Hackers Exploit PAN-OS Vulnerability Shortly After Its Announcement
A suspected cyber espionage effort traced back to a Chinese hacking group is exploiting a recently discovered flaw in Palo Alto Networks firewalls. This vulnerability has been leveraged to implant a malware backdoor, raising significant concerns for organizations using the affected systems.
The malware, identified as a variant of Littlelamb.Wooltea by researchers at cybersecurity firm Northwave, has previously been linked to the threat actor group known as UNC5325. The campaign began in November, shortly after Palo Alto disclosed a medium-severity privilege escalation vulnerability, tracked as CVE-2024-9474, in its PAN-OS software. The flaw allows attackers to execute commands with root privileges on the firewall, a critical component of a company’s network security.
Following the flaw’s disclosure, threat actors were quick to act, using it to download a malicious file named bwmupdate, which installs the malware disguised as a logd file. Northwave’s analysis indicates that this variant can execute up to 30 different commands, providing extensive capabilities, including file manipulation and the establishment of covert network connections.
Within its operational framework, the malware can create a network tunnel to listen for outbound connections, facilitate shell connections, and set up a SOCKS5 proxy that manages multiple listening ports. Such capabilities suggest that the attackers are employing advanced tactics for persistence and privilege escalation, as outlined in the MITRE ATT&CK framework.
The malware operates through multiple nodes designed for overseeing network communications, encompassing functions such as tracking lost connections and managing network handshakes. Moreover, in addition to the backdoor, attackers exploiting this vulnerability have deployed additional malicious payloads aimed at retrieving data from external servers.
Palo Alto has acknowledged that, in addition to CVE-2024-9474, a second vulnerability, tracked as CVE-2024-0012, was also exploited in these attacks. The company has since released patches addressing both issues. It has urged system administrators to restrict access to their web management interfaces to trusted IP addresses only, noting that the attacks have affected only a limited number of PAN-OS devices, although estimates suggest the number could be in the thousands.
The activities of UNC5325 illustrate the persistent threat posed by state-sponsored groups targeting edge devices within corporate networks. Mandiant has classified UNC5325 as a China-affiliated threat actor involved in similar campaigns, including a notable hack utilizing a zero-day vulnerability in Ivanti Connect Secure VPN solutions.
In conclusion, these developments underscore the necessity for business owners to remain vigilant regarding potential cyber threats, particularly those posed by state-sponsored actors targeting network security devices. With the landscape of cybersecurity continuously evolving, adherence to best practices in security hygiene and patch management is more crucial than ever.