Summary:
Darktrace’s Threat Research team has identified a significant increase in exploitation and post-exploitation activities targeting Palo Alto firewall devices, particularly following the disclosure of vulnerabilities CVE-2024-0012 and CVE-2024-9474. The report highlights the need for anomaly-based detection to combat evolving threats effectively.
#PaloAltoThreats #AnomalyDetection #FirewallExploitation
Key points:
- Darktrace observed a spike in exploitation of Palo Alto firewall devices in late November 2024.
- Vulnerabilities CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (privilege escalation) were exploited.
- Post-exploitation activities included command and control (C2) connectivity, reconnaissance, and cryptomining.
- Initial payload retrieval involved the use of command line utilities like curl and Wget.
- Threat actors utilized the Sliver C2 platform for communication and payload delivery.
- Patterns of anomalous behavior were detected across multiple customer devices.
- Darktrace emphasizes the importance of anomaly-based detection in identifying these threats.
MITRE Techniques:
- Initial Access (T1190): Exploits vulnerabilities in public-facing applications to gain access.
- Execution (T1059): Uses command line interfaces to execute commands and scripts.
- Persistence (T1505): Deploys web shells to maintain access to compromised devices.
- Command and Control (T1071): Utilizes application layer protocols for C2 communication.
- Impact (T1496): Engages in resource hijacking, such as cryptomining activities.
IoC:
- [IP] 46.8.226.75
- [IP] 38.180.147.18
- [IP] 77.221.158.154
- [URL] bristol-beacon-assets.s3.amazonaws[.]com
- [URL] repositorylinux[.]org/linux.sh
- [URL] repositorylinux[.]org/cron.sh
- [SHA1] 90f6890fa94b25fbf4d5c49f1ea354a023e06510
- [SHA1] 8d82ccdb21425cf27b5feb47d9b7fb0c0454a9ca
- [SHA1] fefd0f93dcd6215d9b8c80606327f5d3a8c89712
- [SHA1] e5464f14556f6e1dd88b11d6b212999dd9aee1b1
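The indicators above are defanged (`[.]`), so they cannot be matched against raw telemetry as-is. The following is an added example, not Darktrace's code: it parses the IoC list exactly as printed, refangs it, and sweeps a handful of constructed proxy, DNS and endpoint log lines for the listed IPs, hosts/URLs and SHA1 hashes. It also flags a curl/Wget user agent as a weaker signal, since the report notes those utilities were used for initial payload retrieval; the log format and the `UA` heuristic are assumptions of this example, not something the page specifies.

```python
"""Added example: sweep constructed log lines for the page's IoCs.
Not Darktrace's code. IoC values are copied from the page; log lines
and the curl/Wget user-agent heuristic are constructed assumptions."""
import re
from dataclasses import dataclass, field

# The IoC list from the page, in its defanged form.
IOC_TEXT = """
- [IP] 46.8.226.75
- [IP] 38.180.147.18
- [IP] 77.221.158.154
- [URL] bristol-beacon-assets.s3.amazonaws[.]com
- [URL] repositorylinux[.]org/linux.sh
- [URL] repositorylinux[.]org/cron.sh
- [SHA1] 90f6890fa94b25fbf4d5c49f1ea354a023e06510
- [SHA1] 8d82ccdb21425cf27b5feb47d9b7fb0c0454a9ca
- [SHA1] fefd0f93dcd6215d9b8c80606327f5d3a8c89712
- [SHA1] e5464f14556f6e1dd88b11d6b212999dd9aee1b1
"""

IOC_LINE = re.compile(r"^\s*-?\s*\[(IP|URL|SHA1)\]\s+(\S+)\s*$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA1 = re.compile(r"\b[0-9a-fA-F]{40}\b")
# Weak signal from the report: payloads were fetched with curl / Wget.
CLI_UA = re.compile(r"\b(curl|wget)/\d", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo common defanging so indicators compare equal to real log data."""
    return (value.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    urls: list = field(default_factory=list)   # host or host/path strings
    sha1s: set = field(default_factory=set)


def parse_iocs(text: str) -> IocSet:
    """Parse '[TYPE] value' lines into typed, refanged indicator sets."""
    iocs = IocSet()
    for raw in text.splitlines():
        m = IOC_LINE.match(raw)
        if not m:
            continue
        kind, value = m.group(1), refang(m.group(2))
        if kind == "IP":
            iocs.ips.add(value)
        elif kind == "URL":
            iocs.urls.append(value)
        else:
            iocs.sha1s.add(value.lower())
    return iocs


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # IP, URL, SHA1, or UA (heuristic)
    value: str


def scan_logs(lines, iocs: IocSet) -> list:
    """Return every indicator hit found in the given log lines."""
    hits = []
    # Anchor on non-identifier characters so 'repositorylinux.org' does
    # not fire on 'notrepositorylinux.org'.
    url_patterns = [(u, re.compile(r"(?<![\w.-])" + re.escape(u) + r"(?![\w-])"))
                    for u in iocs.urls]
    for no, line in enumerate(lines, start=1):
        for ip in IPV4.findall(line):
            if ip in iocs.ips:
                hits.append(Hit(no, "IP", ip))
        for url, pat in url_patterns:
            if pat.search(line):
                hits.append(Hit(no, "URL", url))
        for digest in SHA1.findall(line):
            if digest.lower() in iocs.sha1s:
                hits.append(Hit(no, "SHA1", digest.lower()))
        ua = CLI_UA.search(line)
        if ua:
            hits.append(Hit(no, "UA", ua.group(0)))
    return hits


# Constructed log lines in a generic key=value layout (not real telemetry).
SAMPLE_LOGS = [
    '2024-11-20T10:01:02Z proxy src=10.0.0.5 dst=46.8.226.75 method=GET '
    'url="http://repositorylinux.org/linux.sh" ua="curl/8.4.0"',
    '2024-11-20T10:01:09Z dns src=10.0.0.5 q=bristol-beacon-assets.s3.amazonaws.com',
    '2024-11-20T10:02:33Z edr host=fw-mgmt file=/tmp/linux.sh '
    'sha1=90F6890FA94B25FBF4D5C49F1EA354A023E06510',
    '2024-11-20T10:03:00Z proxy src=10.0.0.7 dst=203.0.113.9 method=GET '
    'url="https://example.org/index.html" ua="Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

Hash comparison is case-insensitive and host matching is boundary-anchored, which are the two places naive substring sweeps usually miss or over-match. The `UA` hit is only a hint: a curl download from a firewall's management interface is worth a look, but it is exactly the kind of context-dependent signal the report argues anomaly-based detection handles better than static lists.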