
Researchers from Shadowserver have revealed that approximately 2,000 Palo Alto Networks firewalls have been compromised by leveraging recently discovered zero-day bugs, namely CVE-2024-0012 and CVE-2024-9474.
This initial exploitation of the vulnerabilities has been named “Operation Lunar Peek.” Palo Alto Networks initially warned customers on November 8 to restrict access to their next-generation firewalls because of an unspecified remote code execution flaw.
Palo Alto Networks has observed a notable increase in threat activity following the public release of technical details by third-party researchers on November 19, 2024.
Unit 42, Palo Alto Networks' threat intelligence team, assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which could lead to broader threat activity.
The ongoing attacks are still under investigation and involve chaining these two vulnerabilities to target a limited number of device management web interfaces. Threat actors have been observed dropping malware and executing commands on compromised firewalls, indicating that an exploit chain is likely already in use.
Organizations are advised to refer to the security advisories for remediation guidance.
Indicators of Compromise
- 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668