Threat actors have been exploiting a newly disclosed flaw in Palo Alto Networks' PAN-OS software since March 26, 2024, nearly three weeks before it came to light the day before this report.
Palo Alto Networks' Unit 42 is tracking the activity as Operation MidnightEclipse and attributes it to a single threat actor of unknown origin.
The vulnerability, tracked as CVE-2024-3400 (CVSS score 10.0), is a command injection flaw that allows an unauthenticated attacker to execute arbitrary commands with root privileges on the firewall.
The issue affects only PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway and device telemetry enabled.
Operation MidnightEclipse uses the flaw to create a cron job that runs every minute, fetches commands from an attacker-controlled server ("172.233.228[.]93/policy" or "172.233.228[.]93/patch") and executes them through the bash shell.
The attackers are said to have manually managed an access control list (ACL) on the command-and-control (C2) server so that only the device communicating with it could reach it.
The exact nature of the command is unknown, but the URL is suspected to serve as a delivery vehicle for a Python-based backdoor on the firewall. Volexity, which detected in-the-wild exploitation of CVE-2024-3400 on April 10, 2024, has named the backdoor UPSTYLE; it is hosted on a different server ("144.172.79[.]92" and "nhdata.s3-us-west-2.amazonaws[.]com").
The Python file is designed to write and launch another Python script ("system.pth"), which in turn decodes and runs the embedded backdoor component. That component carries out the attacker's commands, which are written to a file named "sslvpn_ngx_error.log"; the results of those commands are written to a separate file named "bootstrap.min.css."
The most notable aspect of the attack chain is that both the command channel and the output channel are legitimate files associated with the firewall:
/var/log/pan/sslvpn_ngx_error.log
/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css
Commands reach the web server error log because the attacker sends specially crafted requests for a non-existent web page whose name contains a specific pattern. The backdoor then parses the log file for a line matching the regular expression "img([a-zA-Z0-9+/=]+)", base64-decodes the captured group and executes the resulting command.
"The script will then spawn another thread executing a function dubbed 'restore'," Unit 42 explained. "The restore function incorporates the original content of the bootstrap.min.css file, alongside the initial access and modification timestamps, pausing for 15 seconds before restoring the original contents to the file and reinstating the access and modification timestamps to their original values."
The goal is apparently to hide traces of the command output, which means the attacker must retrieve the results within 15 seconds, before the file is overwritten.
Volexity, in its own analysis, observed the threat actor remotely exploiting the firewall to create a reverse shell, download additional tooling, pivot into internal networks and ultimately exfiltrate data. The full scope of the campaign remains unclear. Volexity tracks the actor as UTA0218.
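The following is an added hunting example written for this article; it is not Unit 42 or Volexity code and not part of UPSTYLE. It applies the regex the report attributes to the backdoor to constructed nginx-style error log lines (the lines, the client address and the encoded command are made up) and shows why the regex alone is a noisy indicator: any path containing "images/" also matches "img...", so a hit is only worth raising when the captured group decodes cleanly to printable text. The second half reproduces the overwrite-then-restore behaviour described above and checks the one timestamp the backdoor cannot put back: on Linux, restoring atime and mtime with utime() still bumps the inode change time (ctime), so a bootstrap.min.css whose ctime is far newer than its mtime deserves a closer look. The 60-second threshold and the one-hour offset are assumptions chosen for the demonstration.

```python
"""Hunting helpers for the UPSTYLE-style log/CSS command channel.

Added example, not Unit 42 or Volexity code. The regex is the one the
report attributes to the backdoor; the log lines below are constructed.
"""
import base64
import binascii
import os
import re
import tempfile
import time

# Pattern the backdoor is reported to search for in sslvpn_ngx_error.log.
# The character class is the base64 alphabet, so the capture group is the
# encoded command the attacker smuggled in via a request for a bogus page.
CMD_PATTERN = re.compile(r"img([a-zA-Z0-9+/=]+)")

# Constructed nginx-style error log lines (not real firewall output).
# The first is a benign 404 that happens to contain "img" via "images/";
# the second carries base64("uname -a") = "dW5hbWUgLWE=" after "img".
SAMPLE_LOG = [
    '2024/04/10 10:01:02 [error] 1234#0: *7 open() '
    '"/var/appweb/sslvpndocs/global-protect/portal/images/logo.png" failed '
    '(2: No such file or directory), client: 203.0.113.5, '
    'request: "GET /global-protect/portal/images/logo.png HTTP/1.1"',
    '2024/04/10 10:01:09 [error] 1234#0: *8 open() '
    '"/var/appweb/sslvpndocs/global-protect/portal/css/imgdW5hbWUgLWE=" failed '
    '(2: No such file or directory), client: 203.0.113.5, '
    'request: "GET /global-protect/portal/css/imgdW5hbWUgLWE= HTTP/1.1"',
]


def decode_candidate(token: str):
    """Return the decoded command if token is valid base64 of printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or not all(ch.isprintable() or ch in "\n\t" for ch in text):
        return None
    return text


def extract_commands(log_lines):
    """Scan error-log lines with the backdoor's own regex and decode hits.

    Legitimate paths such as "images/" also match "img...", so the raw regex
    alone is a noisy detector; requiring a clean base64 decode to printable
    text removes those false positives. Duplicate hits on one line (the path
    appears in both the open() and request: fields) are collapsed.
    """
    hits = []
    for line in log_lines:
        for m in CMD_PATTERN.finditer(line):
            token = m.group(1)
            cmd = decode_candidate(token)
            if cmd is not None and (token, cmd) not in hits:
                hits.append((token, cmd))
    return hits


def restore_leaves_ctime_gap(path, min_gap_seconds=60.0):
    """True if the inode change time is much newer than the modification time.

    os.utime() can put atime/mtime back, but the kernel bumps ctime on every
    content or metadata change, and nothing in userland can set it back.
    Assumes Linux/POSIX semantics (the firewall is Linux-based); on Windows
    st_ctime is the creation time and this check does not apply.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > min_gap_seconds


def simulate_restore(workdir):
    """Reproduce the overwrite-then-restore behaviour Unit 42 describes.

    Returns (content_restored, ctime_gap_flagged) for the simulated file.
    """
    path = os.path.join(workdir, "bootstrap.min.css")
    original = b"/* legitimate stylesheet */\n"
    with open(path, "wb") as fh:
        fh.write(original)
    an_hour_ago = time.time() - 3600            # assumed "last legitimate touch"
    os.utime(path, (an_hour_ago, an_hour_ago))

    # Backdoor behaviour: drop command output into the file, then restore the
    # original bytes and the original atime/mtime (the 15 s sleep is omitted).
    with open(path, "wb") as fh:
        fh.write(b"Linux fw 4.x ... GNU/Linux\n")   # constructed command output
    with open(path, "wb") as fh:
        fh.write(original)
    os.utime(path, (an_hour_ago, an_hour_ago))

    with open(path, "rb") as fh:
        content_restored = fh.read() == original
    return content_restored, restore_leaves_ctime_gap(path)


def demo_restore():
    """Run simulate_restore() in a scratch directory."""
    with tempfile.TemporaryDirectory() as workdir:
        return simulate_restore(workdir)


if __name__ == "__main__":
    for token, cmd in extract_commands(SAMPLE_LOG):
        print(f"command channel hit: {token!r} -> {cmd!r}")
    print("content restored, ctime gap flagged:", demo_restore())
```

On a real device the same two checks translate to reading /var/log/pan/sslvpn_ngx_error.log with extract_commands() and comparing stat output for bootstrap.min.css; a large ctime-minus-mtime gap is only an indicator, since package updates and other legitimate metadata changes can also produce one.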
"The tactics and expediency exhibited by the perpetrator imply a highly proficient threat entity with a well-defined strategy aimed at furthering their agenda," said the American cybersecurity company.
"UTA0218's initial objectives revolved around acquiring domain backup DPAPI keys and targeting Active Directory credentials by acquiring the NTDS.DIT file. Subsequently, they targeted user workstations to pilfer saved cookies and login credentials, alongside user DPAPI keys."
Organizations are advised to look for signs of lateral movement originating from their Palo Alto Networks GlobalProtect firewall devices.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by April 19. Palo Alto Networks is expected to release fixes for the flaw no later than April 14.
"Targeting perimeter devices remains a favored vector of attack for adept threat entities investing time and resources into researching novel vulnerabilities," Volexity said.
“It’s highly probable that UTA0218 is a state-affiliated threat entity, considering the resources required to exploit a vulnerability of this nature, the profile of victims targeted, and the demonstrated capabilities in deploying the Python trapdoor and infiltrating victim networks.”