15 April 2024

Palo Alto PAN-OS zero-day vulnerability exploited to deploy a Python backdoor

Threat actors have been exploiting a recently disclosed vulnerability in Palo Alto Networks' PAN-OS software as a zero-day to deploy a Python backdoor since at least March 2024.

Tracked as CVE-2024-3400, the issue is a command injection flaw in the GlobalProtect feature that may allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. Only PAN-OS 10.2, 11.0 and 11.1 firewalls with a GlobalProtect gateway or portal configured are affected; Cloud NGFW, Panorama appliances, Prisma Access and other PAN-OS versions are not impacted.

The vulnerability was discovered by cybersecurity firm Volexity while investigating suspicious traffic emanating from its customers' firewalls. Upon closer examination, the company found that a threat actor, tracked as UTA0218, had attempted to install a custom Python backdoor named "Upstyle" on the compromised firewall device. The backdoor allows the attacker to execute additional commands on the device via specially crafted network requests.

In the observed cases, the attackers downloaded additional tooling from remote servers to gain access to the victims’ internal networks. The threat actor then stole sensitive credentials and other files that would enable access during and potentially after the intrusion.

“The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives. Volexity is not currently able to provide an estimate as to the scale of exploitation taking place. It is likely the firewall device exploitation, followed by hands-on-keyboard activity, was limited and targeted,” the company said.

Palo Alto has published additional technical details on the campaign, which it tracks as ‘Operation MidnightEclipse.’

Last May, US-based email and network security solutions provider Barracuda Networks revealed that China-linked threat actors had been exploiting a zero-day vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliances for nearly eight months to backdoor devices. In December, the same hacker group was observed exploiting another zero-day vulnerability (CVE-2023-7102) in Barracuda’s ESG appliances to deploy new variants of Seaspy and Saltwater malware.
