Major zero-day vulnerability in Palo Alto firewalls exploited to plant a Python backdoor
For weeks, unidentified threat actors have been exploiting a critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software, executing arbitrary code on vulnerable firewalls with root privileges.
Multiple security researchers have highlighted the campaign, including Palo Alto Networks’ own Unit 42, noting that a single group of threat actors has been exploiting a command-injection vulnerability since March 26, 2024.
This vulnerability is now tracked as CVE-2024-3400 and carries the maximum severity score (CVSS 10.0). The campaign, called MidnightEclipse, targeted firewalls running PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 with both a GlobalProtect gateway and device telemetry enabled, as only that configuration is vulnerable.
Very capable threat actor
The attackers used the vulnerability to place a Python-based backdoor on the firewall that Volexity, a separate security firm that observed the campaign in the wild, called UPSTYLE. While the motives behind the campaign are subject to speculation, researchers believe the endgame is to extract sensitive data. The researchers do not know exactly how many victims there are or whom the attackers mainly target. The threat actors have been provisionally named UTA0218.
“The attacker’s skill and speed indicate a highly capable threat actor with a clear playbook of what he needs to access to achieve his objectives,” the researchers said. “The original objectives of UTA0218 focused on obtaining the domain’s DPAPI backup keys and targeting Active Directory references by obtaining the NTDS.DIT file. They further targeted user workstations to retrieve stored cookies and credentials along with the users’ DPAPI keys.”
In its report, The Hacker News noted that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies an April 19 deadline to apply the patch or otherwise mitigate the threat.
“Targeting edge devices remains a popular attack vector for capable threat actors who have the time and resources to invest in investigating new vulnerabilities,” Volexity said.
“It is highly likely that UTA0218 is a state-sponsored threat actor, based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities shown to install the Python backdoor and further contact the victim networks.”