Hackers Deployed Python Backdoor in Zero-Day Attack on Palo Alto

Hackers have been exploiting a newly discovered flaw in Palo Alto Networks PAN-OS software since March 26, 2024, almost three weeks before it was made public yesterday.

The network security company’s Unit 42 team is tracking the activity under the name Operation MidnightEclipse and believes it is the work of a single, as yet unidentified threat actor.

The vulnerability, tracked as CVE-2024-3400 and rated 10.0 out of 10 in severity, allows an unauthenticated attacker to execute arbitrary code with the highest level of privileges on the firewall.

It is important to note that only PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls with both a GlobalProtect gateway and device telemetry enabled are affected.

Operation MidnightEclipse uses the flaw to create a scheduled task that runs every minute, fetches commands from an external server (“172.233.228[.]93/policy” or “172.233.228[.]93/patch”) and executes them with the bash shell.

The attackers manually manage an access control list (ACL) on their command-and-control (C2) server so that only the intended victim device can connect to it.

The exact commands are unknown, but the URL is believed to be the delivery vehicle for a Python-based backdoor. Volexity, which found evidence of exploitation on April 10, 2024, tracks the backdoor as UPSTYLE and has observed it hosted on other servers (“144.172.79[.]92” and “nhdata.s3-us-west-2.amazonaws[.]com”).

The Python file writes and runs a second Python script (“system.pth”), which decodes and launches the embedded backdoor component. That component executes the attacker’s commands, which are staged in a file called “sslvpn_ngx_error.log”, and writes their output to a separate file named “bootstrap.min.css”.

What is notable is that both files are legitimate files that ship with the firewall:

/var/log/pan/sslvpn_ngx_error.log

/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css

To write commands into the web server’s error log, the attacker sends specially crafted requests for a non-existent web page that embed the command in a specific pattern. The backdoor then reads the log file, searches for lines matching that pattern and executes the commands it finds.

“The script will then create another thread that runs a function called restore,” Unit 42 said.

“The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals.”

The main goal appears to be to leave no trace of the command output, which means the attacker must exfiltrate the results within 15 seconds, before the file is restored.
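
As an added illustration from the detection side (not code from the article, Unit 42 or Volexity): a Python scan over constructed nginx-style error-log lines that flags requests for missing pages carrying shell syntax or an encoded blob, plus a content-hash check for bootstrap.min.css, since the restore step described above makes file timestamps useless as evidence. The log format, the flagged request shapes and the baseline CSS are assumptions; the article does not disclose the exact pattern the backdoor matches.

```python
import hashlib
import re
# Constructed sample lines in nginx error-log style, not real records from the
# article; the injected request shapes are hypothetical stand-ins, since the
# article does not disclose the exact pattern the backdoor matches.
SAMPLE_LOG = """\
2024/04/11 09:12:01 [error] 2210#0: *41 open() "/var/appweb/sslvpndocs/global-protect/missing.css" failed (2: No such file or directory), client: 203.0.113.7, server: , request: "GET /global-protect/missing.css HTTP/1.1"
2024/04/11 09:12:44 [error] 2210#0: *42 open() "/var/appweb/sslvpndocs/global-protect/nope" failed (2: No such file or directory), client: 198.51.100.9, server: , request: "GET /global-protect/nope?x=`id`;cat /etc/passwd HTTP/1.1"
2024/04/11 09:13:02 [error] 2210#0: *43 open() "/var/appweb/sslvpndocs/global-protect/zz" failed (2: No such file or directory), client: 198.51.100.9, server: , request: "GET /global-protect/zz?d=aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmxvYg== HTTP/1.1"
"""

# One "file not found" entry: timestamp, client IP and the raw request line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[error\] .*?failed \(2: No such file or directory\), '
    r'client: (?P<client>[\d.]+), .*?request: "(?P<req>[^"]*)"'
)
SHELL_META = re.compile(r'[;|`]|\$\(')             # separators / substitution
B64_RUN = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')  # long encoded blob in a URL


def find_suspicious_log_entries(text):
    """Return (timestamp, client, request, reasons) for missing-page requests
    that carry shell syntax or an encoded blob, neither of which belongs in a
    request for a static GlobalProtect page."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        req = m.group("req")
        reasons = []
        if SHELL_META.search(req):
            reasons.append("shell metacharacters")
        if B64_RUN.search(req):
            reasons.append("long base64-like token")
        if reasons:
            hits.append((m.group("ts"), m.group("client"), req, reasons))
    return hits


def baseline_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def css_tampered(current: bytes, known_good_sha256: str) -> bool:
    # Compare content only: the restore thread puts the original atime and
    # mtime back, so file timestamps are not a usable signal for this backdoor.
    return baseline_hash(current) != known_good_sha256


# Constructed stand-in for the shipped bootstrap.min.css; hash the real file at
# install time, before any exposure, to obtain a trustworthy baseline.
BASELINE_CSS = b"/*! Bootstrap (constructed placeholder) */ .btn{padding:6px}\n"
```

Because output is only present in bootstrap.min.css for about 15 seconds, the hash check is best run on a tight schedule or from file-integrity monitoring rather than on demand.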

Volexity says it has observed the attacker remotely exploiting the firewall to establish a reverse shell, download additional tools, move laterally within networks and ultimately exfiltrate data. The scale of the activity is unclear. Volexity tracks the attacker as UTA0218.

“The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives,” the American cybersecurity firm said.

“UTA0218’s initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users’ DPAPI keys.”

Organizations should look for signs of lateral movement originating from their Palo Alto Networks GlobalProtect firewall device.

This development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by April 19. Palo Alto Networks is expected to release fixes by April 14.

“Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities,” Volexity said.

“It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”

CyberArrow team