More attacks target recently patched critical flaw in Palo Alto Networks firewalls
Attackers have exploited the flaw since late March
After its initial discovery, Volexity was able to create a detection signature and went back through its customer telemetry to find past compromises. The earliest exploitation signs the company managed to find dated from March 26, but those incidents looked like attempts by UTA0218 to test the exploit without deploying a malicious payload, whereas by April 10, the threat actor had begun deploying a custom backdoor written in Python and dubbed UPSTYLE.
“After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims’ internal networks,” the Volexity researchers said in their report.
“They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion. The tradecraft and speed employed by the attacker suggest a highly capable threat actor with a clear playbook of what to access to further their objectives.”
Proof-of-concept exploit released
On April 16, researchers from security firm WatchTowr Labs managed to reconstruct the vulnerability by reverse engineering the PAN-OS code and published a technical write-up along with a proof-of-concept exploit in the form of an HTTP request with the payload injected into the cookie value.
The following day, GreyNoise, a company that monitors malicious traffic on the internet through a series of global sensors, reported a spike in the number of IP addresses attempting to exploit CVE-2024-3400. Palo Alto Networks has also updated its advisory to warn customers that it’s aware of an increasing number of attacks leveraging the vulnerability and that proof-of-concept exploit code is now publicly available.
The company has also released commands that PAN-OS users can execute on their devices in order to identify if there was an exploitation attempt, while the company’s threat research unit published indicators of compromise in a blog post analyzing the UPSTYLE backdoor.
