On April 10, 2024, Volexity announced the identification of a zero-day exploit targeting a critical vulnerability in Palo Alto Networks’ GlobalProtect, a feature of its PAN-OS. This discovery was made during their routine network security monitoring, where alerts indicated suspicious traffic from one of their client's firewalls. A deeper investigation revealed that the firewall had been compromised.
The following day, April 11, similar exploitation was detected at another customer site, attributed to the same threat actor, tracked as UTA0218. "We confirmed that the actor was able to remotely exploit the firewall device and establish a reverse shell, allowing the download of additional tools," said a member of the Volexity threat research team, highlighting the severity of the breach.
Evidence gathered indicated that the attacker targeted configuration data from the compromised devices to facilitate lateral movement within the affected organizations. Volexity worked in close collaboration with Palo Alto Networks' Product Security Incident Response Team (PSIRT) to pinpoint the root cause of the security concern.

Through this joint effort, PSIRT determined that the vulnerability is an OS command injection flaw, officially cataloged as CVE-2024-3400. It received a CVSS base score of 10.0, signifying a critical threat level. "It's vital for organizations to understand the implications of this vulnerability and act swiftly to mitigate risks," emphasized a Palo Alto Networks spokesperson.
During Volexity's investigation, it was noted that UTA0218 attempted to deploy a custom Python backdoor, nicknamed UPSTYLE, onto the firewall. This malicious software could execute further commands on the device in response to specially crafted network requests. "These types of backdoors are particularly dangerous as they allow attackers persistent access to compromised systems," the Volexity report emphasized.
Widening the scope of their investigation, Volexity uncovered instances of successful exploitation dating as far back as March 26, 2024. Initial actions taken by UTA0218 involved placing zero-byte files onto firewall devices, presumably to confirm that the vulnerability could be exploited before executing full-scale attacks. "Our data shows that this was a testing phase for the threat actor, trying to figure out the best approach," remarked a security analyst at Volexity.

By the Numbers
On April 7, 2024, Volexity recorded an unsuccessful attempt by the actor to deploy a backdoor on a customer firewall. Within a few days, however, the actor successfully exploited devices and deployed malicious payloads on April 10, and followed similar tactics on April 11. This systematic progression revealed a clear operational methodology and marked a further escalation in the actor's activity.
Given the critical nature of CVE-2024-3400, organizations using GlobalProtect are urged to remain vigilant and apply available security updates promptly. As the cybersecurity landscape evolves, proactive threat assessments and robust incident response plans become increasingly essential. Effectively countering sophisticated threats like those posed by UTA0218 will require continuous monitoring and up-to-date security measures.