If you haven’t already, you should immediately secure access to the management web interface of the Palo Alto Networks (PAN) firewalls. The security company repeated this advice four times in a single document, as hackers leap into action following the disclosure of vulnerabilities.
Palo Alto is observing “a notable increase in threat activity following the public release of technical insights and artifacts by third-party researchers beginning on Nov. 19th, 2024.”
Earlier this month, a zero-day was discovered affecting PAN firewalls with management interfaces exposed to the internet.
Working exploits are already publicly available, and even broader threat activity should be anticipated.
The Shadowserver Foundation, a cyber threat intelligence platform, has found at least 2,000 instances of compromised PAN devices as of November 20th. The scans also revealed at least 2,700 devices vulnerable to the recently disclosed flaws.
We have started to report Palo Alto Networks devices still vulnerable to CVE-2024-0012 in our Vulnerable HTTP reports (filtered by network/constituency of recipient): shadowserver.org/what-we-do/n... ~2700 found vulnerable on 2024-11-20: dashboard.shadowserver.org/statistics/c... Top: US & India
The Shadowserver Foundation (@shadowserver.bsky.social), November 21, 2024 at 11:17 AM
PAN said the vulnerabilities affect “a limited number” of devices.
Fixes for both flaws, tracked as CVE-2024-0012 and CVE-2024-9474, are already available. Chained together, they let attackers reach the management interface of PAN-OS devices remotely and perform actions with root privileges.
“The risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses,” PAN repeated four times in the article.
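The mitigation PAN keeps repeating is an allowlist: only trusted internal addresses should be able to reach the management web interface. The script below is an added illustration of that idea and is not Palo Alto Networks code or PAN-OS configuration syntax; the allowlist format (a plain list of CIDR strings) and the sample policies are constructed for the example. It evaluates whether a given source address would be admitted, and audits a policy for entries that reach outside RFC 1918 space or are so broad that they admit far more than a management network.

```python
"""Audit an access allowlist for a firewall management web interface.

Added example, not Palo Alto Networks code. It models the mitigation the
advisory repeats: restrict management access to trusted internal addresses.
The allowlist format (a list of IPv4 CIDR strings) is an assumption made for
illustration and is not PAN-OS configuration syntax.
"""
import ipaddress
from typing import Iterable, List

# Trusted internal address space (RFC 1918). Anything outside these ranges is
# treated as exposure to untrusted networks.
RFC1918 = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample policies: a weak one that admits any source address, and a
# hardened one limited to two small internal management networks.
WEAK_ALLOWLIST = ["0.0.0.0/0"]
HARDENED_ALLOWLIST = ["10.10.0.0/24", "192.168.50.0/24"]

# Prefixes shorter than this admit more hosts than a management network needs.
MAX_REASONABLE_PREFIX_BREADTH = 16


def is_source_allowed(src_ip: str, allowlist: Iterable[str]) -> bool:
    """Return True if src_ip falls inside any CIDR entry of the allowlist."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def audit_allowlist(allowlist: Iterable[str]) -> List[str]:
    """Return human-readable findings for entries that over-expose the interface.

    An entry is flagged when it is not wholly inside RFC 1918 space (so public
    or wildcard sources are admitted) or when its prefix is broader than
    MAX_REASONABLE_PREFIX_BREADTH. IPv6 entries are reported rather than judged,
    since the trusted ranges here are IPv4 only.
    """
    findings: List[str] = []
    for cidr in allowlist:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            findings.append(f"{cidr}: IPv6 entry not covered by this IPv4 audit")
            continue
        if not any(net.subnet_of(trusted) for trusted in RFC1918):
            findings.append(
                f"{cidr}: admits addresses outside RFC 1918 space; "
                "management access should be limited to trusted internal networks"
            )
        elif net.prefixlen < MAX_REASONABLE_PREFIX_BREADTH:
            findings.append(f"{cidr}: prefix broader than /{MAX_REASONABLE_PREFIX_BREADTH}, too wide for a management allowlist")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_ALLOWLIST), ("hardened", HARDENED_ALLOWLIST)):
        print(f"{name} policy {policy}")
        for src in ("10.10.0.5", "203.0.113.7"):  # one internal host, one public (TEST-NET-3) host
            verdict = "allow" if is_source_allowed(src, policy) else "deny"
            print(f"  request from {src}: {verdict}")
        for finding in audit_allowlist(policy) or ["no findings"]:
            print(f"  audit: {finding}")
```

Running it shows the weak policy admitting the public test address and producing an audit finding, while the hardened policy denies it and passes the audit. The same check applied to an entry such as 10.0.0.0/8 is flagged for breadth even though it is internal, which matches the advisory's wording of "only trusted internal IP addresses" rather than "any internal address".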
The malicious campaign affecting PAN firewalls is dubbed Operation Lunar Peek. Initial attacks primarily originated from a few IP addresses proxying traffic for anonymous VPN services.
Since then, the list of indicators has expanded significantly. PAN shared dozens of observed IPs and other indicators of compromise on GitHub.
Hackers, once they gain initial access, execute interactive commands and drop malware, such as web shells.
The company is actively monitoring the situation and working with customers.