Critical Vulnerability (CVE-2024-3400) Impacting Palo Alto Networks PAN-OS Software Exploited in Limited Attacks

By Deepwatch Adversary Tactics and Intelligence

Estimated Reading Time: 2 minutes

Updated 4/18 to include the latest observed post-exploitation activity and mitigation advice

What You Need to Know

Deepwatch has seen widespread exploitation attempts of the critical Remote Code Execution (RCE) vulnerability CVE-2024-3400. This RCE vulnerability holds the highest CVSS severity score of 10.0, indicating a potential for significant impact. 

CVE-2024-3400 impacts PAN-OS versions 11.1, 11.0, and 10.2, with GlobalProtect gateway and device telemetry configurations enabled. 

Palo Alto released hotfixes for 11.1.2-h3, 11.0.4-h1, and 10.2.9-h1 on 14 April 2024.

As detailed by Volexity, the threat actor remotely exploited the firewall device, created a reverse shell, and downloaded further tools onto the device. The actor’s objective focused on exporting device configuration data and leveraging compromised devices to move laterally within victim organizations. Volexity also observed that the threat actor attempted to install a custom Python backdoor, UPSTYLE, on the firewall. The UPSTYLE backdoor allows the threat actor to execute additional commands on the device via specially crafted network requests. 

After successfully exploiting devices, the threat actor downloaded additional tooling from remote servers under their control to facilitate persistent access to victims’ internal networks. They then moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion. The tradecraft and speed employed suggest a competent threat actor with a clear playbook for what to access to achieve their objectives. While Deepwatch has observed exploitation in a subset of our customers, the overall scale of exploitation is unknown. However, exploitation followed by hands-on-keyboard activity is likely limited and targeted.

What You Need to Do

Now that hotfixes are available, we strongly urge all affected organizations to patch immediately, given the severe risk posed and the wider exploitation observed.

Organizations that cannot update at this time, or that want an additional layer of protection, can block attacks against this vulnerability using Threat IDs 95187, 95189, and 95191 if they have a Palo Alto Threat Prevention subscription (available in Applications and Threats content version 8836-8695 and later). Monitor Palo Alto’s advisory and new Threat Prevention content updates for additional Threat IDs related to CVE-2024-3400.

To apply the Threat IDs, customers must ensure that vulnerability protection has been applied to their GlobalProtect interface; the signatures only block exploitation attempts on traffic that the profile inspects.

In earlier versions of Palo Alto’s advisory, they recommended disabling device telemetry as a secondary mitigation action. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability. Therefore, disabling device telemetry is no longer an effective mitigation. 

Additionally, customers should monitor and block known computed and atomic indicators and leverage YARA rules associated with this threat. However, remember that, based on the Pyramid of Pain, computed and atomic indicators are among the easiest for adversaries to change and cost them little. 

Deepwatch is currently reviewing impacted customer environments for suspicious activity related to this exploit and performing detection research using currently available IOCs and TTPs. Customers will be notified by their customer success manager of any identified issues.
