Operation Lunar Peek: More Than 2,000 Palo Alto Network Firewalls Hacked

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012 & CVE-2024-9474, enabling admin bypass and root access. Top targets: US & India.

Cybersecurity researchers at Shadowserver have revealed that approximately 2,000 Palo Alto Networks firewalls have been compromised. The breaches leverage two recently identified zero-day vulnerabilities in the company’s PAN-OS software. These vulnerabilities have been labeled as CVE-2024-0012 and CVE-2024-9474.

The Vulnerabilities

CVE-2024-0012: This vulnerability is an authentication bypass in the PAN-OS management web interface. It allows remote attackers to gain administrator privileges without authentication. This means attackers can tamper with firewall settings, making them more susceptible to further exploitation.

CVE-2024-9474: This flaw is a privilege escalation issue. Once exploited, it lets attackers execute commands with root privileges, giving them full control over the compromised firewall.

— The Shadowserver Foundation (@shadowserver.bsky.social) November 21, 2024 at 9:45 AM

Operation Lunar Peek – Ongoing Threat Activity

Palo Alto Networks has named the initial exploitation of these vulnerabilities “Operation Lunar Peek.” Palo Alto Networks initially warned customers on November 8 about restricting access to their next-generation firewalls due to an unspecified remote code execution flaw.

Since then, the company has observed a notable increase in threat activity following the public release of technical insights by third-party researchers on November 19, 2024.

Unit 42, Palo Alto Networks threat intelligence team, assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which could lead to broader threat activity.

The company is currently investigating the ongoing attacks, which involve chaining these two vulnerabilities to target a limited number of device management web interfaces. The company has observed threat actors dropping malware and executing commands on compromised firewalls, indicating that a chain exploit is likely already in use.

Recommendations for Users

Palo Alto Networks has provided several recommendations to mitigate the risk:

Monitor and Review: Users should monitor for any suspicious or abnormal activity on devices with a management web interface exposed to the internet. After applying the patch, it is crucial to review firewall configurations and audit logs for any signs of unauthorized administrator activity. Patch Immediately: Customers are advised to update their systems to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Detailed information about affected products and versions can be found in the Palo Alto Networks Security Advisories. Restrict Access: To reduce the risk, Palo Alto Networks recommends restricting access to the management web interface to only trusted internal IP addresses. This is in line with their recommended best practice deployment guidelines.

Expert Insights

Elad Luz, Head of Research at Oasis Security, emphasizes the importance of immediate action even before patching. He advises affected customers to restrict access to the web management interface, preferably allowing only internal IPs. Luz also stresses the need to ensure that devices are free from any potential malware or malicious configurations after patching.

RELATED TOPICS

Palo Alto Patches 0-Day Exploited by Python Backdoor Authentication bypass Flaw found in NATO approved firewall Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk CISA Urges Patching of Palo Alto Networks’ Expedition Tool Flaw Backdoor account found in 100K+ Zyxel Firewalls, VPN Gateways