2024-04-25

Critical PAN-OS Vulnerability CVE-2024-3400 Exploited by UTA0218, Volexity Reports

Level: Tactical | Source: Palo Alto & Volexity | Technology


Volexity researchers reported exploitation of the now-patched CVE-2024-3400 vulnerability in Palo Alto Networks' GlobalProtect firewall devices on April 12, 2024. This command injection vulnerability, rated a maximum CVSS score of 10, enables unauthenticated remote code execution on multiple versions of PAN-OS firewalls, including PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. Exploitation allows an attacker, specifically the group Volexity tracks as UTA0218, to execute arbitrary commands remotely on affected devices. UTA0218 exploited this vulnerability as early as March 26, 2024, with attempts to deploy malicious payloads following shortly after.

Post-exploitation observations by Volexity revealed the installation of a custom Python backdoor named UPSTYLE on compromised devices. The backdoor enables further malicious operations by accepting commands delivered through specially crafted network requests. Volexity reports, "The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations." The attackers also set up cron jobs to download and execute additional tools and established reverse shells for sustained access. "They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion. The tradecraft and speed employed by the attacker suggest a highly capable threat actor with a clear playbook of what to access to further their objectives."

In one noted intrusion, UTA0218 successfully pivoted within the compromised internal network, employing techniques such as command executions and leveraging SMB and WinRM to target internal network components. This included extracting the ntds.dit file and querying Windows event logs for remote sessions, demonstrating the group's intent to secure long-term access and extract high-value information.
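The lateral movement described above leaves a recognisable footprint: a single source touching the domain controller's ntds.dit while also opening SMB and WinRM sessions to other hosts. The following Python triage routine is an added example written for this summary, not code from Volexity or Palo Alto Networks; the flat event schema, host names, addresses and user names are all constructed for illustration, and only the well-known service ports for SMB (445) and WinRM (5985/5986) are assumed.

```python
"""Triage constructed host/network events for the post-exploitation
behaviours the summary describes: ntds.dit access and lateral movement
over SMB and WinRM. Added example; event schema and records are constructed."""
from collections import defaultdict

# Constructed sample events in a flat, SIEM-style normalised schema.
SAMPLE_EVENTS = [
    {"host": "dc01", "type": "file_read", "path": r"C:\Windows\NTDS\ntds.dit",
     "user": "svc-backup", "src": "10.0.5.23"},
    {"host": "dc01", "type": "net_conn", "dst_port": 445,
     "user": "svc-backup", "src": "10.0.5.23"},
    {"host": "fs02", "type": "net_conn", "dst_port": 5985,
     "user": "svc-backup", "src": "10.0.5.23"},
    {"host": "ws17", "type": "net_conn", "dst_port": 443,
     "user": "alice", "src": "10.0.9.4"},
    {"host": "fs02", "type": "file_read", "path": r"D:\shares\report.docx",
     "user": "alice", "src": "10.0.9.4"},
]

# Standard service ports used for the lateral-movement protocols named in the report.
LATERAL_PORTS = {445: "SMB", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}


def classify(event):
    """Return the list of behaviour tags for one event (empty if nothing of note)."""
    tags = []
    if event.get("type") == "file_read" and event.get("path", "").lower().endswith("ntds.dit"):
        tags.append("ntds.dit_access")
    if event.get("type") == "net_conn" and event.get("dst_port") in LATERAL_PORTS:
        tags.append("lateral_" + LATERAL_PORTS[event["dst_port"]])
    return tags


def triage(events):
    """Group tagged events by source address and score each source.

    A source that reads ntds.dit and also opens SMB/WinRM sessions to more
    than one host is marked 'high'; any other tagged source is 'review'.
    """
    by_src = defaultdict(lambda: {"tags": set(), "hosts": set()})
    for ev in events:
        tags = classify(ev)
        if tags:
            entry = by_src[ev["src"]]
            entry["tags"].update(tags)
            entry["hosts"].add(ev["host"])

    findings = {}
    for src, entry in by_src.items():
        lateral = any(t.startswith("lateral_") for t in entry["tags"])
        credential_theft = "ntds.dit_access" in entry["tags"]
        findings[src] = {
            "tags": sorted(entry["tags"]),
            "hosts": sorted(entry["hosts"]),
            "priority": "high" if (credential_theft and lateral and len(entry["hosts"]) > 1) else "review",
        }
    return findings


if __name__ == "__main__":
    for src, finding in triage(SAMPLE_EVENTS).items():
        print(src, finding)
```

The scoring deliberately requires the combination of behaviours rather than any one of them, since legitimate backup agents read ntds.dit and administrators use WinRM daily; in production the constructed schema would be replaced by the fields your log pipeline actually emits.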

Volexity's report and their collaboration with Palo Alto Networks have prompted a strong recommendation for affected customers to implement the released hotfixes to mitigate this critical vulnerability. While Volexity's report did not definitively attribute the activity to any particular group, researchers from VulnDB have suggested potential associations with BianLian/Lazarus, who may also be exploiting CVE-2024-3400.
