Friday, January 24, 2025
HomeCVE/vulnerabilityOperation MidnightEclipse: Hackers Actively Exploiting Palo Alto Networks Zero-Day Flaw

Operation MidnightEclipse: Hackers Actively Exploiting Palo Alto Networks Zero-Day Flaw

Published on

SIEM as a Service

Follow Us on Google News

The Palo Alto Networks PAN-OS software has a critical command injection vulnerability that allows an unauthorized attacker to run arbitrary code on the firewall with root access. 

The vulnerability is identified as CVE-2024-3400, with a CVSS score of 10.0. Operation MidnightEclipse has been coined to describe its exploit.

Palo Alto Networks confirmed targeted attacks using this vulnerability last Friday in an alert, crediting a threat actor for known exploitation and noting the possibility of further exploitation by threat actors.

Only PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls are configured with device telemetry enabled, and either the GlobalProtect gateway or GlobalProtect portal (or both) are affected by this issue. 

Prisma Access, Panorama appliances, and cloud firewalls (Cloud NGFW) are unaffected by this flaw. 

How Attackers Exploited The Flaw?

Using the vulnerability, the attackers set up a cron job that retrieves commands hosted on an external server once every minute.

The bash shell is then used to carry out these commands. Palo Alto said the URL is believed to be a delivery system for a firewall backdoor running on Python.

The embedded backdoor component that carries out the threat actor’s directives is decoded and operated by another Python script that is written and launched by the Python file.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The threat actor was observed to be remotely exploiting the firewall to download more tooling, establish a reverse shell, change course into internal networks, and eventually steal data.

Palo Alto Networks released a hotfix to address command injection vulnerability in its custom operating system.

The attack was probably the result of a state-sponsored threat actor’s campaign, which security experts discovered began in March.

According to the threat intelligence firm that discovered it, Volexity tracks a threat actor named UTA0218 that started taking advantage of the zero-day vulnerability on March 26. 

Based on the resources needed to find and exploit the zero-day, the type of victims targeted, and the complexity of a Python-coded backdoor the threat actors placed to gain additional access to victim networks, Volexity attributes the attack to a government.

According to Volexity, zero-day exploitation appears to be targeted and restricted. However, as of this writing, “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems does appear to have occurred at the time of writing.”

Volexity discovered proof that after the intrusions, the attackers switched to internal networks.

The Active Directory database, as well as browser data from Microsoft Edge and Google Chrome, were among the critical Windows files that the threat actors targeted.

Hotfixes Released

The issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. 

Additionally, the company said that the hotfixes for commonly deployed maintenance releases will be made available.

Palo Alto Networks advises users to watch for unusual behavior on their networks and investigate any sudden activity.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to...