Rise in Exploitation of PAN-OS Vulnerability

Individual Attacks

April 18, 2024

On April 10, Volexity discovered a zero-day vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS that was being actively exploited against one of its network security monitoring customers. The Palo Alto Networks incident response team confirmed the vulnerability (CVE-2024-3400, CVSS 10/10) as an OS command injection issue that allows unauthenticated remote code execution. The threat actor, tracked by Volexity as UTA0218, was able to exploit the vulnerability remotely, create a reverse shell, and download further tools onto the device. Analysts determined that UTA0218 attempted to install a custom Python backdoor, dubbed UPSTYLE, on the firewall; UPSTYLE executes additional commands on the device in response to specially crafted network requests. UTA0218’s primary objective was to export configuration data from the affected devices and then move laterally within the victim organizations. Open-source scanning platforms have reported upwards of 150,000 vulnerable devices.
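The root cause named above, OS command injection, is easiest to understand in miniature. The following is an added illustration written for this advisory, not code from Palo Alto Networks, Volexity or PAN-OS: a hypothetical management endpoint that pings an operator-supplied host, shown first in the vulnerable shape (untrusted text interpolated into a shell command line) and then hardened with allow-list validation and an argv list that never reaches a shell. The sample inputs, function names and the "ping a host" scenario are all constructed for the example.

```python
"""Command injection in miniature: the vulnerable shape next to its hardened form.

Added illustration for this advisory, not Palo Alto Networks code. It models a
hypothetical management endpoint that pings an operator-supplied host. Nothing
is executed by default: the functions return the command that *would* run, so
the difference between the two patterns is visible and testable.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List

# Constructed sample inputs for the example (not real observed traffic).
CONSTRUCTED_BENIGN_INPUT = "203.0.113.5"
CONSTRUCTED_HOSTILE_INPUT = "203.0.113.5; id"

# RFC 1123 hostname labels: alphanumerics and '-', no leading or trailing '-'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")

# Tokens a POSIX shell treats as command separators or pipes.
_SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(host: str) -> str:
    """Vulnerable pattern: untrusted text interpolated into a shell command line.

    Handed to subprocess.run(..., shell=True) or os.system(), the shell parses
    ';', '|', '&&', '$()' and so on, so the caller decides what else runs.
    """
    return f"ping -c 1 {host}"


def shell_would_run(command: str) -> List[List[str]]:
    """Tokenise a command line roughly as a POSIX shell would and split it at
    separator tokens. Used only to *show* what the vulnerable pattern hands to
    the shell; no shell is invoked."""
    lexer = shlex.shlex(command, punctuation_chars=True)
    commands: List[List[str]] = [[]]
    for token in lexer:
        if token in _SEPARATORS:
            commands.append([])
        else:
            commands[-1].append(token)
    return [argv for argv in commands if argv]


def validate_host(host: str) -> str:
    """Allow-list validation: only an IP literal or an RFC 1123 hostname passes."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        if len(host) <= 253 and _HOSTNAME_RE.fullmatch(host):
            return host
    raise ValueError(f"rejected host value: {host!r}")


def is_accepted(host: str) -> bool:
    """Boolean view of validate_host for callers that only need yes/no."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def hardened_argv(host: str) -> List[str]:
    """Hardened pattern: the validated value is exactly one argv element, and
    subprocess.run(argv) without shell=True never starts a shell, so any
    metacharacters would be plain bytes inside a single argument."""
    return ["ping", "-c", "1", validate_host(host)]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """The real invocation (network side effect; not exercised by the test)."""
    return subprocess.run(hardened_argv(host), capture_output=True, text=True, timeout=10)


def shell_quoted(host: str) -> str:
    """Last resort when a shell is unavoidable: quote so the value stays one word.
    Validation remains the primary control; quoting alone is easy to get wrong."""
    return shlex.quote(host)


if __name__ == "__main__":
    print(shell_would_run(vulnerable_command(CONSTRUCTED_HOSTILE_INPUT)))
    print(hardened_argv(CONSTRUCTED_BENIGN_INPUT))
    print(is_accepted(CONSTRUCTED_HOSTILE_INPUT))
    print(shell_quoted(CONSTRUCTED_HOSTILE_INPUT))
```

The point of `shell_would_run` is to make the failure mode concrete without running anything: the vulnerable string tokenises into two separate commands, whereas the hardened path rejects the same input at validation and, even for accepted input, hands the shell nothing to parse.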

Recommendations

  • Immediately apply the PAN-OS hotfixes or upgrade to a fixed PAN-OS release. Previously published mitigations are not effective against CVE-2024-3400.
  • Review the indicators of compromise (IOCs) in the Palo Alto Networks threat brief and the additional resources in the CISA alert.

For any further questions, contact us here at Cyber Command.