The PolySwarm Blog


Operation MidnightEclipse Leverages CVE-2024-3400

Apr 19, 2024 12:54:33 PM / by The Hivemind

Operation MidnightEclipse

Related Families: UPSTYLE

Executive Summary

Since late March 2024, a threat actor dubbed UTA0218 has been leveraging a zero-day exploit of CVE-2024-3400.

Key Takeaways

  • Since late March 2024, a threat actor dubbed UTA0218 has been leveraging a zero-day exploit of CVE-2024-3400 in a campaign tracked as Operation MidnightEclipse.
  • CVE-2024-3400 is a critical flaw affecting Palo Alto Networks PAN-OS software, which is used in GlobalProtect gateways. 
  • UTA0218 appears to be a sophisticated threat actor group bearing the hallmarks of a state-sponsored operation. 

The Campaign 

Since late March 2024, a threat actor dubbed UTA0218 has been leveraging a zero-day exploit of CVE-2024-3400. Volexity initially discovered the campaign, and Palo Alto’s Unit 42 issued a Threat Brief on this activity. 

Palo Alto Unit 42 dubbed the campaign Operation MidnightEclipse. Volexity noted the threat actors were able to remotely exploit a firewall, create a reverse shell, and download additional tools onto the victim device. The threat actor exported device configuration data and used it as an entry point for lateral movement in the victim organization. 

The threat actors also attempted to install UPSTYLE, a custom backdoor. Volexity described UPSTYLE as a Python-based backdoor that allows the threat actor to execute commands on the compromised device using specially crafted network requests. 

While little is known about the UTA0218 threat actor group, Volexity assesses the group to be sophisticated, bearing the hallmarks of a state-sponsored operation.

What is CVE-2024-3400?

CVE-2024-3400 is a critical flaw affecting Palo Alto Networks PAN-OS software, which is used in GlobalProtect gateways. It is a command injection vulnerability that allows an unauthenticated threat actor to execute arbitrary code with root privileges on the firewall. The vulnerability only applies to firewalls with both GlobalProtect gateway and device telemetry configurations enabled. The vulnerability has a maximum severity CVSS score of 10.0.


Affected PAN-OS versions include the following:

  • PAN-OS < 11.1.2-h3
  • PAN-OS < 11.0.4-h1
  • PAN-OS < 10.2.9-h1
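
The version list above is branch-specific and uses hotfix suffixes, so a naive string comparison gets it wrong (for example, 10.2.10 is not below 10.2.9-h1). The following script is an added example, not PolySwarm's or Palo Alto's code: it parses PAN-OS version strings with the optional -hN hotfix suffix, checks each against the threshold for its own major.minor branch as listed in this bulletin, and combines that with the two configuration preconditions named above (GlobalProtect gateway and device telemetry both enabled). Branches the bulletin does not list are reported as unknown rather than safe; the sample inventory is constructed.

```python
import re
from typing import Optional, Tuple

# Version thresholds as listed in the bulletin above: a release below the
# threshold within the same major.minor branch is affected. Branches the
# bulletin does not list are reported as unknown (None), not as safe.
THRESHOLDS = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.
    A release without a hotfix suffix sorts as hotfix 0, so 10.2.9 < 10.2.9-h1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def is_vulnerable_version(version: str) -> Optional[bool]:
    """True if below the threshold of its branch, False if at or above it,
    None if the branch is not covered by the bulletin's list."""
    parsed = parse_panos_version(version)
    threshold = THRESHOLDS.get(parsed[:2])
    if threshold is None:
        return None
    return parsed < parse_panos_version(threshold)

def exposure(version: str, gp_gateway: bool, telemetry: bool) -> str:
    """Combine the version check with the two configuration preconditions the
    bulletin names: GlobalProtect gateway AND device telemetry both enabled."""
    vuln = is_vulnerable_version(version)
    if vuln is None:
        return "unknown-branch: not in the list above, consult the vendor advisory"
    if not vuln:
        return "not-affected: at or above the threshold for its branch"
    if gp_gateway and telemetry:
        return "exposed: affected version with both preconditions enabled"
    return "affected-version: update; preconditions not both enabled"

if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real devices.
    for ver, gp, tel in [("10.2.8-h3", True, True), ("10.2.9-h1", True, True),
                         ("11.1.2-h2", True, False), ("9.1.16", True, True)]:
        print(f"{ver:10} gp={gp!s:5} telemetry={tel!s:5} -> {exposure(ver, gp, tel)}")
```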


Palo Alto’s Threat Brief on the campaign stated the company is working on a fix for the vulnerability. 

IOCs

PolySwarm has a sample associated with this activity.


3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac


You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f Upstyle


Topics: Threat Bulletin, UPSTYLE, Operation MidnightEclipse, CVE-2024-3400
