As many as 2,000 Palo Alto Networks devices are estimated to have been compromised as part of a campaign exploiting recently disclosed security flaws that have been widely exploited in the wild.
According to statistics shared by the Shadowserver Foundation, the majority of infections were reported in the US (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the United Kingdom (39), Peru (36) and South Africa (35).
Earlier this week, Censys revealed that it had identified 13,324 exposed next-generation firewall (NGFW) management interfaces, 34% of which are located in the US. It is important to note, however, that not all of these exposed hosts are necessarily vulnerable.
The flaws in question, CVE-2024-0012 (CVSS score: 9.3) and CVE-2024-9474 (CVSS score: 6.9), are a combination of an authentication bypass and a privilege escalation that could allow an attacker to perform malicious actions, including modifying configurations and executing arbitrary code.
Palo Alto Networks, which is tracking the initial exploitation of the flaws under the name Operation Lunar Peek, said they are being weaponized to execute commands and drop malware, such as PHP-based web shells, onto compromised firewalls.
The network security vendor also warned that attacks targeting the flaws could increase once an exploit chaining them emerges.
To that end, it said it "estimates with moderate to high confidence that the functional exploit associated with CVE-2024-0012 and CVE-2024-9474 is in the public domain, which would allow broader threat action."
It further noted that both manual and automated scanning activity has been observed, and urged users to apply the latest patches as soon as possible and to secure access to the management interface in line with its recommended deployment guidelines.
In particular, this means restricting access to the management interface to trusted internal IP addresses only, so that it is not reachable from the Internet.