Since late March 2024, a threat actor dubbed UTA0218 has been leveraging a zero-day exploit of CVE-2024-3400.
Key Takeaways
The Campaign
Palo Alto Unit 42 dubbed the campaign Operation MidnightEclipse. Volexity noted the threat actors were able to remotely exploit a firewall, create a reverse shell, and download additional tools onto the victim device. The threat actor exported device configuration data and used it as an entry point for lateral movement in the victim organization.
The threat actors also attempted to install UPSTYLE, a custom backdoor. Volexity described UPSTYLE as a Python-based backdoor that allows the threat actor to execute commands on the compromised device using specially crafted network requests.
While little is known about the UTA0218 threat actor group, Volexity assesses the group to be sophisticated, bearing the hallmarks of a state-sponsored operation.
What is CVE-2024-3400?
CVE-2024-3400 is a critical flaw affecting Palo Alto Networks PAN-OS software, which is used in GlobalProtect gateways. It is a command injection vulnerability that allows an unauthenticated threat actor to execute arbitrary code with root privileges on the firewall. The vulnerability only applies to firewalls with both GlobalProtect gateway and device telemetry configurations enabled. The vulnerability has a maximum severity CVSS score of 10.0.
Affected PAN-OS versions include the following:
Palo Alto’s Threat Brief on the campaign stated the company is working on a fix for the vulnerability.
IOCs
PolySwarm has a sample associated with this activity.
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f Upstyle
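The two artefacts this post gives a defender to work with are the file hash in the IOCs section and the description of UPSTYLE as a backdoor that takes commands from specially crafted network requests. The following Python is an added triage helper, not code from the original post, from Volexity or from PolySwarm: it matches file digests against the hash quoted above, and scans web-access log lines for query-string values that decode from base64 to printable, shell-like text. The log format, the `cmd=` query-string carrier, the heuristic and the sample lines are all constructed assumptions for the demonstration; they are not the actual UPSTYLE command channel.

```python
"""Added example (not the post's or the vendors' code): triage helper for a
hash IoC and for base64-carried command text in web-access logs.
The log shape and the query-string carrier are assumptions, not UPSTYLE's
real protocol."""
import base64
import binascii
import hashlib
import re
import string
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# SHA-256 quoted in the post's IOCs section.
KNOWN_BAD_SHA256 = {
    "3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac",
}

# Constructed sample access-log lines in a generic combined-log shape
# (not real PAN-OS output). Line 2 carries base64 for "id; uname -a";
# line 3 carries base64 for the harmless string "abcd".
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2024:02:11:09 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 5123',
    '10.0.0.9 - - [15/Apr/2024:02:12:41 +0000] "GET /ssl-vpn/portal.esp?cmd=aWQ7IHVuYW1lIC1h HTTP/1.1" 200 11',
    '10.0.0.9 - - [15/Apr/2024:02:12:42 +0000] "GET /ssl-vpn/static/logo.png?v=YWJjZA%3D%3D HTTP/1.1" 200 4096',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A plausible base64 token: at least 12 alphabet characters plus optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
# Characters that make decoded text look like a shell command line (heuristic).
SHELL_HINTS = set(" ;|&$`")


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string (use on file contents during triage)."""
    return hashlib.sha256(data).hexdigest()


def is_known_bad_digest(digest: str) -> bool:
    """True if the digest matches the IoC list, case-insensitively."""
    return digest.lower() in KNOWN_BAD_SHA256


def decode_if_command(token: str) -> Optional[str]:
    """Return decoded text if token is valid base64 for printable, shell-like ASCII."""
    if not B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        # Bad length/padding, non-alphabet bytes, or non-ASCII output.
        return None
    if not all(c in string.printable for c in text):
        return None
    if not any(c in SHELL_HINTS for c in text):
        return None
    return text


def scan_access_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, request target, decoded text) for suspicious requests."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        # parse_qsl percent-decodes values, so %3D padding is handled.
        for _key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            decoded = decode_if_command(value)
            if decoded is not None:
                hits.append((lineno, target, decoded))
    return hits


if __name__ == "__main__":
    for lineno, target, decoded in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {target} -> decoded {decoded!r}")
```

Only line 2 of the sample is reported: line 1 has no query string, and line 3's value is both too short for the token pattern and decodes to text with no command-like characters. The heuristic is deliberately loose, so run it over a baseline of known-good logs first and tune the minimum token length and the hint set before trusting it as an alert source.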
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.