Palo Alto Networks Firewall Exposed to Zero-Day Vulnerability, Hacker Groups Use Implanted Backdoor Programs to Steal Data

A critical zero-day vulnerability (CVE-2024-3400) in Palo Alto Networks PAN-OS software has been actively exploited by the threat actor tracked as UTA0218 in an attack campaign codenamed "Operation MidnightEclipse". The vulnerability allows an attacker to plant a Python backdoor on the firewall, obtain root privileges, and then move laterally and steal data from the victim's network. Affected devices are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured as a GlobalProtect gateway (the original advisory also listed device telemetry as a precondition). Palo Alto Networks has issued a security advisory with a remediation patch and recommends that users update as soon as possible.

Palo Alto Networks' Unit 42 division named the activity Operation MidnightEclipse and attributed it to an as-yet-unidentified threat actor.

The vulnerability is tracked as CVE-2024-3400 (CVSS score: 10.0). It is a command injection flaw that allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

It is important to note that this issue only affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway. The initial advisory also required device telemetry to be enabled; Palo Alto Networks later revised it to state that telemetry does not need to be enabled for a device to be exploitable, so the GlobalProtect gateway configuration alone should be treated as the exposure condition.

Operation MidnightEclipse exploits this vulnerability to create a cron job that runs once per minute, fetches commands from an attacker-controlled external server ("172.233.228[.]93/policy" or "172.233.228[.]93/patch"), and then executes those commands using the bash shell.

The attacker reportedly managed the access control list (ACL) of the command-and-control (C2) server by hand, so that only the compromised devices communicating with it could reach it.

While the exact nature of the fetched commands is unknown, the URL is suspected to be the delivery vehicle for a Python-based backdoor on the firewall. Volexity, which discovered in-the-wild exploitation of CVE-2024-3400 on April 10, 2024, tracks this backdoor as UPSTYLE; it is hosted on different servers ("144.172.79[.]92" and "nhdata.s3-us-west-2.amazonaws[.]com").

The Python file is designed to write and launch another Python script ("system.pth"), which in turn decodes and runs the embedded backdoor component. That component executes the threat actor's commands, which it reads from a file named "sslvpn_ngx_error.log", and writes the results to a separate file named "bootstrap.min.css".

The most interesting aspect of the attack chain is that both files used to extract commands and write results are legitimate files associated with the firewall:

/var/log/pan/sslvpn_ngx_error.log
/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css

As for how the commands end up in the web server's error log: the threat actor sends a specially crafted web request for a non-existent page whose URL contains a specific pattern, so the resulting 404 error (including the URL) is logged. The backdoor then parses the log file, searches for lines matching the regular expression ("img\[([a-zA-Z0-9+/=]+)\]"), base64-decodes the captured group, and runs the decoded command.

Unit 42 says, "The script then creates another thread that runs a function called restore. restore takes the original contents of the bootstrap.min.css file and the original access and modification times, sleeps for 15 seconds, writes the original contents back to the file, and sets the access and modification times to the original time."


The apparent goal is to avoid leaving traces of the command output on disk: the attacker must retrieve the results within the 15-second window before the file is restored to its original contents and timestamps.
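Because the command output only survives in bootstrap.min.css for about 15 seconds, the web server error log is the more durable artifact for defenders. The following Python script is an added hunting example, not code from the original article or from Unit 42 or Volexity: it applies the regular expression reported above to nginx-style error-log lines, base64-decodes each captured blob and records the requesting client. The log lines are constructed for the example (the IP addresses and hostname are placeholders), and a blob that matches the character class but is not valid base64 is kept in the output with a None command so it is not silently dropped.

```python
import base64
import binascii
import re
from typing import Optional

# Pattern reported by Unit 42 for the UPSTYLE backdoor: a base64 blob wrapped in img[...].
CMD_RE = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")
# nginx error-log lines carry the requesting client as "client: <ip>,".
CLIENT_RE = re.compile(r"client: (\S+?),")

# Constructed sample lines in the nginx error-log layout (not captured data).
# Line 1 carries base64("id"), line 3 base64("cat /etc/passwd"), line 4 a blob
# that matches the character class but is not valid base64; line 2 is benign.
SAMPLE_LOG = """\
2024/04/10 09:14:01 [error] 2211#0: *8 open() "/var/appweb/sslvpndocs/global-protect/portal/img[aWQ=]" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /global-protect/portal/img[aWQ=] HTTP/1.1", host: "vpn.example.com"
2024/04/10 09:14:02 [error] 2211#0: *9 open() "/var/appweb/sslvpndocs/global-protect/portal/images/logo.png" failed (2: No such file or directory), client: 203.0.113.4, server: , request: "GET /global-protect/portal/images/logo.png HTTP/1.1", host: "vpn.example.com"
2024/04/10 09:15:03 [error] 2211#0: *10 open() "/var/appweb/sslvpndocs/global-protect/portal/img[Y2F0IC9ldGMvcGFzc3dk]" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /global-protect/portal/img[Y2F0IC9ldGMvcGFzc3dk] HTTP/1.1", host: "vpn.example.com"
2024/04/10 09:16:04 [error] 2211#0: *11 open() "/var/appweb/sslvpndocs/global-protect/portal/img[abc]" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /global-protect/portal/img[abc] HTTP/1.1", host: "vpn.example.com"
"""


def decode_payload(blob: str) -> Optional[str]:
    """Base64-decode one captured blob; return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def extract_commands(log_text: str) -> list:
    """Return one record per distinct img[...] blob found in each log line.

    Each record carries the line number, the client IP (if present), the raw
    blob and the decoded command (None when the blob does not decode).
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        blobs = CMD_RE.findall(line)
        if not blobs:
            continue
        client = CLIENT_RE.search(line)
        # nginx logs the path twice (open() target and request line), so
        # dedupe the blobs per line while preserving their order.
        for blob in dict.fromkeys(blobs):
            hits.append({
                "line": lineno,
                "client": client.group(1) if client else None,
                "blob": blob,
                "command": decode_payload(blob),
            })
    return hits


def hunt(path: str) -> list:
    """Run the extraction over a real error log, e.g. /var/log/pan/sslvpn_ngx_error.log."""
    with open(path, "r", errors="replace") as fh:
        return extract_commands(fh.read())


if __name__ == "__main__":
    for hit in extract_commands(SAMPLE_LOG):
        print(f"line {hit['line']:>4}  client={hit['client']}  "
              f"blob={hit['blob']!r}  command={hit['command']!r}")
```

Run against a copy of /var/log/pan/sslvpn_ngx_error.log taken from a suspect appliance (via hunt()); any hit is a strong indicator, since legitimate GlobalProtect clients never request URLs of this shape. Keep the undecodable blobs in the report: an attacker testing the channel or a truncated log line still tells you the pattern was being probed, and dropping those rows would hide that.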

In its analysis, Volexity said it observed the threat actor remotely exploiting firewalls to create reverse shells, download additional tools, pivot into internal networks, and ultimately exfiltrate data. The exact scale of the campaign is not yet known. Volexity tracks the adversary as UTA0218.

The cybersecurity firm said, "The techniques and speed employed by the attacker suggest an extremely capable threat actor with a clear plan of action and knowledge of how to access information to achieve their goals."

"The initial goal of UTA0218 was to obtain domain backup DPAPI keys and attack Active Directory credentials by obtaining NTDS.DIT files. They further attacked user workstations to steal saved cookies and login data, as well as the user's DPAPI key."

Organizations running affected appliances are advised to check their Palo Alto Networks GlobalProtect firewalls for signs of compromise and to hunt for lateral movement from those devices into the internal network.

Vulnerability PoC or exploit reference:

https://hackertop.com/Thread-palo-alto-networks-zero-day-vulnerability-exploit

Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/palo-alto-networks-zero-day-vulnerability-exploited.html
