Summary:
Palo Alto Networks and Unit 42 are monitoring exploitation of CVE-2024-0012, an authentication bypass in the PAN-OS management web interface. The vulnerability allows an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges. Recommendations are to restrict management interface access to trusted internal IP addresses and to apply the available patches.
Keypoints:
- Palo Alto Networks is tracking exploitation activities related to CVE-2024-0012.
- The vulnerability allows an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges.
- Fixes for CVE-2024-0012 are described in the Palo Alto Networks Security Advisory; patched PAN-OS releases are available.
- Risk can be mitigated by restricting access to management web interfaces to trusted internal IP addresses.
- The vulnerability affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2.
- Cloud NGFW and Prisma Access are not impacted by this vulnerability.
- Threat activity has been observed targeting exposed management web interfaces, primarily from IP addresses associated with anonymous VPN services.
- Observed post-exploitation activity includes interactive command execution and deployment of malware such as web shells.
- Palo Alto Networks recommends updating to the latest patched releases and ensuring the management interface is reachable only from trusted internal networks (for example via a dedicated management VLAN or jump host).
- Unit 42 customers can reach out for assistance regarding potential compromises.
MITRE Techniques:
- Exploit Public-Facing Application (T1190): Exploits a vulnerability in an Internet-reachable service (here, the PAN-OS management web interface) to gain initial access.
- Application Layer Protocol (T1071): Uses multiple command and control domains over standard application protocols to maintain communication with compromised systems.
- OS Credential Dumping (T1003): Acquires credentials from the operating system and installed software on the compromised device.
- Ingress Tool Transfer (T1105): Transfers tools or files from an attacker-controlled system to the compromised device.
- Server Software Component: Web Shell (T1505.003): Deploys a web shell to maintain persistent access to the compromised device.
IoC:
- [IP Address] 91.208.197[.]167
- [IP Address] 136.144.17[.]146
- [IP Address] 136.144.17[.]149
- [IP Address] 136.144.17[.]154
- [IP Address] 136.144.17[.]161
- [IP Address] 136.144.17[.]164
- [IP Address] 136.144.17[.]166
- [IP Address] 136.144.17[.]167
- [IP Address] 136.144.17[.]170
- [IP Address] 136.144.17[.]176
- [IP Address] 136.144.17[.]177
- [IP Address] 136.144.17[.]178
- [IP Address] 136.144.17[.]180
- [IP Address] 173.239.218[.]251
- [IP Address] 209.200.246[.]173
- [IP Address] 209.200.246[.]184
- [IP Address] 216.73.162[.]69
- [IP Address] 216.73.162[.]71
- [IP Address] 216.73.162[.]73
- [IP Address] 216.73.162[.]74
- [File Hash (SHA-256)] 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
Full Research (Unit 42, covering CVE-2024-0012 and CVE-2024-9474): https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
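The two practical actions this page calls for, sweeping management-interface access logs for the listed indicator IPs and confirming that the interface is only ever reached from trusted internal addresses, can be combined in one triage pass. The script below is an added example and is not code from Unit 42 or Palo Alto Networks. It assumes a common access-log shape (source IP, timestamp, request line, status) and embeds a constructed sample; the trusted management network 10.10.0.0/24 is an assumed placeholder, not a value from the page. Adapt the regular expression and the allowlist to your own log source and topology.

```python
"""Triage helper for the CVE-2024-0012 indicators on this page.

Added example, not code from the Unit 42 research or Palo Alto Networks.
Assumes management-interface access logs in the form
    <src-ip> - - [<timestamp>] "<METHOD> <path> HTTP/x.y" <status> <bytes>
A constructed sample is embedded below so the script runs offline.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicator IPs exactly as listed on the page (defanged with "[.]").
IOC_IPS_DEFANGED = [
    "91.208.197[.]167", "136.144.17[.]146", "136.144.17[.]149", "136.144.17[.]154",
    "136.144.17[.]161", "136.144.17[.]164", "136.144.17[.]166", "136.144.17[.]167",
    "136.144.17[.]170", "136.144.17[.]176", "136.144.17[.]177", "136.144.17[.]178",
    "136.144.17[.]180", "173.239.218[.]251", "209.200.246[.]173", "209.200.246[.]184",
    "216.73.162[.]69", "216.73.162[.]71", "216.73.162[.]73", "216.73.162[.]74",
]
# SHA-256 indicator from the page, normalised to lowercase for comparison.
IOC_SHA256 = {"3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668"}

# Assumed allowlist of trusted management networks (placeholder, not from the page).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Minimal combined-log style parser; tighten or replace for your log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def refang(ip: str) -> str:
    """Turn a defanged indicator like 1.2.3[.]4 back into a routable string."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


@dataclass
class Finding:
    src: str
    path: str
    reason: str


def is_trusted(src: str) -> bool:
    """True if src falls inside one of the allowlisted management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def triage_lines(lines):
    """Return one Finding per request that is either from a known IoC IP
    or from any source outside the trusted management networks."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        src, path = m["src"], m["path"]
        if src in IOC_IPS:
            findings.append(Finding(src, path, "known IoC source IP"))
        elif not is_trusted(src):
            findings.append(Finding(src, path, "management interface reached from untrusted source"))
    return findings


def match_hashes(hashes):
    """Return the subset of the given SHA-256 digests that match the page's indicator."""
    return sorted(h.lower() for h in hashes if h.lower() in IOC_SHA256)


# Constructed sample log: one trusted admin, one IoC hit, one untrusted stray, one junk line.
SAMPLE_LOG = [
    '10.10.0.5 - - [18/Nov/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '136.144.17.146 - - [18/Nov/2024:10:00:07 +0000] "POST / HTTP/1.1" 200 210',
    '203.0.113.9 - - [18/Nov/2024:10:00:09 +0000] "GET / HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in triage_lines(SAMPLE_LOG):
        print(f"{f.src:16} {f.path:10} {f.reason}")
    print("hash matches:", match_hashes(["3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668"]))
```

Every request from outside the allowlist is reported, not only the IoC hits: the indicator list is a snapshot of what one team saw from VPN exit nodes, whereas any management-interface access from an untrusted address is by itself the exposure condition the advisory tells you to eliminate.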