Threat actors have been exploiting the recently disclosed zero-day vulnerability in Palo Alto Networks PAN-OS software since March 26, 2024, almost three weeks before it was made public yesterday (April 12, 2024).
Unit 42, the cybersecurity division of the company, is monitoring the incidents under the name Operation MidnightEclipse, assigning them to a single unidentified threat actor.
The security flaw, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Notably, this vulnerability affects only firewalls running PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 that are configured with both a GlobalProtect gateway and device telemetry enabled.
Operation MidnightEclipse involves exploiting the vulnerability to set up a cron job that runs every minute to fetch commands from an external server (“172.233.228[.]93/policy” or “172.233.228[.]93/patch”), which are then executed using the bash shell.
The attackers have manually controlled an access control list (ACL) for the command-and-control (C2) server to restrict access only to the communicating device.
Although the exact contents of the fetched commands are unknown, the URL is believed to serve as the delivery mechanism for a Python-based backdoor on the firewall, which Volexity has named UPSTYLE. Volexity discovered in-the-wild exploitation of CVE-2024-3400 on April 10, 2024, and observed the backdoor being hosted on separate infrastructure (“144.172.79[.]92” and “nhdata.s3-us-west-2.amazonaws[.]com”).
The downloaded Python file writes and launches a second Python script (“system.pth”), which in turn decodes and executes the embedded backdoor component. That component reads the attacker’s commands from a file called “sslvpn_ngx_error.log” and writes their results to a separate file named “bootstrap.min.css.”
Interestingly, both files used in the attack, one to receive commands and one to stage results, are legitimate files that already exist on the firewall:
- /var/log/pan/sslvpn_ngx_error.log
- /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css
To plant commands in the web server error log, the threat actor sends specially crafted HTTP requests for a non-existent page whose path follows a specific pattern; nginx logs the failed request, including the path, to the error log. The backdoor then reads the log file, searching for lines that match the regular expression “img\[([a-zA-Z0-9+/=]+)\]”, base64-decodes the captured group, and executes the result as a command.
“The script will then create another thread that runs a function called restore,” Unit 42 noted. “The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds, and writes the original contents back to the file and sets the access and modified times to their originals.”
The purpose is anti-forensic: the attacker has a 15-second window in which to retrieve the command output from the CSS file (served by the GlobalProtect portal), after which the original content and the original access and modification timestamps are restored, leaving no trace of the output on disk.
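Because the restore routine resets the timestamps on bootstrap.min.css, file-mtime checks will not catch the output channel; the more durable artifact is the command channel, the crafted request paths that end up in /var/log/pan/sslvpn_ngx_error.log. The following is an added example written for this article, not code from Unit 42, Volexity or Palo Alto Networks: it runs the same regular expression UPSTYLE uses over error log lines, base64-decodes each hit, and reports what the attacker tried to run. The log lines are constructed for the example and only imitate nginx’s error format; the request paths and decoded commands are illustrative, not observed samples.

```python
import base64
import binascii
import re
from typing import List, NamedTuple, Optional

# The pattern UPSTYLE scans the nginx error log for, per Unit 42 / Volexity.
# The captured group is the base64-encoded command.
UPSTYLE_CMD_RE = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")


class Hit(NamedTuple):
    line_no: int
    token: str                 # raw base64 captured from the log line
    decoded: Optional[str]     # decoded command, or None if not valid base64/UTF-8


def decode_token(token: str) -> Optional[str]:
    """Decode a captured token the way the backdoor would; None if it is not valid."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def extract_upstyle_commands(log_lines: List[str]) -> List[Hit]:
    """Return one Hit per distinct img[...] token found on each error-log line.

    A single nginx error line usually repeats the path twice (in the open()
    failure and in the request: field), so tokens are de-duplicated per line.
    A token that fails to decode is still reported: the pattern itself has no
    legitimate reason to appear in a GlobalProtect portal request path.
    """
    hits: List[Hit] = []
    for line_no, line in enumerate(log_lines, start=1):
        seen = set()
        for match in UPSTYLE_CMD_RE.finditer(line):
            token = match.group(1)
            if token in seen:
                continue
            seen.add(token)
            hits.append(Hit(line_no, token, decode_token(token)))
    return hits


# Constructed sample log lines (imitating nginx error format; not real captures).
# Line 2 carries base64("id"), line 3 base64("cat /etc/passwd"), line 4 a token
# that is not valid base64, to show that malformed hits are still surfaced.
SAMPLE_ERROR_LOG = [
    '2024/04/11 09:58:02 [error] 4321#0: *17 open() "/var/appweb/sslvpndocs/global-protect/portal/css/missing.css" '
    'failed (2: No such file or directory), client: 198.51.100.20, server: , '
    'request: "GET /global-protect/portal/css/missing.css HTTP/1.1"',
    '2024/04/11 10:01:45 [error] 4321#0: *18 open() "/var/appweb/sslvpndocs/global-protect/portal/images/img[aWQ=]" '
    'failed (2: No such file or directory), client: 198.51.100.7, server: , '
    'request: "GET /global-protect/portal/images/img[aWQ=] HTTP/1.1"',
    '2024/04/11 10:02:10 [error] 4321#0: *19 open() "/var/appweb/sslvpndocs/global-protect/portal/images/img[Y2F0IC9ldGMvcGFzc3dk]" '
    'failed (2: No such file or directory), client: 198.51.100.7, server: , '
    'request: "GET /global-protect/portal/images/img[Y2F0IC9ldGMvcGFzc3dk] HTTP/1.1"',
    '2024/04/11 10:02:33 [error] 4321#0: *20 open() "/var/appweb/sslvpndocs/global-protect/portal/images/img[zzz]" '
    'failed (2: No such file or directory), client: 198.51.100.7, server: , '
    'request: "GET /global-protect/portal/images/img[zzz] HTTP/1.1"',
]


if __name__ == "__main__":
    # In practice, feed in the contents of /var/log/pan/sslvpn_ngx_error.log.
    for hit in extract_upstyle_commands(SAMPLE_ERROR_LOG):
        shown = repr(hit.decoded) if hit.decoded is not None else "<undecodable>"
        print(f"line {hit.line_no}: token={hit.token} command={shown}")
```

Any match at all is worth an incident ticket; the decoded command tells the responder what the actor attempted and, together with the client IP in the same line, where the requests came from. Pair this with a review of the crontab for the every-minute fetch described above, since the log check only covers the command channel, not the initial foothold.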
Volexity, which tracks the actor as UTA0218, observed in its analysis the threat actor exploiting the firewall remotely to create a reverse shell, download additional tools, pivot into internal networks, and exfiltrate data. The full extent of the campaign is currently unknown.
“The attacker’s tradecraft and speed suggest a highly skilled threat actor with a clear plan of action to achieve their goals,” as stated by the American cybersecurity firm Volexity.
“UTA0218 initially targeted domain backup DPAPI keys and Active Directory credentials by obtaining the NTDS.DIT file. They also went after user workstations to steal saved cookies, login data, and users’ DPAPI keys.”
Organizations are advised to watch for signs of internal lateral movement from their Palo Alto Networks GlobalProtect firewall device.
This development has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply mitigations by April 19. Palo Alto Networks is expected to release fixes for the flaw by April 14.
“Targeting edge devices continues to be a popular attack vector for skilled threat actors who invest in researching new vulnerabilities,” Volexity remarked.
“Likely, UTA0218 is a state-supported threat actor based on the resources needed to develop and exploit such a vulnerability, the nature of victims targeted, and the capabilities exhibited to install the Python backdoor and access victim networks.”