Threat Brief: Operation Lunar Peek and CVE-2024-0012 Activity Overview

Summary:

Palo Alto Networks and Unit 42 are monitoring exploitation activities related to CVE-2024-0012, an authentication bypass vulnerability in PAN-OS. The vulnerability allows unauthenticated attackers to gain administrative access to affected systems. Recommendations include restricting access to management interfaces and applying available patches.

Key points:

  • Palo Alto Networks is tracking exploitation activities related to CVE-2024-0012.
  • The vulnerability allows unauthenticated attackers to gain administrator privileges on PAN-OS.
  • Fixes for CVE-2024-0012 are available in the Palo Alto Networks Security Advisory.
  • Risk can be mitigated by restricting access to management web interfaces to trusted internal IP addresses.
  • The vulnerability affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2.
  • Cloud NGFW and Prisma Access are not impacted by this vulnerability.
  • Threat activity has been identified targeting management web interfaces, primarily from IPs associated with anonymous VPN services.
  • Post-exploitation activities include command execution and malware deployment.
  • Palo Alto Networks recommends updating to the latest patches and securing management interfaces.
  • Unit 42 customers can reach out for assistance regarding potential compromises.
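The two mitigations above (restrict management web interface access to trusted internal IPs; patch the affected 10.2/11.0/11.1/11.2 trains) can be turned into a quick triage pass over a firewall inventory; the script below is an added example, not Palo Alto Networks or Unit 42 code. The trusted ranges, hostnames, versions and management-access source addresses are constructed for the example, and a device on an affected train is only a patch candidate until its exact version is checked against the advisory's fixed releases.

```python
import ipaddress

# PAN-OS release trains the brief lists as affected by CVE-2024-0012.
AFFECTED_TRAINS = ("10.2", "11.0", "11.1", "11.2")

# Internal ranges allowed to reach the management web interface
# (assumed values for this example).
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Constructed inventory: hostname, PAN-OS version, and the source
# addresses recently seen reaching the management web interface.
INVENTORY = [
    {"host": "fw-edge-1", "panos": "11.1.2-h3",
     "mgmt_sources": ["10.1.2.3", "203.0.113.7"]},
    {"host": "fw-dc-2", "panos": "10.2.9",
     "mgmt_sources": ["192.168.50.10"]},
    {"host": "fw-lab-3", "panos": "10.1.11",
     "mgmt_sources": ["198.51.100.20"]},
]


def release_train(version):
    """'11.1.2-h3' -> '11.1': the major.minor train the advisory keys on."""
    return ".".join(version.split(".")[:2])


def is_affected_train(version):
    return release_train(version) in AFFECTED_TRAINS


def untrusted_sources(sources):
    """Management-interface source IPs that fall outside the trusted ranges."""
    out = []
    for src in sources:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in TRUSTED_MGMT_NETS):
            out.append(src)
    return out


def assess(inventory):
    """Per device: affected train plus untrusted mgmt access is the top priority."""
    report = {}
    for dev in inventory:
        affected = is_affected_train(dev["panos"])
        exposed = untrusted_sources(dev["mgmt_sources"])
        prio = ("critical" if affected and exposed else
                "patch" if affected else
                "restrict" if exposed else "ok")
        report[dev["host"]] = {"priority": prio, "untrusted": exposed}
    return report


if __name__ == "__main__":
    for host, result in assess(INVENTORY).items():
        print(host, result)
```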

MITRE Techniques:

  • Exploitation for Client Execution (T1203): Exploits vulnerabilities in software to execute code on the target system.
  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Credential Dumping (T1003): Acquires credentials from operating systems and software.
  • Remote File Copy (T1105): Transfers files from an external system to a compromised system.
  • Web Shell (T1505): Deploys a web shell to maintain access to the compromised system.

IoC:

Full Research: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/