Palo Alto Networks zero-day exploited since March to backdoor firewalls

April 13, 2024 at 09:01AM

Suspected state-sponsored hackers have exploited an unpatched zero-day in Palo Alto Networks firewalls (CVE-2024-3400) since March 26, breaching internal networks to steal data and credentials. Palo Alto Networks released mitigations to apply until the patches are complete. Volexity tracked the malicious activity under the moniker UTA0218, identified the backdoor it calls ‘Upstyle,’ and described the exploitation methods in detail in its report.

From the meeting notes:

– Suspected state-sponsored hackers have been exploiting an unpatched zero-day in Palo Alto Networks firewalls tracked as CVE-2024-3400 since March 26, using the compromised devices to breach internal networks and steal data and credentials.

– Palo Alto Networks warned today that an unauthenticated remote code execution vulnerability in its PAN-OS firewall software was actively exploited and that patches would be released on April 14.

– A later report by Volexity, which discovered the zero-day flaw, gives more detail on how the attackers have exploited the vulnerability since March to install a custom backdoor, which they then used to pivot into the target’s internal network and steal data.

– Volexity is tracking this malicious activity under the moniker UTA0218 and believes it is highly likely that state-sponsored threat actors are conducting the attacks.

– Volexity says two methods can be used to detect if a Palo Alto Networks firewall was compromised—one method is still being worked on with Palo Alto Networks, and the other involves generating a Tech Support File and monitoring network activity for specific connections and requests.

– Edge network devices have become a popular target for threat actors because they commonly lack support for security solutions and are directly exposed to the internet.

– Previous instances of state-sponsored hacking campaigns targeting network devices from various manufacturers were mentioned, such as Fortinet, SonicWall, Cisco, and TP-Link.

Key takeaways from the meeting notes:
– The use of the unpatched zero-day vulnerability in Palo Alto Networks firewalls has allowed state-sponsored threat actors to breach internal networks and exfiltrate data since March 26.
– The vendor, Palo Alto Networks, is actively working on releasing patches to address the vulnerability in its PAN-OS firewall software.
– Volexity has detailed the malicious activity under the moniker UTA0218 and highlighted methods for detecting compromised Palo Alto Networks firewalls.
– Edge network devices are increasingly targeted by threat actors due to their exposure and lack of typical security solutions.
