More than 2,000 Palo Alto Networks PAN-OS firewalls have been targeted following the disclosure and patching of two security vulnerabilities earlier this month—one of which is classified as critical. This was reported by the Shadowserver Foundation on 20 November.
Warnings Unheeded
Palo Alto Networks and its threat intelligence team, Unit 42, issued a security advisory regarding the active exploitation of the vulnerabilities, calling them a significant threat, as attackers could leverage them to compromise administrative privileges and deploy malicious payloads.
CVE-2024-0012, an authentication bypass flaw, allows an unauthenticated attacker with network access to the management interface to gain administrative control over PAN-OS devices. Once exploited, this vulnerability can be chained with CVE-2024-9474, a privilege escalation issue, enabling attackers to execute unauthorized administrative actions, tamper with configurations, and deploy malicious software.
Palo Alto Networks stressed that securing access to the management interface—restricting it to trusted internal IP addresses—is a critical mitigation step. Fixes for both vulnerabilities are available, and the company urged customers to apply these patches immediately.
Operation “Lunar Peek” and Active Exploitation
The exploitation campaign, dubbed “Operation Lunar Peek,” was initially detected targeting a small number of PAN-OS management web interfaces exposed to untrusted networks. Activity intensified after 19 November, when third-party researchers published technical insights and proof-of-concept artifacts, enabling broader threat activity.
Unit 42 has observed malicious actors employing both manual and automated techniques to exploit the vulnerabilities. Post-compromise activities include the deployment of web shells, interactive command execution, and the installation of malware such as crypto miners and open-source command-and-control (C2) tools.
Indicators of compromise (IOCs) identified by Unit 42 include obfuscated web shell payloads and the use of specific user-agent strings during exploitation attempts. A comprehensive list of IOCs is available on the Unit 42 Timely Threat Intel GitHub repository.
Mitigation and Customer Guidance
To mitigate risk, Palo Alto Networks recommends:
- Applying Security Patches: Update PAN-OS to the latest version to address CVE-2024-0012 and CVE-2024-9474.
- Securing Management Interfaces: Restrict access to trusted internal IP addresses, aligning with the company’s best practice deployment guidelines.
- Monitoring for Suspicious Activity: Investigate abnormal behavior on devices with exposed management interfaces.
Unit 42 also advises entities to remain vigilant for any post-compromise activity and to review network configurations to limit exposure.
Palo Alto Networks has shared its findings with members of the Cyber Threat Alliance (CTA), enabling rapid deployment of protective measures across the cybersecurity ecosystem. The company says it will continue to work with external researchers, partners, and customers to monitor and mitigate the evolving threat landscape.
What the Industry is Saying
Elad Luz, Head of Research at Oasis Security, says even before patching, affected customers should immediately restrict access to the web management interface, preferably allowing only internal IPs.
“The numbers reported by Shadowserver are very concerning, indicating that 7% of customers were compromised. With such a high ratio, it is essential not only to patch, but also to ensure that the device is free from any potential malware that may have been dropped or malicious configurations that may have been applied. We strongly recommend that users review their firewall configurations after applying the patch to ensure nothing has been altered.”
Finally, Luz says users should check their audit logs for administrator activity to determine if a threat actor used the web interface for any malicious actions.
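The mitigation list above and Luz's advice both come down to two checks: was the management interface reachable from outside the trusted ranges, and what did administrator sessions from such sources do. The following added example (not code from the article or from Palo Alto Networks) screens a constructed, simplified admin-activity log against an allowlist; the log line format and the 10.0.0.0/8 trusted range are assumptions for illustration, not the real PAN-OS log format.

```python
import ipaddress
import re

# Constructed, simplified admin-activity log lines (NOT the real PAN-OS log format);
# each line records who touched the management interface, from where, and what they did.
SAMPLE_LOG = """\
2024-11-20T08:02:11 user=admin src=10.0.5.20 action=login result=success
2024-11-20T08:10:44 user=admin src=10.0.5.20 action=config-commit result=success
2024-11-20T13:37:02 user=admin src=203.0.113.45 action=login result=success
2024-11-20T13:38:19 user=admin src=203.0.113.45 action=config-commit result=success
2024-11-20T14:01:55 user=svc-backup src=198.51.100.7 action=login result=failure
2024-11-21T09:15:30 user=netops src=10.0.5.31 action=login result=success
"""

# Assumed trusted management networks; replace with your own allowlist.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_trusted(src, networks):
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)

def find_untrusted_admin_activity(log_text, networks=TRUSTED_NETWORKS):
    """Return every event that reached the management interface from outside the
    allowlist. Successful logins and config commits from such sources are rated
    high, since those are the actions a post-compromise review must examine first."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or is_trusted(ev["src"], networks):
            continue
        high = ev["result"] == "success" and ev["action"] in ("login", "config-commit")
        ev["severity"] = "high" if high else "low"
        findings.append(ev)
    return findings

if __name__ == "__main__":
    for f in find_untrusted_admin_activity(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity'].upper():4} {f['user']}@{f['src']} "
              f"{f['action']} ({f['result']})")
```

On the constructed sample this flags the two successful admin actions from 203.0.113.45 as high and the failed login from 198.51.100.7 as low; the high entries are the sessions whose configuration changes should be diffed against the last known good config.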
Assessing the Potential Damage
“Beyond patching, security teams must prioritize assessing the potential damage from compromised firewalls,” adds Patrick Tiquet, Vice President of Security & Architecture at Keeper Security. “This includes checking for unauthorized access, scanning for malware, and reviewing configurations to ensure no additional vulnerabilities were introduced during the attack.”
Organizations should also adopt a proactive approach to managing their attack surface, such as restricting access to management interfaces, implementing strong authentication and leveraging Privileged Access Management (PAM) solutions to protect administrative controls. “While patching is critical, ongoing vigilance and layered defenses are equally essential to minimize risks from similar threats in the future,” Tiquet explains.
Points to Consider
Mayuresh Dani, Manager of Security Research at Qualys Threat Research Unit, says security teams should consider several points while approaching these CVEs. “Definitively patching all vulnerable PAN-OS devices is the first step. They should secure access to the management interface by restricting access only to trusted IP addresses, reducing the attack surface. Sift through their installations and make sure none of the IOCs exist on their system. If any of these exist, they should follow their organizational IR steps to remediate these devices.”
Teams should go through their installations, verifying that they have not been altered in any way and undoing those changes, Dani adds. “If this cannot be done, the last known good configuration update should be restored and verified to be working properly. Any virtual PAN-OS versions should be strictly checked for jump-to-host exploit conditions and upgraded or decommissioned accordingly.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.