A significant security incident has emerged affecting Palo Alto Networks devices, with approximately 2,000 systems reportedly compromised. The breach exploits two recently discovered vulnerabilities:
Key Vulnerability Details:
– CVE-2024-0012 (CVSS: 9.3) and CVE-2024-9474 (CVSS: 6.9)
– Allows authentication bypass and privilege escalation
– Enables malicious configuration changes and code execution
Geographic Impact:
– Primary affected regions:
* USA (554 cases)
* India (461 cases)
* Thailand (80 cases)
* Other affected countries include Mexico, Indonesia, Turkey, UK, Peru, and South Africa
Current Situation:
– Operation Lunar Peek identified as the initial exploitation campaign
– Attackers deploying web shells, Sliver malware, and cryptocurrency miners
– Exploitation attempts increased after a PoC was released on November 19, 2024
Mitigation Steps:
1. Apply latest security patches immediately
2. Restrict management interface access to trusted internal IPs
3. Remove external internet access to management interfaces
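One way to check steps 2 and 3 against an exported firewall configuration, as an added example that is not from the original article or from Palo Alto Networks: it parses management-interface allowlist entries and flags any that are wildcards or fall outside trusted internal ranges. The `set deviceconfig system permitted-ip <cidr>` line format, the trusted ranges, and the sample dump are assumptions; verify the format against your own device's running configuration.

```python
import ipaddress

# Constructed sample in the style of a PAN-OS "set" format config export.
# The "set deviceconfig system permitted-ip <cidr>" line format is assumed.
SAMPLE_CONFIG = """
set deviceconfig system hostname fw-edge-01
set deviceconfig system permitted-ip 10.20.0.0/24
set deviceconfig system permitted-ip 0.0.0.0/0
set deviceconfig system permitted-ip 203.0.113.7/32
"""

# Assumed trusted internal management networks for this environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]


def parse_permitted_ips(config_text):
    """Return the permitted-ip networks found in a config dump."""
    nets = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:4] == ["set", "deviceconfig", "system", "permitted-ip"]:
            nets.append(ipaddress.ip_network(parts[4], strict=False))
    return nets


def audit_management_access(config_text, trusted=TRUSTED_NETS):
    """Return (ok, findings).

    ok is True only when at least one permitted-ip entry exists and every
    entry lies inside a trusted internal range. An empty allowlist means the
    management interface accepts connections from any source, which is the
    exposure the mitigation steps are meant to remove.
    """
    nets = parse_permitted_ips(config_text)
    findings = []
    if not nets:
        findings.append("no permitted-ip restriction: management interface open to any source")
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"{net}: wildcard entry allows any source")
        elif not any(net.subnet_of(t) for t in trusted if net.version == t.version):
            findings.append(f"{net}: outside trusted internal ranges")
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = audit_management_access(SAMPLE_CONFIG)
    print("PASS" if ok else "FAIL")
    for f in findings:
        print(" -", f)
```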
Important Update:
Palo Alto Networks clarified that actual infections are lower than reported, with less than 0.5% of their firewalls having internet-exposed interfaces. The company is actively working with affected customers to resolve the situation.
This incident underscores the importance of following security best practices and keeping network security devices at current patch levels.