a chain exploit is likely already in use.
****Recommendations for Users****
Palo Alto Networks has provided several recommendations to mitigate the risk:
- Monitor and Review: Users should monitor for any suspicious or abnormal activity on devices with a management web interface exposed to the internet. After applying the patch, it is crucial to review firewall configurations and audit logs for any signs of unauthorized administrator activity.
- Patch Immediately: Customers are advised to update their systems to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Detailed information about affected products and versions can be found in the Palo Alto Networks Security Advisories.
- Restrict Access: To reduce the risk, Palo Alto Networks recommends restricting access to the management web interface to only trusted internal IP addresses. This is in line with their recommended best practice deployment guidelines.
****Expert Insights****
Elad Luz, Head of Research at Oasis Security, emphasizes the importance of immediate action even before patching. He advises affected customers to restrict access to the web management interface, preferably allowing only internal IPs. Luz also stresses the need to ensure that devices are free from any potential malware or malicious configurations after patching.
- Palo Alto Patches 0-Day Exploited by Python Backdoor
- Authentication bypass Flaw found in NATO approved firewall
- Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
- CISA Urges Patching of Palo Alto Networks’ Expedition Tool Flaw
- Backdoor account found in 100K+ Zyxel Firewalls, VPN Gateways
Related news
About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in script. The need for authentication and admin access could limit this vulnerability’s impact, but here we […]
About Authentication Bypass – PAN-OS (CVE-2024-0012) vulnerability. An unauthenticated attacker with network access to the Palo Alto device web management interface could gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated vulnerabilities. Firewalls of the PA, VM, CN series and the Panorama management platform are vulnerable. The vendor […]
The security vendor's Expedition firewall appliance's PAN-OS interface tool has racked up four critical security vulnerabilities under active attack in November, leading tit to advise customers to update immediately or and take them off the Internet.