A newly discovered cyberattack campaign has compromised approximately 2,000 Palo Alto Networks devices by exploiting recently disclosed security vulnerabilities. These flaws, tracked as CVE-2024-0012 (CVSS score: 9.3) and CVE-2024-9474 (CVSS score: 6.9), involve authentication bypass and privilege escalation respectively, allowing attackers to alter configurations, execute arbitrary code, and install malicious software.
Data from the Shadowserver Foundation reveals that the largest numbers of affected devices are in the U.S. (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the U.K. (39), Peru (36), and South Africa (35).
Earlier research by Censys identified 13,324 publicly exposed next-generation firewall (NGFW) management interfaces globally, with 34% located in the U.S. However, not all exposed interfaces are necessarily vulnerable to these flaws.
Palo Alto Networks has named the ongoing exploitation "Operation Lunar Peek," indicating attackers are chaining the vulnerabilities to achieve command execution. Threat actors have been observed deploying PHP-based web shells on compromised firewalls to gain persistent access and control.
The company has also warned of an impending escalation in attacks, following the public availability of exploit tools combining CVE-2024-0012 and CVE-2024-9474. This development raises the stakes for organizations relying on Palo Alto Networks devices to secure their networks.
Palo Alto Networks urges its customers to take immediate action by:
1. Applying the latest security updates to patch the vulnerabilities.
2. Restricting access to management interfaces to trusted internal IP addresses only, preventing unauthorized access via the internet.
3. Following best practice deployment guidelines to safeguard devices from future threats.
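The second recommendation above, restricting management-interface access to trusted internal addresses, is something an operator can audit across a fleet rather than check by hand. The following is an added example, not code from the article or from Palo Alto Networks: it takes a constructed inventory of firewalls (management IP plus the configured source allowlist, in a format assumed for this example rather than any vendor export) and flags interfaces on publicly routable addresses, missing allowlists, catch-all entries, and allowlist ranges that are not internal. The public addresses in the sample are placeholders chosen only because they are globally routable.

```python
"""Audit firewall management-interface exposure against an internal-only policy.

Added example, not from the article or from Palo Alto Networks. The inventory
format is assumed for this example; a real deployment would build it from its
own configuration exports or asset database.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample inventory: one firewall per entry. 11.22.x.x values are
# placeholder public addresses, not real hosts.
SAMPLE_INVENTORY = [
    {"name": "fw-dc1", "mgmt_ip": "10.20.0.5", "permitted": ["10.0.0.0/8"]},
    {"name": "fw-edge", "mgmt_ip": "11.22.33.44", "permitted": ["0.0.0.0/0"]},
    {"name": "fw-branch", "mgmt_ip": "192.168.50.1", "permitted": []},
    {"name": "fw-lab", "mgmt_ip": "172.16.3.9",
     "permitted": ["172.16.0.0/12", "11.22.0.0/16"]},
]


@dataclass
class Finding:
    device: str
    severity: str   # "high" or "medium"
    reason: str


def audit_device(dev: dict) -> List[Finding]:
    """Return the exposure findings for one firewall entry."""
    findings = []
    name = dev["name"]

    # A management interface bound to a globally routable address is reachable
    # from the internet unless something upstream blocks it.
    mgmt = ipaddress.ip_address(dev["mgmt_ip"])
    if mgmt.is_global:
        findings.append(Finding(name, "high",
                                f"management IP {mgmt} is publicly routable"))

    permitted = [ipaddress.ip_network(p, strict=False) for p in dev["permitted"]]
    if not permitted:
        findings.append(Finding(name, "high",
                                "no source allowlist configured; any host that "
                                "can reach the interface may connect"))

    for net in permitted:
        if net.prefixlen == 0:
            # 0.0.0.0/0 (or ::/0) is an allowlist in name only.
            findings.append(Finding(name, "high",
                                    f"allowlist entry {net} permits every source"))
        elif net.is_global:
            # Public ranges are not "trusted internal" addresses.
            findings.append(Finding(name, "medium",
                                    f"allowlist entry {net} is a public range"))
    return findings


def audit_inventory(inventory: List[dict]) -> List[Finding]:
    """Audit every device and return all findings, highest severity first."""
    findings = [f for dev in inventory for f in audit_device(dev)]
    return sorted(findings, key=lambda f: 0 if f.severity == "high" else 1)


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] {f.device}: {f.reason}")
```

Only fw-dc1 passes cleanly; the other three entries each produce at least one finding. The check is deliberately conservative about what counts as internal (it relies on the standard library's notion of non-global ranges), so an organization that legitimately manages devices from a public range it owns would extend the allowed set rather than silence the finding.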
While the Shadowserver Foundation's figures reflect exposed firewalls, Palo Alto Networks clarified that the actual number of infected devices is smaller. The company stated that less than 0.5% of its firewalls have internet-exposed interfaces, as most customers already follow best practices to secure their management interfaces.
As manual and automated scanning activities increase, the network security vendor stresses the need for vigilance. Organizations must remain proactive in securing their devices to minimize exposure and mitigate risks associated with these evolving threats.