Likely State Hackers Exploiting Palo Alto Firewall Zero-Day
Company Released a Hotfix to the Command Injection Vulnerability

Firewall appliance manufacturer Palo Alto Networks rushed out a hotfix Sunday to a command injection vulnerability present in its custom operating system after security researchers spotted a campaign to exploit the zero-day starting in March, likely from a state-backed threat actor.*
The flaw, tracked as CVE-2024-3400, carries the maximum CVSS score of 10. Palo Alto warned that an attacker could use it to "execute arbitrary code with root privileges on the firewall." The issue affects on-premises PAN-OS 10.2, 11.0 and 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal and with device telemetry enabled.
Threat intelligence firm Volexity uncovered the zero-day exploit and said a threat actor it tracks as UTA0218 began exploiting it on March 26. Volexity pegs the attack to a government based on the resources required to discover the zero-day and exploit it, the type of victims targeted, and the sophistication of a Python-coded backdoor the threat actors installed to further access victim networks.
A proof-of-concept exploit for the flaw is now available on GitHub, and because of it, the U.S. Cybersecurity and Infrastructure Security Agency has added the bug to its catalog of known exploited vulnerabilities. CISA has directed all federal agencies to secure their firewall appliances by Friday.
Well-resourced cybercrime gangs and nation-state hackers have been on an appliance-hacking spree that has swept up devices from industry heavyweights including SonicWall, Fortinet, Barracuda, F5 and Cisco. Customers of VPN maker Ivanti spent the first months of this year applying emergency patches after likely Chinese nation-state hackers in December began exploiting a zero-day (see: Hackers Compromised Ivanti Devices Used by CISA).
Threat intel researchers have warned that appliances will continue to be targets so long as manufacturers exclude devices from endpoint scanning or make it difficult for administrators to detect runtime modifications or conduct forensic investigations (see: Ivanti Uses End-of-Life Operating Systems, Software Packages).
Palo Alto Networks said it is aware of malicious exploitation of this issue and is tracking it as Operation MidnightEclipse.
Volexity said zero-day exploitation appears limited and targeted, but "evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems does appear to have occurred at the time of writing."
The cybersecurity firm said the hackers capitalized on the vulnerability to infiltrate firewalls and installed a custom backdoor that it dubbed "Upstyle" for establishing persistent access and executing commands remotely. Hackers concealed the backdoor in the firewall's Python configuration files. The backdoor also facilitates deployment of additional payloads.
Volexity uncovered evidence of the attackers pivoting to internal networks following the breaches. The threat actors targeted sensitive Windows files, including the Active Directory database and browser data from Google Chrome and Microsoft Edge.
Cybersecurity companies including Volexity, CrowdStrike and Microsoft have devised detection methods aimed at identifying compromised Palo Alto Networks firewalls.
*Correction April 16, 2024 15:35 UTC: A previous version misidentified the day Palo Alto Networks released hotfixes. It was on Sunday.