Cybersecurity experts have discovered that approximately 2,000 Palo Alto Networks devices have been compromised in a widespread attack campaign exploiting recently identified security vulnerabilities.
The attacks, dubbed "Operation Lunar Peek," primarily target next-generation firewall (NGFW) management interfaces exposed to the internet. According to the Shadowserver Foundation's data, the United States leads with 554 infected devices, followed by India with 461 cases. Other affected countries include Thailand, Mexico, Indonesia, Turkey, the United Kingdom, Peru, and South Africa.
Security researchers at Censys identified over 13,000 publicly exposed NGFW management interfaces globally, with 34% located in the United States. However, not all exposed devices are necessarily vulnerable to these attacks.
The campaign exploits two critical security flaws: CVE-2024-0012, rated at 9.3 severity, and CVE-2024-9474, rated at 6.9 severity. These vulnerabilities allow attackers to bypass authentication and escalate privileges, potentially enabling them to modify device configurations and execute malicious code.
Attackers are actively using these vulnerabilities to deploy malware, including PHP-based web shells, on compromised firewalls. Palo Alto Networks warns that attack frequency may increase as exploit code combining both vulnerabilities becomes more widely available.
To protect against these threats, organizations using Palo Alto Networks devices should immediately:
- Apply the latest security patches
- Restrict management interface access to trusted internal IP addresses
- Remove external internet access to management interfaces
- Follow recommended deployment guidelines
The company reports observing both manual and automated scanning activities targeting these vulnerabilities, highlighting the urgency for users to implement security measures.