Operation Lunar Peek: A New Cyber Threat Targets Vulnerable PAN-OS Systems


An emerging cyberattack campaign has been identified and dubbed “Operation Lunar Peek,” affecting Palo Alto Networks’ PAN-OS software. By exploiting two critical PAN-OS vulnerabilities, the campaign has already had a significant impact, compromising over 2,000 devices worldwide. The vulnerabilities, CVE-2024-0012 and CVE-2024-9474, enable bad actors to gain administrator access and then escalate privileges, with far-reaching implications for affected organizations. It is crucial to remediate these vulnerabilities quickly to protect against this widespread campaign.

The Vulnerabilities at the Core of the Campaign

The two zero-day PAN-OS vulnerabilities that make Operation Lunar Peek possible were both published in November 2024, and both are fixed in recent versions of the software. Initially published on November 8th, CVE-2024-0012 is an authentication bypass that enables administrative access to management interfaces. An unauthenticated user who has network access to the management web interface can exploit this vulnerability to gain administrator privileges, which allows them to carry out administrative actions and exploit further vulnerabilities.

The other vulnerability targeted in Operation Lunar Peek, CVE-2024-9474, is a privilege escalation flaw exploited in conjunction with the authentication bypass. It allows a user who already holds administrative access to perform actions on the firewall with higher privileges than the administrator role alone grants. Attackers are chaining the two vulnerabilities to exfiltrate sensitive data and deploy malware on target devices.

Data from the Shadowserver Foundation, in collaboration with the Saudi National Cybersecurity Authority, shows over 2,000 compromised devices, or around 7% of customers. These targets are spread out across the globe, but there are particularly heavy concentrations in the U.S., with over 550 affected devices, and India, with over 450.

How the Attack Works

Operation Lunar Peek is a sophisticated attack that uses multiple stages and obfuscation to avoid detection. Once the attacker can reach the management web interface, they use CVE-2024-0012 to gain administrative access and CVE-2024-9474 to escalate their privileges beyond that point. They can then carry out further stages of the attack, including interactive command execution on the target device and deployment of web shells on the firewall to establish persistent access.

While the anatomy of the attack campaign is sophisticated, all of it stems from the initial access that bad actors are able to gain. Without access to exposed management interfaces, attackers would not be able to exploit vulnerabilities to escalate their privileges and perform the next harmful steps of the campaign.

Lessons from Operation Lunar Peek

Organizations can take a few lessons away from Operation Lunar Peek. First, this campaign highlights the importance of ensuring secure configurations of all settings. Even seemingly small misconfigurations can lead to significant damage, as is the case with the misconfiguration exposing management interfaces to untrusted networks.

For organizations that rely on firewall and network security tools to protect their systems and sensitive data, Operation Lunar Peek should emphasize the necessity of secure deployment and management of these tools. While tools like firewalls can be effective in blocking certain attacks, vulnerabilities in those tools can also be leveraged by bad actors to carry out other attacks.

“The immediate danger is that attackers exploiting these vulnerabilities can gain full control over affected firewalls, compromising the very systems designed to protect sensitive networks,” says Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. “For organizations relying on these firewalls, this could mean business disruption, loss of sensitive data, and exposure to regulatory and financial consequences.”

Mitigation Measures

To mitigate the risks of this attack, organizations must apply the PAN-OS patches that Palo Alto Networks has released to fix the two vulnerabilities that make Operation Lunar Peek possible. Promptly updating software to patch major vulnerabilities ensures that attackers cannot use them to harm your organization.

It is also vital to restrict access to the management interfaces of security tools like firewalls. The interface should be reachable only from trusted internal IP addresses, which denies unauthorized external users even the initial access required to exploit the first vulnerability.
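As an added example that is not from the article or from Palo Alto Networks, the Python script below audits an exported PAN-OS configuration and flags management allow-list entries that reach outside trusted internal ranges. The `permitted-ip` XML path, the RFC 1918 trusted ranges and the sample configuration are assumptions to verify against your own device export.

```python
"""Audit a PAN-OS management-interface allow-list for exposure to untrusted networks."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample running-config fragment (not a real device export).
# The deviceconfig/system/permitted-ip path is assumed to match PAN-OS exports;
# verify it against your own "show config running" output.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <permitted-ip>
      <entry name="10.20.0.0/16"/>
      <entry name="192.168.1.10/32"/>
      <entry name="0.0.0.0/0"/>
    </permitted-ip>
  </system></deviceconfig></entry></devices>
</config>"""

# Ranges the organization treats as trusted management sources (assumed: RFC 1918).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def permitted_ips(config_xml: str) -> list[str]:
    """Return the permitted-ip entries; an empty list means no allow-list is set."""
    root = ET.fromstring(config_xml)
    return [e.get("name") for e in root.iterfind(".//deviceconfig/system/permitted-ip/entry")]


def is_trusted(raw: str) -> bool:
    """True only if the entry lies entirely inside one of the TRUSTED ranges."""
    net = ipaddress.ip_network(raw, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def audit_permitted_ips(config_xml: str) -> dict:
    """Split entries into trusted and risky; 'exposed' is the overall verdict.

    An entry is risky if it reaches outside TRUSTED (public ranges, 0.0.0.0/0).
    An empty allow-list is also reported as exposed: the assumption here is that
    PAN-OS then accepts management connections from any source address.
    """
    entries = permitted_ips(config_xml)
    trusted = [e for e in entries if is_trusted(e)]
    risky = [e for e in entries if not is_trusted(e)]
    return {"trusted": trusted, "risky": risky, "exposed": bool(risky) or not entries}


if __name__ == "__main__":
    print(audit_permitted_ips(SAMPLE_CONFIG))
```

Run it against a saved `show config running` export after every change window; any entry in `risky` means the interface is reachable from addresses the organization has not vetted.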

Organizations are also encouraged to follow best practices for securing PAN-OS systems. These include keeping the software up to date so that vulnerabilities are patched promptly, reviewing and securely configuring settings and policies, blocking unknown applications and traffic, and enabling the security functions the platform supports.

Recommendations for Organizations

To remediate the risk of potential compromise, organizations should conduct a security review of their firewall configurations to confirm that they are set securely. They should also implement continuous monitoring of devices with exposed interfaces, aiming to detect suspicious activity and risky behavior.

“Organizations should also adopt a proactive approach to managing their attack surface, such as restricting access to management interfaces, implementing strong authentication, and leveraging Privileged Access Management (PAM) solutions to protect administrative controls,” according to Tiquet. This highlights the necessity of prioritizing security as a core pillar of business operations rather than simply responding to threats when they arise.

Broader Implications for the Cybersecurity Landscape

Operation Lunar Peek is just one example demonstrating the way that bad actors are using new methods and technologies to evolve their attacks. Cybercriminals are always looking to develop more advanced tactics to outsmart their targets, evade security measures, and increase their payouts. The sophisticated anatomy of Operation Lunar Peek reflects this trend, serving as an example of the type of damage that attackers can do with advanced attacks.

This campaign also emphasizes the growing need for organizations to prioritize patch management and configuration hygiene. It highlights the fact that simple misconfigurations can have severe implications and that security tools are only as effective as their management. This speaks to the potential for similar campaigns targeting other enterprise-grade tools, as any solution could possibly have a zero-day vulnerability that leads to comparable or worse consequences.

Conclusion

Organizations looking to defend against pressing threats should use Operation Lunar Peek to push them to address a few fundamental aspects of security. The secure configuration and management of all software is just as crucial as selecting the right security tools, and organizations of all kinds should prioritize proactive security measures to remediate vulnerabilities and prevent attacks. It is essential to remain vigilant in an ever-changing threat landscape, following threat trends and reviewing security measures to ensure ongoing efficacy.

Author

PJ Bradley, Contributing Writer, Security Buzz

PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.