Summary:
Arctic Wolf has reported a series of intrusions targeting Palo Alto Networks firewall devices, exploiting recently disclosed vulnerabilities (CVE-2024-0012 and CVE-2024-9474). These breaches involved the download of various malicious payloads, including the Sliver C2 framework and coinminer binaries. Organizations are urged to monitor firewall logs for unusual username activity as a proactive defense measure.
#PaloAltoNetworks #ThreatDetection #IncidentResponse
Keypoints:
- Multiple intrusions detected across various industries targeting Palo Alto Networks firewall devices.
- Exploitation of vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access.
- Malicious payloads downloaded over HTTP, including Sliver C2 framework and coinminer binaries.
- Monitoring for unusual characters in usernames can aid in early detection of attacks.
- Threat actors rapidly weaponize newly disclosed vulnerabilities, especially for perimeter devices.
- Data exfiltration attempts included retrieval of sensitive firewall configuration files and credentials.
- Deployment of obfuscated PHP webshells and XMRig coinminer observed in some cases.
- Arctic Wolf has implemented new detections to protect customers from these threats.
MITRE Techniques:
- Initial Access (T1190): Exploited CVE-2024-0012 to gain administrator access to the management web interface of devices running PAN-OS software.
- Privilege Escalation (T1068): Exploited CVE-2024-9474 to elevate privileges to root on devices running PAN-OS software.
- Defense Evasion (T1027): Obfuscated multiple scripts and malicious payloads.
- Defense Evasion (T1070.003): Cleared bash history to remove indicators of compromise.
- Defense Evasion (T1070.006): Used the touch command to modify file timestamps to hide modifications.
- Credential Access (T1003.008): Utilized the cat command to output file contents of /etc/passwd and /etc/shadow.
- Collection (T1560): Utilized the tar command to archive staged data for exfiltration.
- Collection (T1119): Automatically collected firewall configuration information.
- Collection (T1074.001): Output sensitive information to random files before bundling for exfiltration.
- Command-and-Control (T1105): Utilized wget and curl to retrieve files from C2 addresses.
- Impact (T1496.001): Deployed XMRig coinminer to utilize device resources for cryptocurrency mining.
IoC:
- [IPv4 Address] 104.131.69[.]106
- [IPv4 Address] 104.21.52[.]167
- [IPv4 Address] 156.244.14[.]127
- [IPv4 Address] 180.210.220[.]139
- [IPv4 Address] 143.198.1[.]178
- [IPv4 Address] 38.180.147[.]18
- [IPv4 Address] 31.41.221[.]158
- [IPv4 Address] 185.196.9[.]154
- [IPv4 Address] 95.164.5[.]41
- [IPv4 Address] 93.113.25[.]46
- [IPv4 Address] 107.191.48[.]109
- [IPv4 Address] 38.60.214[.]5
- [IPv4 Address] 46.8.226[.]75
- [URL] 38.60.214[.]5/2.txt
- [URL] 46.8.226[.]75/1.txt
- [URL] 93.113.25[.]46:8088/pay.txt
- [Domain] img.dxyjg[.]com
- [URL] sys.traceroute[.]vip/actions/register.html?q=88238714&yh=1743w7344
- [IPv4 Address] 77.221.158[.]154
- [SHA256 Hash] A3092BFA4199DEF7FC525465895EE3784C6FCF55F0A7E9C8436C027E0F41CB4B
Full Research: https://arcticwolf.com/resources/blog-uk/threat-campaign-targeting-palo-alto-networks-firewall-devices/
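To make the detection advice concrete (the keypoint about unusual characters in usernames, plus the IoC list above), here is an added example of a small log-scanning script. It is not Arctic Wolf's code and not part of the original report: the CSV-style management-interface log format, the sample log lines, and the set of characters treated as "normal" in a username are all assumptions made for illustration; the indicator IPs are copied from the IoC list above and refanged in code.

```python
import csv
import io
import re

# Indicators copied from the IoC list in the report, kept in defanged form.
DEFANGED_IOC_IPS = [
    "104.131.69[.]106", "104.21.52[.]167", "156.244.14[.]127", "180.210.220[.]139",
    "143.198.1[.]178", "38.180.147[.]18", "31.41.221[.]158", "185.196.9[.]154",
    "95.164.5[.]41", "93.113.25[.]46", "107.191.48[.]109", "38.60.214[.]5",
    "46.8.226[.]75", "77.221.158[.]154",
]


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a real dotted address."""
    return indicator.replace("[.]", ".")


IOC_IPS = frozenset(refang(ip) for ip in DEFANGED_IOC_IPS)

# Assumption: a legitimate admin username contains only letters, digits and
# a few punctuation characters. Anything else (shell metacharacters, quotes,
# whitespace, control characters) is "unusual" and worth an alert.
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def unusual_username(user: str) -> bool:
    return ALLOWED_USERNAME.fullmatch(user) is None


# Constructed sample log (not real data): time, source IP, username, event.
SAMPLE_LOG = """2024-11-20T10:01:02Z,10.0.0.5,admin,auth-success
2024-11-20T10:02:15Z,198.51.100.7,"admin;x",auth-failure
2024-11-20T10:03:40Z,104.131.69.106,admin,auth-success
2024-11-20T10:04:01Z,10.0.0.9,j.doe,auth-success
"""


def analyze_log(log_text: str) -> list[dict]:
    """Return one finding per suspicious row: odd usernames and IoC source IPs."""
    findings = []
    reader = csv.DictReader(
        io.StringIO(log_text), fieldnames=["time", "src_ip", "user", "event"]
    )
    for lineno, row in enumerate(reader, start=1):
        if unusual_username(row["user"]):
            findings.append({
                "line": lineno, "reason": "unusual-username",
                "user": row["user"], "src_ip": row["src_ip"],
            })
        if row["src_ip"] in IOC_IPS:
            findings.append({
                "line": lineno, "reason": "ioc-source-ip",
                "user": row["user"], "src_ip": row["src_ip"],
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports the second row (a username carrying characters outside the allowed set) and the third row (a login from an address in the report's IoC list). Adapt the field names to your own log export and tune `ALLOWED_USERNAME` to the naming policy actually in use; the aim is to alert on authentication records that no human operator would normally generate.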