Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks’ PAN-OS software since March 26, 2024, nearly three weeks before it came to light yesterday.
The network security company’s Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it to a single threat actor of unknown origin.
The security vulnerability, tracked as CVE-2024-3400 (CVSS Score: 10.0), is a command injection flaw that allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall.
It is worth noting that the issue is only applicable to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations with GlobalProtect gateway and device telemetry enabled.
Operation MidnightEclipse involves exploiting the flaw to create a cron job that runs every minute to retrieve commands hosted on an external server (“172.233.228[.]93/policy” or “172.233.228[.]93/patch”), which are then executed using the bash shell.
The attackers are said to have manually maintained an access control list (ACL) for the command and control (C2) server to ensure that it can only be accessed by the device communicating with it.
While the exact nature of the command is unknown, the URL is suspected to serve as a delivery vehicle for a Python-based backdoor on the firewall. Volexity, which discovered in-the-wild exploitation of CVE-2024-3400 on April 10, 2024, is tracking the backdoor as UPSTYLE; it is hosted on a different server (“144.172.79[.]92” and “nhdata.s3-us-west-2.amazonaws[.]com”).
The Python file is designed to write and launch another Python script (“system.pth”), which subsequently decodes and runs the embedded backdoor component. That component executes the threat actor’s commands, which it reads from a file called “sslvpn_ngx_error.log”, and writes the results of the operation to a separate file called “bootstrap.min.css”.
The most interesting aspect of the attack chain is that both the file used to extract the commands and the file used to write the results are legitimate files associated with the firewall:
- /var/log/pan/sslvpn_ngx_error.log
- /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css
As for how commands are written to the web server’s error log, the threat actor forges specially crafted network requests to a non-existent web page containing a specific pattern. The backdoor then parses the log file and searches for lines matching a regular expression (“img\[([a-zA-Z0-9+/=]+)\]”) to decode and execute the command inside them.
“The script will then create another thread that executes a function called restore,” said Unit 42. “The restore function takes the original contents of the bootstrap.min.css file, as well as the original access and modification times, sleeps for 15 seconds and rewrites the original contents to the file and sets the access and modification times to the original values.”
The main goal appears to be to avoid leaving traces of the command’s outputs, making it necessary for the results to be exfiltrated within 15 seconds before the file is overwritten.
Volexity, in its analysis, said it observed the threat actor remotely exploit the firewall to create a reverse shell, download additional tools, pivot into internal networks, and ultimately exfiltrate data. The exact scope of the campaign is currently unclear. The company has given the adversary the name UTA0218.
“The cunning and speed employed by the attacker suggests that he is a highly capable actor with a clear agenda of what to access to achieve his goals,” the American cybersecurity firm said.
“UTA0218’s initial objectives were to capture domain backup DPAPI keys and target Active Directory credentials by obtaining the NTDS.DIT file. They also targeted users’ workstations to steal saved cookies and login data, along with the users’ DPAPI keys.”
Organizations are advised to look for signs of lateral movement internally from their Palo Alto Networks GlobalProtect firewall appliance.
The development also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by April 19 to mitigate potential threats. Palo Alto Networks is expected to release fixes for the flaw by April 14.
“Targeting edge devices remains a popular attack vector for capable threat actors who have the time and resources to invest in finding new vulnerabilities,” Volexity said.
“UTA0218 is highly likely to be a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”