2,000 Palo Alto Firewalls Compromised via New Vulnerabilities

November 21, 2024 at 11:20AM

Internet-exposure scans show a sharp drop in the number of Palo Alto Networks firewall management interfaces reachable from the internet, yet around 2,000 devices remain compromised through two PAN-OS vulnerabilities, CVE-2024-0012 and CVE-2024-9474. Patches were released in mid-November after exploitation in the wild was confirmed; the compromised devices are located mostly in the U.S. and India. The core mitigation is to restrict access to the management interface to trusted internal IP addresses.

**Meeting Takeaways:**

1. **Current Threat Landscape:**
– Shadowserver Foundation scan data shows a significant decrease in internet-exposed Palo Alto Networks firewall management interfaces, from roughly 11,000 on November 10 to approximately 2,700 by November 20. Of those, Shadowserver counts around 2,000 devices as compromised, mostly located in the United States and India.

2. **Vulnerabilities Identified:**
– **CVE-2024-0012**: A critical authentication bypass in the PAN-OS management web interface. An unauthenticated attacker with network access to that interface can obtain administrator privileges without credentials.
– **CVE-2024-9474**: A medium-severity privilege escalation in the same interface that lets an attacker who already holds administrator access run actions as root on the firewall. The two are chained in observed attacks: the bypass supplies the administrator session, the escalation turns it into root on the device.

3. **Exploitation Timeline:**
– Palo Alto Networks first warned of a potential PAN-OS zero-day in early November, confirmed in-the-wild exploitation by November 15, and released fixed PAN-OS versions on November 18. Any device whose management interface was internet-reachable during that window should be treated as potentially compromised, not merely unpatched.

4. **Affected Products:**
– The vulnerabilities affect PAN-OS 11.2, 11.1, 11.0, 10.2, and 10.1 on PA-Series, VM-Series and CN-Series firewalls and on Panorama (virtual and M-Series) appliances. Cloud NGFW and Prisma Access are not affected, per the vendor advisory.

5. **Recommended Security Measures:**
– Limit access to the firewall's management interface to trusted internal IP addresses and do not expose it to the internet; on PAN-OS this is the permitted-IP list on the MGT interface (or the interface management profile, if management is enabled on a dataplane interface). Apply the November 18 fixes, then review devices that were previously exposed against the vendor's published indicators of compromise rather than assuming the patch alone cleaned them up.

6. **Attack Activity:**
– Arctic Wolf has reported attacks against customer environments starting November 19. After successful exploitation, attackers attempted to transfer tooling onto the devices and to exfiltrate firewall configuration files, which typically contain credentials, VPN settings and network layout.

7. **Response from Palo Alto Networks:**
– Palo Alto Networks is monitoring the situation under “Operation Lunar Peek” and has shared indicators of compromise (IoCs) to help organizations detect potential attacks. No information about the attackers has been disclosed yet.

8. **Public Disclosure and Concerns:**
– Technical details and proof-of-concept (PoC) code have been published by watchTowr Labs, which Arctic Wolf warns is likely to drive a further increase in attacks.

9. **Media Outreach:**
– Efforts have been made to contact Palo Alto Networks for comments on the Shadowserver data, but no response has been received at this time.
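The recommendation in item 5 is easy to state and easy to get wrong in practice, because a management interface that is "internal" on paper is often still reachable from somewhere it should not be. The script below is an added example (not Palo Alto Networks' code and not part of the original article) that shows the check a practitioner would run on the management interface's web access logs: every request is compared against a trusted-network allowlist, anything from outside it is flagged, and requests that read or export the running configuration from an untrusted source are escalated separately, since that is the exfiltration behaviour Arctic Wolf reported. The trusted ranges, the log format, and every log line are assumptions constructed for the example; the two API paths are standard PAN-OS XML API calls, but the real log layout on a given appliance may differ, so `parse_line()` is the piece to adapt.

```python
"""Triage PAN-OS management-interface access against a trusted-IP allowlist.

Added example: not vendor code. Flags management-plane requests whose
source IP is outside the trusted internal networks, and escalates
configuration reads/exports from such sources.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed trusted management networks for this example; replace with the
# ranges actually permitted on the MGT interface.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Constructed combined-format access log lines (not real traffic).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for arbitrary internet sources.
SAMPLE_LOG = """\
192.168.50.10 - - [19/Nov/2024:08:01:02 +0000] "GET /php/login.php HTTP/1.1" 200 5120
203.0.113.7 - - [19/Nov/2024:08:05:44 +0000] "GET /php/login.php HTTP/1.1" 200 5120
203.0.113.7 - - [19/Nov/2024:08:05:45 +0000] "POST /api/?type=keygen HTTP/1.1" 200 412
10.20.30.40 - - [19/Nov/2024:08:10:00 +0000] "POST /api/?type=config&action=show HTTP/1.1" 200 98211
198.51.100.22 - - [19/Nov/2024:08:12:13 +0000] "GET /api/?type=export&category=configuration HTTP/1.1" 200 88102
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Query-string fragments that indicate the running configuration is being
# read or exported through the XML API.
CONFIG_MARKERS = ("type=export", "type=config", "category=configuration")


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed access log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True when the source address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: never treat as trusted
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text):
    """Return one Finding per request that came from outside the allowlist."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or is_trusted(rec["ip"]):
            continue
        # Any management-plane hit from an untrusted source violates the policy.
        reason = "mgmt-access-from-untrusted-source"
        # A successful config read/export from such a source is the
        # exfiltration pattern reported after exploitation; rank it higher.
        if rec["status"] == 200 and any(k in rec["path"] for k in CONFIG_MARKERS):
            reason = "config-read-from-untrusted-source"
        findings.append(Finding(rec["ip"], rec["ts"], rec["method"], rec["path"], reason))
    return findings


def exposed_sources(findings):
    """Distinct untrusted source addresses, for blocking and IoC matching."""
    return sorted({f.ip for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:36} {f.ip:15} {f.method} {f.path}")
    print("untrusted sources:", ", ".join(exposed_sources(triage(SAMPLE_LOG))))
```

Run against the constructed sample, the script flags three requests from two untrusted addresses and ranks the configuration export from 198.51.100.22 above the two ordinary hits from 203.0.113.7. Any address it reports on a real device is one to block at the permitted-IP list and compare against the vendor's indicators of compromise; an empty result only means the log retention window was clean, not that the device was never exposed.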
