Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012

Executive Summary

Palo Alto Networks and Unit 42 are engaged in tracking a limited set of exploitation activity related to CVE-2024-0012 and are working with external researchers, partners, and customers to share information transparently and rapidly.

Fixes for CVE-2024-0012 are available. Please refer to the Palo Alto Networks Security Advisory for additional details.

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

Risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.

Palo Alto Networks has actively monitored and worked with customers to identify and further minimize the very small number of PAN-OS devices with management web interfaces exposed to the Internet or other untrusted networks.

CVE-2024-0012 is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Palo Alto Networks has identified threat activity potentially exploiting this vulnerability against a limited number of management web interfaces. The Current Scope of the Attack section includes more information about the observed activity. Relevant indicators and surrounding context are available in the Indicators of Compromise section.

We are tracking the initial exploitation of this vulnerability under the name Operation Lunar Peek.

If you haven’t already, Palo Alto Networks also strongly recommends that customers secure access to your management interface according to our recommended best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the Internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.

Please refer to the Palo Alto Networks Security Advisory for up-to-date information about affected products and versions, as well as more guidance about remediating CVE-2024-0012.

For assistance related to a potential compromise, please reach out to Palo Alto Networks support. Unit 42 retainer customers can reach out to Unit 42 directly.

Details of the Vulnerability

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

Risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.

CVE-2024-0012 is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Current Scope of the Attack

Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces. This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.

Palo Alto Networks is still actively investigating and remediating this activity. Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.

A list of IPs and surrounding context are available in Indicators of Compromise.

Remediation Guidance

Palo Alto Networks recommends that customers update to receive the latest patches that fix CVE-2024-0012. Please refer to the Palo Alto Networks Security Advisory for up-to-date information about affected products and versions.

If you haven’t already, Palo Alto Networks also strongly recommends that customers secure access to your management interface according to our recommended best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the Internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.

Conclusion

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Palo Alto Networks customers are protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections for CVE-2024-0012

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

For assistance related to a potential compromise, please reach out to Palo Alto Networks support. Unit 42 retainer customers can reach out to the Unit 42 Incident Response team or call:

• North America Toll-Free: 866.486.4842 (866.4.UNIT42)
• EMEA: +31.20.299.3130
• APAC: +65.6983.8730
• Japan: +81.50.1790.0200

Indicators of Compromise

Command and Control Infrastructure

Post-Exploitation Payloads

Unit 42 will update these values as additional information is available and sharable.

Additional Resources

• CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) – Palo Alto Networks Security Advisories
• CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface – Palo Alto Networks Security Advisories