German CERT Warns ‘Attacks are Happening,’ Urges PAN-OS Chained Vulnerabilities’ Patching

Summary:

The German CERT has issued a critical warning regarding the exploitation of two vulnerabilities in Palo Alto Networks’ PAN-OS, urging immediate patching to prevent unauthorized access and command execution. These vulnerabilities, CVE-2024-0012 and CVE-2024-9474, pose significant risks to organizations worldwide. The urgency for remediation is heightened as active attacks are already underway.
#PaloAlto #VulnerabilityAlert #OperationLunarPeek

Keypoints:

  • German CERT warns of active exploitation of vulnerabilities in PAN-OS.
  • CVE-2024-0012 allows unauthenticated access to management interfaces.
  • CVE-2024-9474 enables privilege escalation for authenticated users.
  • Both vulnerabilities can be chained for remote command execution.
  • Palo Alto Networks has released patches for affected versions.
  • Organizations are urged to secure management interfaces and monitor for suspicious activity.
  • Active exploitation observed under the banner “Operation Lunar Peek.”
  • Detection rules for webshells and abnormal activities are recommended.

MITRE Techniques:

  • Exploitation for Client Execution (T1203): Exploits vulnerabilities in software to execute arbitrary code.
  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Privilege Escalation (T1068): Exploits vulnerabilities to gain elevated access to resources.
  • Remote File Copy (T1105): Transfers files from a remote location to a compromised system.

IoC:

  • [IP Address] 41.215.28[.]241
  • [IP Address] 45.32.110[.]123
  • [IP Address] 103.112.106[.]17
  • [IP Address] 104.28.240[.]123
  • [IP Address] 182.78.17[.]137
  • [IP Address] 216.73.160[.]186
  • [IP Address] 91.208.197[.]167
  • [IP Address] 104.28.208[.]123
  • [IP Address] 136.144.17[.]146
  • [IP Address] 136.144.17[.]149
  • [IP Address] 136.144.17[.]154
  • [IP Address] 136.144.17[.]158
  • [IP Address] 136.144.17[.]161
  • [IP Address] 136.144.17[.]164
  • [IP Address] 136.144.17[.]166
  • [IP Address] 136.144.17[.]167
  • [IP Address] 136.144.17[.]170
  • [IP Address] 136.144.17[.]176
  • [IP Address] 136.144.17[.]177
  • [IP Address] 136.144.17[.]178
  • [IP Address] 136.144.17[.]180
  • [IP Address] 173.239.218[.]248
  • [IP Address] 173.239.218[.]251
  • [IP Address] 209.200.246[.]173
  • [IP Address] 209.200.246[.]184
  • [IP Address] 216.73.162[.]69
  • [IP Address] 216.73.162[.]71
  • [IP Address] 216.73.162[.]73
  • [IP Address] 216.73.162[.]74
  • [File Hash] 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
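
The keypoints above recommend monitoring management interfaces for suspicious activity, and the IoC list gives the indicators to monitor for. The following script is an added example (not code from the Cyble write-up or from Palo Alto Networks) showing how a defender would turn that list into a simple triage check: it refangs the `[.]`-defanged addresses, flags management-plane access from a listed IP, flags management access from any source outside an admin allowlist, and compares observed file hashes against the listed SHA-256. The log format (`ts src= dst_port= path= status=`), the sample log lines, the observed-file table and the `10.10.0.0/16` admin network are constructed assumptions for the example, not PAN-OS's real log schema or any real environment.

```python
import ipaddress
import re

# IoC IP addresses exactly as listed (defanged) in the IoC section above.
DEFANGED_IOC_IPS = [
    "41.215.28[.]241", "45.32.110[.]123", "103.112.106[.]17", "104.28.240[.]123",
    "182.78.17[.]137", "216.73.160[.]186", "91.208.197[.]167", "104.28.208[.]123",
    "136.144.17[.]146", "136.144.17[.]149", "136.144.17[.]154", "136.144.17[.]158",
    "136.144.17[.]161", "136.144.17[.]164", "136.144.17[.]166", "136.144.17[.]167",
    "136.144.17[.]170", "136.144.17[.]176", "136.144.17[.]177", "136.144.17[.]178",
    "136.144.17[.]180", "173.239.218[.]248", "173.239.218[.]251", "209.200.246[.]173",
    "209.200.246[.]184", "216.73.162[.]69", "216.73.162[.]71", "216.73.162[.]73",
    "216.73.162[.]74",
]

# File hash (SHA-256) as listed in the IoC section above; compared case-insensitively.
IOC_SHA256 = {"3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668".lower()}

# Assumption for the example: the management interface should only be reached
# from this internal admin network. Hypothetical value; substitute your own.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/16")]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://...') back into a usable value."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


# Parsed once; ip_address() also validates that every indicator is a real address.
IOC_IPS = frozenset(ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IOC_IPS)

# Simplified key=value access-log format assumed for this example only.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_port=(?P<port>\d+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) a management-plane access log line
    deserves analyst attention."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsed"]  # never silently drop lines you cannot parse
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return ["bad_src"]
    reasons = []
    if src in IOC_IPS:
        reasons.append("ioc_ip_match")
    if not any(src in net for net in MGMT_ALLOWLIST):
        reasons.append("mgmt_access_from_unapproved_source")
    return reasons


def scan_logs(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return only the lines that raised at least one reason, with their reasons."""
    flagged = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


def match_hashes(observed: dict[str, str]) -> list[str]:
    """Given {path: sha256} for files found on a device, return paths whose
    hash matches a listed IoC."""
    return sorted(path for path, digest in observed.items() if digest.lower() in IOC_SHA256)


# Constructed sample input (not real telemetry).
SAMPLE_LOGS = [
    "2024-11-19T08:01:12Z src=10.10.4.7 dst_port=443 path=/ status=200",       # admin, allowlisted net
    "2024-11-19T08:03:40Z src=136.144.17.170 dst_port=443 path=/ status=200",  # listed IoC, external
    "2024-11-19T08:05:02Z src=198.51.100.23 dst_port=443 path=/ status=403",   # external, not listed
    "this line is not in the expected format",
]

# Constructed sample file inventory; the second digest is SHA-256 of an empty file.
OBSERVED_FILES = {
    "/tmp/constructed_suspicious_file": "3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668",
    "/tmp/constructed_clean_file": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

if __name__ == "__main__":
    for line, reasons in scan_logs(SAMPLE_LOGS):
        print(", ".join(reasons), "<-", line)
    print("hash matches:", match_hashes(OBSERVED_FILES))
```

An IP match is a strong lead but the allowlist check is the more durable control: the keypoints stress restricting the management interface to trusted internal sources, and any management-plane request from outside that allowlist warrants attention regardless of whether the source is on a published indicator list.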


  • Full Research: https://cyble.com/blog/german-cert-warns-attacks-are-happening/