State-Sponsored Hackers Exploit Palo Alto Networks Zero-Day Since March to Infiltrate Firewalls

April 13, 2024

Hackers suspected of being state-sponsored have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls, tracked as CVE-2024-3400, since at least March 26, using the compromised devices to pivot into internal networks and steal data and credentials. Palo Alto Networks warned of active exploitation of the flaw, an unauthenticated command injection in the GlobalProtect feature of its PAN-OS firewall software that yields remote code execution with root privileges, with patches expected by April 14.

The company chose to disclose the flaw and publish mitigations so customers could protect their devices until patches shipped. Volexity, the firm that discovered the zero-day, published further details on how it has been exploited since March: the attackers install a custom backdoor on the firewall, then use it to reach the target's internal network and steal data.

Volexity tracks the threat actor as UTA0218 and assesses it to be state-backed. The firm detected exploitation of the zero-day in the GlobalProtect feature of PAN-OS on April 10, 2024, and alerted the vendor. The following day it observed identical exploitation at another customer: the attackers created a reverse shell back to their own infrastructure and downloaded further payloads onto the device.

Investigation showed that the threat actors had been exploiting CVE-2024-3400 since at least March 26 but did not deploy payloads until April 10. One of the payloads is a custom implant called 'Upstyle', written for PAN-OS to act as a backdoor and execute commands on compromised devices. It is installed by a Python script that writes a path configuration (.pth) file into the device's Python site directory; the interpreter processes such files at start-up, which is what gives the implant persistence.
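The .pth mechanism is an ordinary CPython feature rather than anything specific to PAN-OS: the site module reads every *.pth file in a site directory, and any line beginning with "import " is executed as code instead of being treated as a path. The following is an added example, not Volexity's or Palo Alto Networks' code and not the real installer: it shows that behaviour in a throwaway directory and then scans .pth files for import lines that do more than import a module. The file names, the environment-variable marker and the suspicion heuristics are all constructed for the demo.

```python
import os
import re
import site
import tempfile
from pathlib import Path

# site executes a .pth line only if it starts exactly with "import" plus a space or tab.
PTH_IMPORT_LINE = re.compile(r"^import[ \t]")
# Heuristics (assumed, not from the page) for an import line that carries real code:
# statement separators and the usual execution primitives.
SUSPICIOUS = re.compile(
    r";|\bexec\b|\beval\b|\bcompile\b|\bsubprocess\b|os\.system|base64|__import__"
)


def write_demo_site_dir() -> Path:
    """Create a throwaway site directory with one benign and one malicious .pth (constructed)."""
    d = Path(tempfile.mkdtemp(prefix="pth-demo-"))
    (d / "benign.pth").write_text("/opt/vendor/lib\nimport sys\n")
    # Constructed persistence line: arbitrary code runs whenever this directory is processed.
    (d / "evil.pth").write_text("import os; os.environ['PTH_DEMO_RAN'] = '1'\n")
    return d


def pth_executes_code(site_dir: Path) -> bool:
    """Demonstrate the mechanism: processing the directory runs the import line."""
    os.environ.pop("PTH_DEMO_RAN", None)
    site.addsitedir(str(site_dir))  # the same routine the interpreter runs at start-up
    return os.environ.get("PTH_DEMO_RAN") == "1"


def scan_pth_files(site_dir) -> list:
    """Return (file name, line number, line) for import lines that look like code, not imports."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if PTH_IMPORT_LINE.match(line) and SUSPICIOUS.search(line):
                findings.append((pth.name, lineno, line.strip()))
    return findings


def scan_interpreter_site_dirs() -> list:
    """Run the scan over this interpreter's real site directories."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [hit for d in dirs if os.path.isdir(d) for hit in scan_pth_files(d)]


if __name__ == "__main__":
    demo = write_demo_site_dir()
    print("import line executed:", pth_executes_code(demo))
    for name, lineno, line in scan_pth_files(demo):
        print(f"suspicious {name}:{lineno}: {line}")
    print("real site dirs:", scan_interpreter_site_dirs() or "nothing flagged")
```

Any .pth file whose import line contains a semicolon or an execution primitive deserves a manual look; legitimate .pth files are almost always bare paths or a single module import. Note that this scans only the interpreter running the script; on an appliance the relevant site directory is the one used by the vendor's own Python.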

The Upstyle backdoor works entirely through files the firewall already has. It watches the web server's error log for lines carrying a base64-encoded command, extracts the command with a regular expression, decodes and executes it, and appends the output to a legitimate CSS file served by the firewall, from which the attacker retrieves it with an ordinary web request. The implant then restores the original CSS content and removes the log line, so the artefacts of any one command exist only briefly.

Beyond the backdoor, the threat actors deployed further payloads to start reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunnelling tool GOST. From the networks behind the firewalls they stole sensitive Windows files, including the Active Directory database, and Google Chrome and Microsoft Edge profile data holding saved credentials and authentication cookies.

Volexity described two ways to check whether a Palo Alto Networks firewall has been compromised. One is still being developed together with Palo Alto Networks; the other is to search the firewall's web server error log for the implant's command pattern and to check the CSS file it writes to for appended command output. Because the implant cleans up both artefacts after each command, a clean result from a single check is not proof the device is untouched.
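As an added example that is not Volexity's or Palo Alto Networks' own check, here is what the log-and-CSS method described above amounts to in code, covering both halves of the backdoor's command loop: decoding bracketed base64 tokens out of error-log lines, and comparing the served CSS file against a known-good copy to recover anything appended to it. The log format, the bracketed token pattern, the CSS contents and the sample command are all constructed for this example; the real implant's regular expression is not given on the page and is not reproduced here.

```python
import base64
import hashlib
import re

# Constructed sample of a GlobalProtect web server error log in an nginx-like
# format assumed for this example. Line 2 carries base64 for "id; uname -a".
SAMPLE_ERROR_LOG = """\
2024/04/10 12:00:01 [error] 1234#0: *55 open() "/global-protect/img/logo.png" failed (2: No such file or directory)
2024/04/10 12:00:07 [error] 1234#0: *56 open() "/global-protect/img[aWQ7IHVuYW1lIC1h]" failed (2: No such file or directory)
2024/04/10 12:00:09 [error] 1234#0: *57 SSL_do_handshake() failed
"""

# Known-good copy of the CSS file (constructed). In practice take it from a clean
# image of the same PAN-OS version and pin its hash.
CSS_KNOWN_GOOD = b".navbar{display:flex}\n.btn{color:#fff}\n"

# A run of base64 characters inside square brackets, e.g. in a request path.
# Legitimate requests do not carry this; the shape is assumed for illustration.
CMD_PATTERN = re.compile(r"\[([A-Za-z0-9+/=]{8,})\]")


def extract_commands(log_text: str) -> list:
    """Return (line number, decoded command) for log lines carrying a base64 token."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in CMD_PATTERN.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not base64 text, so not what we are hunting
            hits.append((lineno, decoded))
    return hits


def check_css(css_bytes: bytes, known_good: bytes) -> tuple:
    """Compare the served CSS with the known-good copy.

    Returns ("clean", b"") when the hashes match, ("appended", extra) when the file
    is the known-good content plus trailing data (command output), and
    ("modified", b"") for any other change that needs a manual diff.
    """
    if hashlib.sha256(css_bytes).digest() == hashlib.sha256(known_good).digest():
        return ("clean", b"")
    if css_bytes.startswith(known_good):
        return ("appended", css_bytes[len(known_good):])
    return ("modified", b"")


if __name__ == "__main__":
    for lineno, cmd in extract_commands(SAMPLE_ERROR_LOG):
        print(f"error log line {lineno}: decoded command {cmd!r}")
    tampered = CSS_KNOWN_GOOD + b"uid=0(root) gid=0(root)\nLinux fw 3.10.0\n"
    print(check_css(CSS_KNOWN_GOOD, CSS_KNOWN_GOOD))
    print(check_css(tampered, CSS_KNOWN_GOOD))
```

Run the log check over every rotated copy of the error log, not just the live file, and fetch the CSS from disk rather than over HTTPS so a listener cannot serve the clean version on request. Since the implant restores the CSS and strips the log line after each command, schedule the comparison to run frequently or take filesystem snapshots; a single clean run shows only that no command was in flight at that moment.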

Edge network devices are commonly exposed to the internet and typically cannot run endpoint security agents, which makes them prime targets for threat actors seeking data and an initial foothold in a network. State-sponsored campaigns have previously targeted Fortinet, SonicWall, Cisco, TP-Link, and Barracuda devices.
