Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

MITRE Techniques

• [T1068 ] Exploitation for Privilege Escalation – The buffer overflow allowed the attacker to gain root privileges on the firewall after unauthenticated access (‘allows an unauthenticated attacker to execute arbitrary code with root privileges’).
• [T1190 ] Exploit Public-Facing Application – The exposed User-ID Authentication Portal was targeted over network traffic to achieve initial compromise (‘sending specially crafted packets through network traffic’).
• [T1055 ] Process Injection – The attacker injected shellcode into an nginx worker process after successful exploitation (‘the attacker was able to inject shellcode into an nginx worker process’).
• [T1021.002 ] Remote Services: SMB/Windows Admin Shares – Not explicitly described as SMB, but Active Directory targeting and lateral access imply network-based internal administration after compromise (‘conducted Active Directory (AD) enumeration’).
• [T1087.002 ] Account Discovery: Domain Account – The attackers enumerated Active Directory identities and domains using credentials likely obtained from the firewall (‘using the firewall’s service account credentials to target domain root and DomainDnsZones’).
• [T1070.004 ] File Deletion – They removed crash core dumps, nginx crash entries, and other evidence to hinder investigation (‘deleting nginx crash entries and nginx crash records, as well as removing crash core dump files’).
• [T1070.001 ] Clear Windows Event Logs – The campaign included log cleanup to reduce detection, including audit-log evidence removal (‘deleted ptrace injection evidence from the audit log’).
• [T1090 ] Proxy – EarthWorm and ReverseSocks5 were used to create SOCKS5 tunnels and proxy traffic through the compromised environment (‘initiates a forward SOCKS5 server’ / ‘creates a SOCKS5 proxy tunnel’).
• [T1572 ] Protocol Tunneling – EarthWorm encapsulated traffic such as RDP and SSH within SOCKS tunnels to move covertly (‘encapsulates traffic for protocols like RDP and SSH within SOCKS tunnels’).
• [T1078 ] Valid Accounts – The attackers used credentials likely obtained from the firewall to perform AD enumeration and later access (‘using the firewall’s service account credentials’).