CVE-2024-3400 exploited: Unit 42, Volexity share more details about the attacks

UPDATE: April 17, 05:50 AM ET

New story:
Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation

Earlier today, Palo Alto Networks revealed that a critical command injection vulnerability (CVE-2024-3400) in the company’s firewalls is being exploited in limited attacks, and urged customers with vulnerable devices to quickly implement mitigations and workarounds.

Palo Alto Networks’ Unit 42 and Volexity have now released threat briefs with more information about the attacks, threat hunting queries, YARA rules, and indicators of compromise.

PAN’s insights

“We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor. We also assess that additional threat actors may attempt exploitation in the future,” Unit 42 researchers noted.

They also explained how the backdoor the attackers installed on targeted devices works, persists, and hides its presence, and shared threat hunting queries for customers of the company’s Cortex XDR solution.

PAN has also updated its advisory to say that “while cloud NGFW firewalls are not impacted, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are impacted.”

Volexity explains the extent of the attacks

Volexity threat researchers have also detailed the Python backdoor (dubbed UPSTYLE), which allows the attacker to execute additional commands on the device via specially crafted network requests. The attackers also created a reverse shell.

Volexity first detected the attacks on April 10, at one of its network security monitoring (NSM) customers, and then a second attack the day after at another customer.

“As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability,” they also found.

“On April 7, 2024, Volexity observed the attacker attempting and failing to deploy a backdoor on a customer’s firewall device. Three days later, on April 10, 2024, [the threat actor] was observed exploiting firewall devices to successfully deploy malicious payloads. A second compromise Volexity observed on April 11, 2024, followed a nearly identical playbook.”

After a successful exploitation, the attackers would download additional tools to facilitate their lateral movement across the victim organizations’ networks and the theft of credentials and files.

“In one case a service account configured for use by the Palo Alto firewall, and a member of the domain admins group, was used by the attackers to pivot internally across the affected networks via SMB and WinRM,” they added.
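One way a defender could hunt for the pivot pattern described above, as an added example that is not from the article, Unit 42 or Volexity: the service account name, host names and flow records are constructed assumptions, and the logic flags any SMB/WinRM session opened with the firewall’s directory-lookup account.

```python
from collections import defaultdict

# Assumed name of the account the firewall uses for LDAP/User-ID lookups.
FIREWALL_SVC_ACCOUNT = "svc_paloalto"
# Assumed hostname(s) of the appliance itself; only these should use the account.
FIREWALL_HOSTS = {"PA-FW"}
# Ports used for the lateral movement the article describes.
LATERAL_PORTS = {445: "SMB", 5985: "WinRM", 5986: "WinRM"}

# Constructed sample of authenticated flow records:
# (source host, account, destination host, destination port)
SAMPLE_RECORDS = [
    ("PA-FW", "svc_paloalto", "DC01", 389),     # LDAP lookup: expected
    ("PA-FW", "svc_paloalto", "DC01", 88),      # Kerberos: expected
    ("WS-017", "svc_paloalto", "FS01", 445),    # SMB from a workstation
    ("WS-017", "svc_paloalto", "WS-042", 5985), # WinRM from a workstation
    ("WS-017", "svc_paloalto", "DC01", 445),    # SMB to a DC (NTDS.DIT theft path)
    ("WS-021", "jdoe", "FS01", 445),            # ordinary user: not in scope
    ("PA-FW", "svc_paloalto", "FS01", 445),     # SMB even from the appliance
]


def find_service_account_pivots(records, account=FIREWALL_SVC_ACCOUNT,
                                firewall_hosts=FIREWALL_HOSTS):
    """Group suspicious uses of the firewall service account by source host.

    The account exists only so the appliance can query the directory. Any SMB
    or WinRM session it opens, from any host, and any use at all from a host
    other than the appliance, is treated as a pivot indicator.
    Returns {source_host: sorted list of (destination, protocol)}.
    """
    by_source = defaultdict(set)
    for src, acct, dst, port in records:
        if acct != account:
            continue
        proto = LATERAL_PORTS.get(port)
        if proto is None and src in firewall_hosts:
            continue  # directory traffic from the appliance: normal
        by_source[src].add((dst, proto or f"port {port}"))
    return {src: sorted(targets) for src, targets in by_source.items()}


if __name__ == "__main__":
    for src, targets in find_service_account_pivots(SAMPLE_RECORDS).items():
        print(f"{src}: {FIREWALL_SVC_ACCOUNT} used towards {targets}")
```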

“[The threat actor]’s initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users’ DPAPI keys.”

PAN customers can check whether their devices have been compromised by analyzing network traffic emanating from them and searching for specific network requests (detailed in the blog post). A second method for detection is still under wraps.

“If you discover that your Palo Alto Network GlobalProtect firewall device is compromised, it is important to take immediate action. Make sure to not wipe or rebuild the appliance. Collecting logs, generating a tech support file, and preserving forensics artifacts (memory and disk) from the device are crucial,” they added.

(Even if you don’t find evidence of compromise, it’s a good idea to generate a tech support file before applying the hotfix, just in case.)

“Pivoting to analyzing internal systems and tracking potential lateral movement should be done as soon as possible. Further, any credentials, secrets, or other sensitive data that may have been stored on the GlobalProtect firewall device should be considered compromised. This may warrant password resets, changing of secrets, and additional investigations,” the threat analysts advised.

Volexity says that it’s highly likely the threat actor involved in the attacks is state-backed, since considerable skills and resources are needed to discover and create an exploit for a vulnerability of this nature. The type of victims that have been targeted also points in that direction.

They expect the threat actor to ramp up their efforts to compromise the firewalls of other intended victims in the coming days, before mitigations and patches are widely deployed, so acting quickly is of the essence.

UPDATE (April 15, 2024, 04:10 a.m. ET):

Some PAN-OS fixes are now available and others will be published in the coming days.
