Over 2,000 Palo Alto Networks firewalls have been compromised in a widespread attack exploiting recently patched vulnerabilities.
The attack, which began in mid-November 2024, has raised alarm bells across the cybersecurity community and highlighted the critical importance of prompt patching and secure configuration practices.
The attackers exploited two key vulnerabilities in Palo Alto Networks’ PAN-OS software:
- CVE-2024-0012: A critical authentication bypass in the PAN-OS management web interface, rated 9.3 out of 10.0, which lets an unauthenticated attacker with network access to that interface obtain administrator privileges.
- CVE-2024-9474: A medium-severity privilege escalation vulnerability rated 6.9 out of 10.0, which lets a PAN-OS administrator execute actions as root on the underlying system.
When chained together, these vulnerabilities allow unauthenticated attackers to gain root access to affected devices, potentially compromising entire networks.
Dubbed “Operation Lunar Peek” by Palo Alto Networks’ Unit 42 research team, the attack campaign has been ongoing since mid-November. Threat actors have been observed dropping malware and executing commands on compromised firewalls, indicating that a working exploit chain is likely in circulation.
The Shadowserver Foundation, a non-profit that scans for and reports exposed and compromised systems, reported tracking over 2,700 vulnerable PAN-OS devices, with approximately 2,000 confirmed as compromised.
However, Palo Alto Networks has suggested that the actual number of affected devices may be lower, stating that less than half a percent of their deployed firewalls have internet-exposed management interfaces.
The vulnerabilities affect various Palo Alto Networks products running PAN-OS, including:
- Next-generation firewalls
- Panorama appliances (firewall management)
- WildFire appliances (sandbox systems for file analysis)
Palo Alto Networks has issued patches for both vulnerabilities and strongly advises customers to secure their firewalls’ management interfaces: the management web interface should not be reachable from the internet, and access should be restricted to trusted internal IP addresses (for example, a dedicated management VLAN or jump host).
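The practical check that follows from this advice is whether the management interface's permitted source list is actually restricted. The script below is an added example written for this page, not Palo Alto Networks code: it reads the `set deviceconfig system permitted-ip ...` lines from a PAN-OS configuration exported in set format and flags entries that are missing (PAN-OS accepts management connections from any address when no permitted-ip entries are configured), allow the whole address space, or fall outside RFC 1918 / IPv6 ULA space. The set-format lines in `SAMPLE_CONFIG` are constructed for the example; the notion that only RFC 1918 / ULA ranges count as "internal" is an assumption of this check and should be adjusted to your own management network.

```python
import ipaddress

# Address ranges this example treats as "trusted internal" (assumption:
# adjust to the management VLAN / jump-host ranges you actually use).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample of a PAN-OS set-format config export (not a real device).
SAMPLE_CONFIG = """\
set deviceconfig system hostname edge-fw-01
set deviceconfig system permitted-ip 10.1.1.0/24
set deviceconfig system permitted-ip 203.0.113.5
set deviceconfig system service disable-telnet yes
"""

PREFIX = "set deviceconfig system permitted-ip "


def parse_permitted_ips(config_text):
    """Return the permitted-ip entries found in a set-format PAN-OS config."""
    entries = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            entries.append(line[len(PREFIX):].strip())
    return entries


def audit_permitted_ips(permitted):
    """Return a list of human-readable findings; an empty list means the
    management interface is limited to the internal ranges above."""
    findings = []
    if not permitted:
        # No permitted-ip entries: PAN-OS allows management access from any source.
        findings.append("permitted-ip is empty: management interface accepts any source")
        return findings
    for entry in permitted:
        net = ipaddress.ip_network(entry, strict=False)  # host entries become /32 or /128
        if net.prefixlen == 0:
            findings.append(f"{entry}: allows the whole address space")
            continue
        same_family = [i for i in INTERNAL_NETS if i.version == net.version]
        if not any(net.subnet_of(i) for i in same_family):
            findings.append(f"{entry}: not within an RFC 1918 / ULA range")
    return findings


if __name__ == "__main__":
    for finding in audit_permitted_ips(parse_permitted_ips(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against `SAMPLE_CONFIG` this reports only the public `203.0.113.5` entry; run against a config with no permitted-ip lines it reports the open-to-any condition that Operation Lunar Peek relied on. Pair it with the vendor's own guidance to block the management web interface at the perimeter, since permitted-ip only restricts sources that reach the interface.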
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch their firewalls by December 9, 2024.
This incident underscores the critical nature of network security devices and the potential for widespread impact when such devices are compromised: a firewall that sits at the network edge and has been rooted gives an attacker a foothold from which traffic can be inspected, redirected or allowed through. It also highlights the ongoing challenge of securing internet-exposed management interfaces, which continue to be attractive targets for attackers.
As the situation develops, cybersecurity experts urge organizations to remain vigilant, implement recommended security measures, and ensure their Palo Alto Networks devices are promptly updated to the latest patched versions.