Full Report
Volexity would like to thank Palo Alto Networks for their partnership, cooperation, and rapid response to this critical issue. Their research can be found here.

On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. Volexity received alerts regarding suspect network traffic emanating from the customer's firewall. A subsequent investigation determined the device had been compromised. The following day, April 11, 2024, Volexity observed further, identical exploitation at another one of its NSM customers by the same threat actor.

The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within […]

The post Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) appeared first on Volexity.
Analysis Summary
# Incident Report: Zero-Day Exploitation of Palo Alto GlobalProtect (CVE-2024-3400)
## Executive Summary
Between March 26 and April 10, 2024, threat actor UTA0218 exploited a critical unauthenticated Remote Code Execution (RCE) zero-day vulnerability (CVE-2024-3400) in the GlobalProtect feature of Palo Alto Networks PAN-OS. The compromise allowed the attackers to establish reverse shells, download a custom backdoor (UPSTYLE), exfiltrate configuration data, and move laterally within victim networks. The response involved a coordinated investigation with Palo Alto Networks PSIRT, leading to the issuance of an advisory and threat protection signatures and urging immediate patching.
## Incident Details
- Discovery Date: April 10, 2024 (First observed active exploitation)
- Incident Date: Earliest observed activity was reconnaissance/testing on March 26, 2024.
- Affected Organization: Multiple initial network security monitoring (NSM) customers of Volexity.
- Sector: Undisclosed (not stated in the report; the only known attribute of the victims is that they receive Volexity's NSM service).
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: Earliest attempts noted on March 26, 2024; successful exploitation began around April 10, 2024.
- Vector: Unauthenticated Remote Code Execution via CVE-2024-3400 in Palo Alto Networks PAN-OS GlobalProtect feature (OS command injection).
- Details: Attackers initially tested exploitability by placing zero-byte files on firewall devices (March 26). Successful attacks led to the deployment of a reverse shell, enabling download of further tools.
### Lateral Movement
- Details: Attackers leveraged exfiltrated configuration data as an entry point to move laterally within the victim organizations' internal networks.
### Data Exfiltration/Impact
- Details: Attackers focused on exporting sensitive configuration data from the compromised firewall devices. They also downloaded additional tooling to maintain access and facilitate network navigation.
### Detection & Response
- Date/Time: April 10, 2024 (Volexity identified suspect traffic at Customer 1). April 11, 2024 (Identified identical exploitation at Customer 2).
- Response Actions: Volexity worked closely with the customer and Palo Alto Networks PSIRT to investigate the root cause. Palo Alto Networks confirmed the vulnerability (CVE-2024-3400) and released an advisory including an immediate threat protection signature.
## Attack Methodology
- Initial Access: Exploitation of CVE-2024-3400 (Unauthenticated RCE).
- Persistence: Attempted installation of a custom Python backdoor named UPSTYLE on the firewall devices.
- Privilege Escalation: Not explicitly detailed, but RCE immediately grants high-level access to the firewall OS.
- Defense Evasion: Use of a zero-day vulnerability and deployment of a custom backdoor.
- Credential Access: Implied through lateral movement activity following initial access, likely via extracted credentials from internal systems.
- Discovery: Attackers utilized initial access to gather configuration data and move into the internal network structure.
- Lateral Movement: Leveraging stolen/exfiltrated configuration data to move into internal networks.
- Collection: Extracting sensitive credentials and other files necessary for sustained access.
- Exfiltration: Data exfiltration occurred, focusing initially on configuration data.
- Impact: Establishment of network access for further exploitation and data theft.
## Impact Assessment
- Financial: Not estimated in the provided text.
- Data Breach: Sensitive configuration data was accessed and exported. Credentials and other files enabling access to internal networks were also reportedly extracted.
- Operational: Limited operational impact described, though ongoing compromise requires investigation of internal networks.
- Reputational: Not discussed, though public disclosure of a critical vulnerability affects vendor and customer trust.
## Indicators of Compromise
- Network Indicators: None provided in the text; it only mentions remote servers used to download tooling onto the firewall.
- File Indicators: Custom Python backdoor named UPSTYLE.
- Behavioral Indicators: Placement of zero-byte files on firewalls (reconnaissance/testing); creation of reverse shells on firewall devices; download of tooling post-initial compromise.
## Response Actions
- Containment: Palo Alto Networks issued a threat protection signature available to customers.
- Eradication: Affected organizations are strongly advised to investigate systems for existing breaches, as mitigation/patching will not remediate existing compromise.
- Recovery: Organizations must patch vulnerabilities (fix expected April 14, 2024) and conduct forensic reviews of internal networks.
## Lessons Learned
- Key Takeaways: A critical, unauthenticated RCE zero-day (CVSS 10.0) in perimeter devices like GlobalProtect provides immediate, high-value access to threat actors. Speed in exploiting these vulnerabilities is characteristic of an organized threat actor (UTA0218).
- What could have been done better: Early reconnaissance attempts (March 26 testing) were not universally detected or publicly known until the successful exploitation wave in April.
## Recommendations
- Prevention measures for similar incidents: Immediately apply protections/patches released by Palo Alto Networks for CVE-2024-3400. Conduct thorough forensic investigations on internal networks of any potentially affected firewall to scope the lateral movement and data extraction. Deploy network security monitoring capable of detecting highly targeted RCE exploitation signatures.