#UTA0218

2024-04-13

Volexity discovered zero-day exploitation of a vulnerability in Palo Alto Networks' GlobalProtect firewall devices, identified as CVE-2024-3400. This vulnerability allowed unauthenticated remote code execution, enabling attackers to execute commands on the device via specially crafted network requests. The attacker, tracked as UTA0218, attempted to install a custom Python backdoor named UPSTYLE on the firewall. This backdoor was used to execute additional commands on the device. The exploitation was observed to have started on March 26, 2024, with the attacker testing the vulnerability by placing zero-byte files on firewall devices. By April 10, 2024, UTA0218 had successfully deployed malicious payloads on multiple devices. After exploiting the devices, the attacker downloaded additional tools to facilitate access to victims' internal networks, extracting sensitive credentials and other files. The exploitation was limited and targeted, but there were signs of potential reconnaissance activity aimed at identifying more vulnerable systems. Palo Alto Networks confirmed the vulnerability and issued an advisory, including a threat prevention signature and a timeline for a fix expected by April 14, 2024. Volexity recommends that organizations using GlobalProtect firewall devices read the advisory and take the necessary mitigation actions to protect against further exploitation.

volexity.com/blog/2024/04/12/z

#cybersecurity #paloaltonetworks #unit42 #panos #vulnerability #firewall #globalprotect #UTA0218 #volexity

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst