Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls

A state-sponsored threat actor has been exploiting a zero-day in Palo Alto Networks firewalls for the past two weeks.

Palo Alto Networks

A threat actor has successfully exploited a zero-day in Palo Alto Networks firewalls for more than two weeks, malware hunters at Volexity warn.

Palo Alto Networks disclosed the vulnerability on Friday, warning that it was aware of limited in-the-wild exploitation and promising patches within the next two days.

Tracked as CVE-2024-3400 (CVSS score of 10/10), the security defect is described as a command injection issue allowing unauthenticated attackers to execute arbitrary code on impacted firewalls, with root privileges.

According to the vendor, all appliances running PAN-OS versions 10.2, 11.0, and 11.1 that have GlobalProtect gateway and device telemetry enabled are vulnerable. Other PAN-OS versions, cloud firewalls, Panorama appliances, and Prisma Access are not affected.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor,” the company says in a blog post.

Volexity has attributed the CVE-2024-3400 exploitation to a state-sponsored threat actor it tracks as ‘UTA0218’, which appears to be highly capable “with a clear playbook of what to access to further their objectives”.

“Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks,” the cybersecurity firm notes.

The company is currently unable to link the activity to previously known threat actors or operations. 

Advertisement. Scroll to continue reading.

It is unclear how widespread the exploitation might have been, but Volexity says it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems”.

Since March 26, the cybersecurity firm says, UTA0218 has been successfully exploiting the zero-day against multiple organizations. In two instances, the attackers also injected a Python-based backdoor called Upstyle and used it to execute additional commands.

“After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims’ internal networks. They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion,” Volexity explains.

The threat actor was seen creating a cron job on the firewall to persistently fetch a file from a remote server and execute its contents. The attackers were seen manually managing an access control list for the command-and-control (C&C) server, to ensure that it can only be accessed from the device communicating with it.

UTA0218 was also observed deploying a reverse shell written in Python and an open source SSH reverse shell, downloading reverse proxy tooling such as GOST (GO Simple Tunnel), and exfiltrating configuration data from the compromised firewalls.

In one attack, the threat actor used a highly privileged service account from the Palo Alto Networks firewall to move laterally via SMB and WinRM. UTA0218 then stole the Active Directory database, key data, Windows event logs, login information, cookies, and browser data, and was able to decrypt stored credentials.

“UTA0218 was not observed deploying malware or additional methods of persistence on systems within victim networks. The stolen data did allow the attacker to effectively compromise credentials for all domain accounts. Further, the attacker gained access and could potentially use valid credentials or cookies taken from browser data for specific user workstations accessed,” Volexity explains.

Patches for CVE-2024-3400 are expected to arrive by April 14. In the meantime, organizations are advised to disable device telemetry on their firewalls, and apply other mitigation recommendations that Palo Alto Networks detailed in its advisory.

Organizations that believe they were compromised via this zero-day are advised to collect logs, create a tech support file, and preserve forensic artifacts. They should also hunt for potential lateral movement and should consider all sensitive data on the firewall to be compromised.

Both Palo Alto Networks and Volexity warn that exploitation of CVE-2024-3400 is likely to spike over the next few days, both by UTA0218 and other threat actors, mainly driven by the imminent availability of patches.

Related: Palo Alto Networks Warns of Exploited Firewall Vulnerability

Related: Pixel Phone Zero-Days Exploited by Forensic Firms

Related: CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks

Related: Recent Fortinet FortiClient EMS Vulnerability Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.