Palo Alto Patches Firewall Zero-Day Exploited in Operation Lunar Peek

Palo Alto Networks has released patches and CVEs for the firewall zero-days exploited in what the company calls Operation Lunar Peek.

Palo Alto Networks on Monday released patches and assigned CVE identifiers for the firewall zero-days that have been exploited in what the company is tracking as Operation Lunar Peek.

The security firm reported learning about a potential zero-day in early November — possibly after seeing a sales offer on a cybercrime forum — and confirmed in-the-wild exploitation of a new vulnerability on November 15. 

On Monday, the cybersecurity giant informed customers that two PAN-OS vulnerabilities have been exploited in these attacks, which targeted “a limited number of management web interfaces that are exposed to internet traffic coming from outside the network”.

One of the zero-days is CVE-2024-0012, a critical authentication bypass flaw that allows an unauthenticated attacker who has access to the PAN-OS management interface to gain admin privileges.

An attacker can “perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474”.

CVE-2024-9474 is the second zero-day apparently spotted in the same attacks. This security hole has been described as a medium-severity privilege escalation issue that allows an attacker who has admin permissions to gain root privileges on the firewall.

The vulnerabilities have been patched with the release of updates for PAN-OS 11.2, 11.1, 11.0, 10.2 and 10.1. Ensuring that the firewall’s management interface is only accessible from trusted internal IP addresses significantly lowers the risk of exploitation. 
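The mitigation above, restricting who can reach the management interface, is easy to state and easy to get wrong in practice (an allow list that quietly contains 0.0.0.0/0, a public range added for a contractor, or no list at all). The following is an added example, not code from the article or from Palo Alto Networks: a small audit of a management-interface allow list given as plain CIDR strings. The list format, the sample entries and the choice of RFC 1918 plus IPv6 ULA as "trusted internal" space are all assumptions for the example, not PAN-OS syntax or defaults.

```python
"""Audit a firewall management-interface allow list (added example, not the
article's or vendor's code). Entries are plain CIDR strings, a constructed
format chosen for the example rather than PAN-OS configuration syntax."""
import ipaddress
from typing import Iterable

# Assumption: these ranges are what this organisation treats as trusted
# internal space (RFC 1918 plus IPv6 unique local addresses). In a real audit,
# narrow this to the actual management VLAN or jump-host range.
TRUSTED_INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample allow list: one good /24, one good host, a catch-all,
# a public documentation range (203.0.113.0/24) and a typo.
SAMPLE_ALLOW_LIST = [
    "10.20.30.0/24",
    "192.168.100.5/32",
    "0.0.0.0/0",
    "203.0.113.0/24",
    "not-an-ip",
]


def classify_entry(cidr: str) -> str:
    """Classify one entry as 'trusted', 'any', 'public' or 'invalid'."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return "invalid"
    if net.prefixlen == 0:
        # 0.0.0.0/0 or ::/0 means the interface is reachable from anywhere,
        # which is exactly the exposure the advisory warns about.
        return "any"
    same_family = (t for t in TRUSTED_INTERNAL if t.version == net.version)
    if any(net.subnet_of(t) for t in same_family):
        return "trusted"
    return "public"


def audit_allow_list(entries: Iterable[str]) -> dict:
    """Return per-entry verdicts plus a single pass/fail for the whole list."""
    entries = list(entries)
    findings = [(e, classify_entry(e)) for e in entries]
    # Assumption: an empty allow list is treated as "no restriction", the
    # worst case for a management port facing the internet. Fail closed.
    restricted = bool(entries) and all(v == "trusted" for _, v in findings)
    return {"findings": findings, "restricted": restricted}


if __name__ == "__main__":
    report = audit_allow_list(SAMPLE_ALLOW_LIST)
    for entry, verdict in report["findings"]:
        flag = "OK " if verdict == "trusted" else "!! "
        print(f"{flag}{entry:<20} {verdict}")
    print("management interface restricted to trusted ranges:",
          report["restricted"])
```

The function fails closed on an empty list and on any entry it cannot parse, so a single bad line makes the whole list fail; that is the behaviour you want in a pre-change check or a periodic compliance job, where a false "pass" costs more than a false alarm.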

The Shadowserver Foundation on Monday reported seeing over 6,600 IPs associated with internet-exposed PAN-OS interfaces, down from 11,000 IPs one week ago. 

Palo Alto is tracking the activity as Operation Lunar Peek, but it has not shared any information on the threat actor behind the attacks. It has, however, shared indicators of compromise (IoCs), including IP addresses and a hash associated with a PHP webshell payload dropped on hacked firewalls.

“This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” the cybersecurity firm noted.

The cybersecurity agency CISA has added CVE-2024-0012 and CVE-2024-9474 to its Known Exploited Vulnerabilities (KEV) catalog, urging government organizations to address the flaws by December 9.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
