CVE-2024-3400 Vulnerability Hinges on Command Injection Flaw
Cyber attackers have been taking advantage of a recently revealed vulnerability in Palo Alto Networks PAN-OS software since March 26, 2024, almost three weeks before it was publicly disclosed. This activity, identified by Palo Alto Networks' Unit 42 division as Operation MidnightEclipse, is attributed to a single unidentified threat actor.
The security flaw, known as CVE-2024-3400 with a severity score of 10.0, allows unauthorized attackers to run arbitrary code with root privileges on affected firewalls. Notably, this vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 configurations with GlobalProtect gateway and device telemetry enabled.
Operation MidnightEclipse involves exploiting this flaw to set up a recurring task (a cron job) that fetches commands from an external server and executes them with the bash shell. The attackers meticulously manage an access control list on the command-and-control server so that only the compromised device can reach it.
Python Backdoor Suspected as Part of Attack
Although the specific commands remain undisclosed, it is suspected that a Python-based backdoor, tracked as UPSTYLE by Volexity, is delivered via a URL hosted on a separate server. This backdoor, upon execution, writes and runs another Python script responsible for executing the attacker's commands, with results logged in legitimate firewall files.
A notable aspect of this attack is the use of authentic firewall files both to receive commands and to write results. Commands are planted in the firewall's error log through crafted network requests to a non-existent web page: the failed request is logged, and the backdoor scans the log for a specific pattern, decodes the command it carries, and executes it.
To conceal traces of command output, which the backdoor writes into the firewall's bootstrap.min.css file, a function called "restore" is invoked to revert that file to its original state after 15 seconds, erasing evidence of the commands. Volexity observed the threat actor exploiting the firewall to establish a reverse shell, download tools, pivot into internal networks, and exfiltrate data, though the extent of the campaign remains uncertain. Volexity tracks the adversary as UTA0218.
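The two pieces of tradecraft described above, commands smuggled in via not-found requests that land in an error log and output written to bootstrap.min.css and reverted 15 seconds later, each leave a signal a defender can look for. The following script is an added example, not code from the article, Palo Alto Networks or Volexity: it scans an error log for not-found requests whose path carries a long high-entropy token, and it tracks the hash of a static asset across periodic snapshots to flag a modify-then-restore cycle. The log line format, the sample log lines, the stand-in CSS content and the snapshot timestamps are all constructed for this example and are not PAN-OS's real formats; the entropy and length thresholds are assumed starting points to tune against your own traffic.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed error-log format for this example (NOT PAN-OS's real log format):
# [timestamp] [error] client <ip>: File does not exist: <requested path>
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] client (?P<ip>\S+): File does not exist: (?P<path>\S+)$"
)

# Paths a web portal legitimately 404s on all day (assumed allowlist; extend from your baseline).
KNOWN_MISSING = {"/favicon.ico", "/robots.txt"}


def shannon_entropy(s: str) -> float:
    """Bits per character; long base64/hex blobs score well above ordinary path words."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_404s(log_text: str, min_token_len: int = 24, min_entropy: float = 3.5):
    """Return (timestamp, ip, path) for not-found requests whose path carries a long,
    high-entropy token. A command relayed through an error log has to ride in the
    request line, so an encoded payload shows up there rather than in a body."""
    hits = []
    for line in log_text.splitlines():
        m = ERROR_LINE.match(line)
        if not m or m.group("path") in KNOWN_MISSING:
            continue
        tokens = re.split(r"[/?&=._-]", m.group("path"))
        if any(len(t) >= min_token_len and shannon_entropy(t) >= min_entropy for t in tokens):
            hits.append((m.group("ts"), m.group("ip"), m.group("path")))
    return hits


def transient_modifications(snapshots, baseline_sha256: str, max_window_s: int = 15):
    """snapshots: [(epoch_seconds, file_bytes)] of one static asset, oldest first.
    Report every departure from the baseline hash and whether the file returned to
    baseline within max_window_s, the write-then-restore pattern. Note that a
    snapshot cadence longer than the restore delay will miss the modification
    entirely; inotify-style change events are the more reliable source."""
    events = []
    modified_at = None
    for ts, content in snapshots:
        digest = hashlib.sha256(content).hexdigest()
        if digest != baseline_sha256 and modified_at is None:
            modified_at = ts
        elif digest == baseline_sha256 and modified_at is not None:
            events.append({"modified_at": modified_at, "restored_at": ts,
                           "restored_within_window": ts - modified_at <= max_window_s})
            modified_at = None
    if modified_at is not None:  # still deviating at the end of the observation window
        events.append({"modified_at": modified_at, "restored_at": None,
                       "restored_within_window": False})
    return events


# Constructed sample data (the encoded token is base64 of a harmless sentence).
SAMPLE_LOG = """\
[2024-04-10T02:15:01Z] [error] client 198.51.100.7: File does not exist: /favicon.ico
[2024-04-10T02:15:09Z] [error] client 198.51.100.7: File does not exist: /global-protect/aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q
[2024-04-10T02:16:30Z] [error] client 203.0.113.5: File does not exist: /old/help.html
"""

ORIGINAL_CSS = b"/* constructed stand-in for bootstrap.min.css */ .btn{color:#fff}"
BASELINE = hashlib.sha256(ORIGINAL_CSS).hexdigest()
SAMPLE_SNAPSHOTS = [
    (1712715300, ORIGINAL_CSS),
    (1712715305, ORIGINAL_CSS + b"/* bytes appended between snapshots */"),
    (1712715310, ORIGINAL_CSS),  # back to baseline five seconds later
]

if __name__ == "__main__":
    for hit in suspicious_404s(SAMPLE_LOG):
        print("suspicious not-found request:", hit)
    for ev in transient_modifications(SAMPLE_SNAPSHOTS, BASELINE):
        print("asset integrity event:", ev)
```

Run against the constructed data, the first check flags only the request with the encoded token (the favicon and stale-help 404s are ignored), and the second reports one modification that was restored within the 15-second window. In practice the baseline hash should come from the vendor image or a known-good device, and the 404 allowlist from a period of traffic you trust.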