15 April 2024

Palo Alto PAN-OS zero-day vulnerability exploited to deploy a Python backdoor

Threat actors have been exploiting a recently disclosed vulnerability in Palo Alto Networks’ PAN-OS software as a zero-day to deploy a Python backdoor since at least March 2024.

Tracked as CVE-2024-3400, the issue is a command injection flaw in the GlobalProtect feature that may allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not affected by this vulnerability, and neither are other versions of PAN-OS.

The vulnerability was discovered by cybersecurity firm Volexity while it was investigating suspicious traffic emanating from its customers’ firewalls. Upon closer examination, the company found that a threat actor, tracked as UTA0218, had attempted to install a custom Python backdoor named “Upstyle” on the compromised firewall device. The backdoor allows the attacker to execute additional commands on the device via specially crafted network requests.

In the observed cases, the attackers downloaded additional tooling from remote servers to gain access to the victims’ internal networks. The threat actor then stole sensitive credentials and other files that would enable access during and potentially after the intrusion.

“The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives. Volexity is not currently able to provide an estimate as to the scale of exploitation taking place. It is likely the firewall device exploitation, followed by hands-on-keyboard activity, was limited and targeted,” the company said.

Palo Alto has published additional technical details on the campaign, which it tracks as ‘Operation MidnightEclipse.’

Last May, US-based email and network security solutions provider Barracuda Networks revealed that China-linked threat actors had been exploiting a zero-day vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliances for nearly eight months to backdoor devices. In December, the same hacker group was observed exploiting another zero-day vulnerability (CVE-2023-7102) in Barracuda’s ESG appliances to deploy new variants of Seaspy and Saltwater malware.
