Full Report
Last month, Volexity reported its discovery of in-the-wild zero-day exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor Volexity tracks as UTA0218. Palo Alto Networks released an advisory and a threat protection signature for the vulnerability within 48 hours of Volexity's disclosure of the issue, with official patches and fixes following soon after. Since the initial two cases described in Volexity's blog post, Volexity has conducted several additional incident response investigations and proactive analyses of Palo Alto Networks firewall devices. These recent investigations were based primarily on data collected from customers who generated a tech support file (TSF) from their devices and provided it to Volexity. From these investigations and analyses, Volexity has observed the following: shortly after the advisory for CVE-2024-3400 was released, scanning for and exploitation of the vulnerability increased immediately. The uptick in exploitation appears to have been associated […] The post Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices appeared first on Volexity.
Analysis Summary
# Incident Report: Exploitation of Palo Alto Networks GlobalProtect Vulnerability (CVE-2024-3400)
## Executive Summary
Threat actor UTA0218 exploited an unauthenticated Remote Code Execution (RCE) zero-day vulnerability (CVE-2024-3400) in Palo Alto Networks GlobalProtect gateways. Initial exploitation occurred in late March 2024, evidenced by access-validation attempts and subsequent exfiltration of configuration data from multiple exploited organizations globally. Response primarily involved deploying vendor patches and using Tech Support File (TSF) analysis for detection and verification.
## Incident Details
- Discovery Date: On or shortly before April 12, 2024 (Volexity's reporting date)
- Incident Date: Late March 2024 (Initial exploitation)
- Affected Organization: Multiple organizations spanning numerous verticals and geographic regions
- Sector: Undisclosed (Multiple verticals observed)
- Geography: Global
## Timeline of Events
### Initial Access
- Date/Time: Late March 2024
- Vector: Unauthenticated Remote Code Execution via CVE-2024-3400 in Palo Alto Networks GlobalProtect feature.
- Details: Attackers used the vulnerability to execute simple commands, including placing zero-byte files to validate successful access.
### Lateral Movement
- Not explicitly detailed for the initial phase; follow-on activity by other threat actors occurred after proof-of-concept code was released. UTA0218's primary observed post-exploitation action was data collection.
### Data Exfiltration/Impact
- Exfiltration of the firewall’s running configuration was the most common post-exploitation activity observed across compromised devices.
### Detection & Response
- Detection relied largely on retrospective analysis of Tech Support Files (TSF), specifically searching logs like `/var/log/pan/gpsvc.log` for unique command injection indicators.
- Palo Alto Networks released an advisory and threat protection signature within 48 hours of Volexity's disclosure, followed by official patches.
## Attack Methodology
- Initial Access: Exploitation of CVE-2024-3400 (GlobalProtect RCE).
- Persistence: Not explicitly detailed; the observed activity relied on command injection through the vulnerability.
- Privilege Escalation: The RCE vulnerability inherently granted root access to the device.
- Defense Evasion: Not explicitly detailed, but log tampering would be possible given root access.
- Credential Access: Not explicitly detailed.
- Discovery: Exfiltration of the running configuration suggests the goal was inventorying the device and planning potential future access.
- Lateral Movement: Not explicitly detailed.
- Collection: Retrieval of the running configuration file via command execution.
- Exfiltration: Configuration data was exfiltrated (method not detailed in the provided text).
- Impact: Information disclosure via configuration theft.
## Impact Assessment
- Financial: Not quantified.
- Data Breach: Firewall running configuration files. Volume unknown, but sensitive network state information was compromised.
- Operational: Potential operational disruption due to the need for immediate patching and investigation on edge devices.
- Reputational: Affected organizations faced security scrutiny due to zero-day exploitation of core security infrastructure.
## Indicators of Compromise
- Network indicators: Increased scanning leveraging CVE-2024-3400 immediately following the advisory release.
- File indicators: None provided other than zero-byte files placed for validation.
- Behavioral indicators: Log entries in `/var/log/pan/gpsvc.log` containing path traversal and command injection sequences, such as: `failed to unmarshal session(.././.././.././.././.././.././.././.././../opt/panlogs/tmp/device_telemetry/minute/'}|{echo,Y3AgL29wdC9wYW5jZmcvbWdtdC9zYXZlZC1jb25maWdzL3J1bm5pbmctY29uZmlnLnhtbCAvdmFyL2FwcHdlYi9zc2x2cG5kb2NzL2dsb2JhbC1wcm90ZWN0L2MuY3Nz}|{base64,-d}|bash|{') map , EOF`
## Response Actions
- Containment: Patching/fixing the vulnerability once advisories and patches were released by Palo Alto Networks.
- Eradication: Not detailed, likely focused on system hardening after patching.
- Recovery: Not detailed.
## Lessons Learned
- Edge devices, especially firewalls and VPN concentrators, are prime targets for zero-day exploitation due to their direct exposure to the internet.
- The speed and severity of exploitation increase immediately after a public advisory, meaning organizations must apply emergency patches rapidly.
- Tech Support Files (TSFs) contain critical forensic data, but log files within them can be tampered with by an attacker who gains root access.
- Proactive capability to collect and analyze system memory across infrastructure is invaluable for validating compromise when logs may be untrustworthy.
## Recommendations
- Remain vigilant for new exploitation activity immediately following vendor security advisories for edge devices.
- Implement network security monitoring that covers edge devices broadly, rather than focusing only on the internal network.
- Establish capabilities for memory acquisition and analysis on critical perimeter devices to fully validate compromise state against potentially manipulated log files.
- Organizations should review logs like `/var/log/pan/gpsvc.log` for command injection artifacts related to CVE-2024-3400 if patching was delayed.
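As an added example (not code from Volexity's report), a triage helper for the `/var/log/pan/gpsvc.log` review described in the indicators and recommendations above: it flags unmarshal errors whose session value carries a path traversal or a shell pipeline and decodes any embedded `{echo,<base64>}` fragment so the analyst can read what was executed. The log-line regex and the sample timestamps are assumptions built from the single indicator line quoted above.

```python
import base64
import binascii
import re
from typing import Optional

# Shape of the indicator quoted in the report: the session value inside
# "failed to unmarshal session(...)" carries a path traversal followed by a
# shell pipeline. These regexes are an assumption based on that single line.
SESSION_RE = re.compile(r"failed to unmarshal session\((?P<sess>.*)\)\s*map\s*,\s*EOF")
ECHO_B64_RE = re.compile(r"\{echo,(?P<b64>[A-Za-z0-9+/=]+)\}")


def decode_embedded_base64(fragment: str) -> Optional[str]:
    """Decode an {echo,<base64>} fragment so an analyst can read what was run."""
    m = ECHO_B64_RE.search(fragment)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed base64: the line is still flagged, just not decoded


def triage_gpsvc_line(line: str) -> Optional[dict]:
    """Classify one gpsvc.log line; None when it is not an unmarshal error at all."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    sess = m.group("sess")
    traversal = "../" in sess
    injection = any(tok in sess for tok in ("|{", "}|", "|bash"))
    return {
        "session": sess,
        "traversal": traversal,
        "injection": injection,
        "decoded_payload": decode_embedded_base64(sess),
        "suspicious": traversal or injection,
    }


def triage_gpsvc_log(text: str) -> list:
    """Return a triage record for every suspicious unmarshal error in the log text."""
    return [rec for rec in map(triage_gpsvc_line, text.splitlines())
            if rec and rec["suspicious"]]


# Constructed sample: a benign unmarshal error with an ordinary session token,
# then the indicator line quoted in the report. The T1/T2 prefixes are made up.
SAMPLE_LOG = """\
T1 failed to unmarshal session(5f1c8d3b9a7e) map , EOF
T2 failed to unmarshal session(.././.././.././.././.././.././.././.././../opt/panlogs/tmp/device_telemetry/minute/'}|{echo,Y3AgL29wdC9wYW5jZmcvbWdtdC9zYXZlZC1jb25maWdzL3J1bm5pbmctY29uZmlnLnhtbCAvdmFyL2FwcHdlYi9zc2x2cG5kb2NzL2dsb2JhbC1wcm90ZWN0L2MuY3Nz}|{base64,-d}|bash|{') map , EOF
"""

if __name__ == "__main__":
    for rec in triage_gpsvc_log(SAMPLE_LOG):
        print("traversal=%s injection=%s" % (rec["traversal"], rec["injection"]))
        print("decoded:", rec["decoded_payload"])
```

Run it over the `gpsvc.log` extracted from a TSF; every record returned deserves a closer look, and a decoded payload that touches the running configuration matches the collection activity described above.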