Vulnerabilities

Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012

Clock Icon 4 min read
Related Products

Executive Summary

Palo Alto Networks and Unit 42 are engaged in tracking a limited set of exploitation activity related to CVE-2024-0012 and are working with external researchers, partners, and customers to share information transparently and rapidly.

Fixes for CVE-2024-0012 are available. Please refer to the Palo Alto Networks Security Advisory for additional details.

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

Risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.

Palo Alto Networks has actively monitored and worked with customers to identify and further minimize the very small number of PAN-OS devices with management web interfaces exposed to the Internet or other untrusted networks.

CVE-2024-0012 is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Palo Alto Networks has identified threat activity potentially exploiting this vulnerability against a limited number of management web interfaces. The Current Scope of the Attack section includes more information about the observed activity. Relevant indicators and surrounding context are available in the Indicators of Compromise section.

We are tracking the initial exploitation of this vulnerability under the name Operation Lunar Peek.

If you haven’t already, Palo Alto Networks also strongly recommends that customers secure access to your management interface according to our recommended best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the Internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.

Please refer to the Palo Alto Networks Security Advisory for up-to-date information about affected products and versions, as well as more guidance about remediating CVE-2024-0012.

For assistance related to a potential compromise, please reach out to Palo Alto Networks support. Unit 42 retainer customers can reach out to Unit 42 directly.

Vulnerabilities Discussed CVE-2024-0012, CVE-2024-9474

Details of the Vulnerability

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

Risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.

CVE-2024-0012 is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Current Scope of the Attack

Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces. This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.

Palo Alto Networks is still actively investigating and remediating this activity. Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.

A list of IPs and surrounding context are available in Indicators of Compromise.

Remediation Guidance

Palo Alto Networks recommends that customers update to receive the latest patches that fix CVE-2024-0012. Please refer to the Palo Alto Networks Security Advisory for up-to-date information about affected products and versions.

If you haven’t already, Palo Alto Networks also strongly recommends that customers secure access to your management interface according to our recommended best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the Internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.

Conclusion

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Palo Alto Networks customers are protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections for CVE-2024-0012

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

For assistance related to a potential compromise, please reach out to Palo Alto Networks support. Unit 42 retainer customers can reach out to the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Indicators of Compromise

Command and Control Infrastructure

Threat Actor IP Context
91.208.197[.]167 Threat actor IPs identified attempting to scan and/or connect to management web interfaces in order to exploit CVE-2024-0012 

Many of these IPs have been known to proxy / tunnel traffic for anonymous VPN services, which may include legitimate user activity originating from these IPs to other destinations

136.144.17[.]146
136.144.17[.]149
136.144.17[.]154
136.144.17[.]161
136.144.17[.]164
136.144.17[.]166
136.144.17[.]167
136.144.17[.]170
136.144.17[.]176
136.144.17[.]177
136.144.17[.]178
136.144.17[.]180
173.239.218[.]251
209.200.246[.]173
209.200.246[.]184
216.73.162[.]69
216.73.162[.]71
216.73.162[.]73
216.73.162[.]74

Post-Exploitation Payloads

SHA256 Context
3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668 PHP webshell payload dropped on a compromised firewall

Unit 42 will update these values as additional information is available and sharable.

Additional Resources

Enlarged Image