Hackers Deploy Python Backdoor in Palo Alto Zero-Day Assault

Apr 13, 2024, Newsroom

Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday.

The network security company's Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it to a single threat actor of unknown provenance.

The security vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection flaw that enables unauthenticated attackers to execute arbitrary code with root privileges on the firewall.

It is worth noting that the issue applies only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations that have the GlobalProtect gateway and device telemetry enabled.

Operation MidnightEclipse involves exploiting the flaw to create a cron job that runs every minute to fetch commands hosted on an external server ("172.233.228[.]93/policy" or "172.233.228[.]93/patch"), which are then executed using the bash shell.

The attackers are said to have manually managed an access control list (ACL) for the command-and-control (C2) server to ensure that it can only be reached from the device communicating with it.


While the exact nature of the command is unknown, it is suspected that the URL serves as a delivery vehicle for a Python-based backdoor on the firewall that Volexity, which discovered in-the-wild exploitation of CVE-2024-3400 on April 10, 2024, is tracking as UPSTYLE and that is hosted on a different server ("144.172.79[.]92" and "nhdata.s3-us-west-2.amazonaws[.]com").

The Python file is designed to write and launch another Python script ("system.pth"), which subsequently decodes and runs the embedded backdoor component responsible for executing the threat actor's commands found in a file called "sslvpn_ngx_error.log." The results of the operation are written to a separate file named "bootstrap.min.css."

The most interesting aspect of the attack chain is that both the file used to extract the commands and the file used to write the results are legitimate files associated with the firewall:

  • /var/log/pan/sslvpn_ngx_error.log
  • /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css

As for how the commands are written to the web server error log, the threat actor forges specially crafted network requests to a non-existent web page containing a specific pattern. The backdoor then parses the log file and searches for the line matching the same regular expression ("img[([a-zA-Z0-9+/=]+)]") to decode and run the command inside it.
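A defender can turn the two observables described above (the img[...] request pattern in the GlobalProtect error log and the hosts named in this write-up) into a simple hunt script. This is an added example, not code from Unit 42 or Volexity; the log lines and the proxy-log excerpt are constructed, and the regex brackets are escaped here so it compiles (the article shows the pattern unescaped).

```python
import base64
import binascii
import re

# Request pattern the write-up says UPSTYLE looks for in the GlobalProtect error log
# (square brackets escaped so the regex compiles; the page shows it unescaped).
UPSTYLE_CMD_RE = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")

# C2 / staging hosts named in the write-up, un-defanged for matching.
KNOWN_HOSTS = ("172.233.228.93", "144.172.79.92", "nhdata.s3-us-west-2.amazonaws.com")

# Constructed sample lines in the style of /var/log/pan/sslvpn_ngx_error.log (not real device data).
SAMPLE_LOG = """\
2024/04/11 10:02:13 [error] 1234#0: open() "/global-protect/portal/css/missing.css" failed (2: No such file or directory)
2024/04/11 10:02:40 [error] 1234#0: open() "/global-protect/img[aWQ=]" failed (2: No such file or directory)
2024/04/11 10:03:01 [error] 1234#0: open() "/global-protect/img[abc]" failed (2: No such file or directory)
"""

def find_upstyle_commands(log_text):
    """Return one dict per img[...] hit: line number, raw blob and base64-decoded text.
    The payload is decoded for analyst review only; nothing is executed."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in UPSTYLE_CMD_RE.finditer(line):
            blob = m.group(1)
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except binascii.Error:
                decoded = None  # matches the pattern but is not valid base64: still worth a look
            findings.append({"line": lineno, "encoded": blob, "decoded": decoded})
    return findings

def find_known_hosts(text):
    """Return (line number, host) pairs where a write-up host appears in arbitrary text
    such as a crontab dump or a proxy/DNS log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for host in KNOWN_HOSTS:
            if host in line:
                hits.append((lineno, host))
    return hits

if __name__ == "__main__":
    for finding in find_upstyle_commands(SAMPLE_LOG):
        print(finding)
    # Constructed proxy-log excerpt, not real traffic
    print(find_known_hosts("2024/04/12 03:14:00 fw01 outbound 172.233.228.93:80 GET /policy\n"))
```

Any hit from the first function is a strong signal on its own; pair it with a check of whether bootstrap.min.css has been rewritten, keeping in mind that the backdoor restores its content and timestamps after 15 seconds.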

“The script will then create another thread that runs a function called restore,” Unit 42 said. “The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals.”


The main goal appears to be to avoid leaving traces of the command outputs, which means the results must be exfiltrated within 15 seconds, before the file is overwritten.

Volexity, in its own analysis, said it observed the threat actor remotely exploiting the firewall to create a reverse shell, download additional tooling, pivot into internal networks, and ultimately exfiltrate data. The exact scale of the campaign is currently unclear. The adversary has been assigned the moniker UTA0218 by the company.


“The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives,” the American cybersecurity firm said.

“UTA0218’s initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users’ DPAPI keys.”

Organizations are advised to look for signs of lateral movement internally from their Palo Alto Networks GlobalProtect firewall device.

The development has also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by April 19 to mitigate potential threats. Palo Alto Networks is expected to release fixes for the flaw no later than April 14.

“Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities,” Volexity said.

“It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”
