
🔒 Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack 🔒

Threat actors have been exploiting the recently disclosed zero-day flaw in Palo Alto Networks PAN-OS software since March 26, 2024, almost three weeks before its disclosure yesterday.

The network security company’s Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it to a single threat actor of unknown provenance.

The security vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection flaw enabling unauthenticated attackers to execute arbitrary code with root privileges on the firewall.

This issue affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations with GlobalProtect gateway and device telemetry enabled.

Operation MidnightEclipse involves exploiting the flaw to create a cron job that runs every minute to fetch commands hosted on an external server (“172.233.228[.]93/policy” or “172.233.228[.]93/patch”), which are then executed using the bash shell.

The attackers manually manage an access control list (ACL) for the command-and-control (C2) server to ensure access only from the communicating device. While the exact nature of the command is unknown, it’s suspected to deliver a Python-based backdoor, named UPSTYLE by Volexity, hosted on a different server (“144.172.79[.]92” and “nhdata.s3-us-west-2.amazonaws[.]com”).

The Python file writes and launches another Python script (“system.pth”), which decodes and runs the embedded backdoor component. That component executes the threat actor’s commands, which it reads from a file called “sslvpn_ngx_error.log,” and writes the results to “bootstrap.min.css.”

Both files used in the attack chain are legitimate files associated with the firewall:

  • /var/log/pan/sslvpn_ngx_error.log
  • /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css

Commands are written to the web server error log by forging specially crafted network requests to a non-existent web page containing a specific pattern. The backdoor parses the log file and searches for a line matching a regular expression (“img\[([a-zA-Z0-9+/=]+)\]”) to decode and run the command within it.
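A defender can hunt for the same marker the backdoor looks for. The following added example (not code from Unit 42, Volexity or the original article) scans error-log lines for the quoted pattern, with the square brackets escaped so they match literally, and decodes each hit for triage without executing it; the function name `scan_log` and the sample log lines are constructed for illustration.

```python
import base64
import binascii
import re

# Pattern reported for the backdoor's command lookup. The square brackets
# are escaped so that they match literally.
MARKER = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")


def scan_log(lines):
    """Return (line_no, token, decoded_or_None) for every marker found.

    The token is decoded for analyst triage only; nothing is executed.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in MARKER.finditer(line):
            token = match.group(1)
            try:
                raw = base64.b64decode(token, validate=True)
                decoded = raw.decode("utf-8", errors="replace")
            except (binascii.Error, ValueError):
                # Marker present but not valid base64: still worth a look.
                decoded = None
            findings.append((line_no, token, decoded))
    return findings


# Constructed sample lines, loosely shaped like web server error-log entries.
# Paths, timestamps and the client address are made up for illustration.
SAMPLE_LOG = [
    '2024/04/10 12:00:01 [error] 100#0: open() "/docs/favicon.ico" failed, client: 192.0.2.10',
    '2024/04/10 12:00:07 [error] 100#0: open() "/docs/img[ZWNobyB0ZXN0]" failed, client: 192.0.2.10',
    '2024/04/10 12:00:09 [error] 100#0: open() "/docs/img[abc]" failed, client: 192.0.2.10',
]

if __name__ == "__main__":
    for line_no, token, decoded in scan_log(SAMPLE_LOG):
        status = repr(decoded) if decoded is not None else "not valid base64"
        print(f"line {line_no}: token={token} decoded={status}")
```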

Unit 42 notes, “The script will then create another thread that runs a function called restore,” which restores the original content of “bootstrap.min.css” after 15 seconds to avoid leaving traces of the command outputs.

Volexity observed the threat actor remotely exploiting the firewall to create a reverse shell, download additional tools, pivot into internal networks, and exfiltrate data. The scale of the campaign is presently unclear, but the adversary has been assigned the moniker UTA0218 by the company.

Organizations are advised to monitor for signs of lateral movement internally from their Palo Alto Networks GlobalProtect firewall device.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by April 19 to mitigate potential threats. Palo Alto Networks is expected to release fixes for the flaw no later than April 14.

“Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest in researching new vulnerabilities,” Volexity stated.

“It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”
