Researchers at #Volexity revealed that multiple #Russian threat actors are conducting social-engineering & spear-phishing to target organizations with the ultimate goal of compromising #Microsoft 365 accounts via #DeviceCodeAuthentication phishing.

🔗 https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/na

Russian hackers break into Wi-Fi networks in an unprecedented way

In an unprecedented cyberattack, Russian spies used an innovative technique to gain access to Wi-Fi networks without being physically

Tech Nieuws (Tech News)
In a separate report earlier this month, #security company #Volexity said it had found another high-end technique in play at a different, unnamed #ISP. In that case, it said a Chinese state #hacking group distinct from #VoltTyphoon was able to get far enough inside the service provider to alter #DNS web addresses that users were trying to reach & divert them elsewhere, allowing the #hackers to insert #backdoors for #espionage.
#InfoSec #Internet #tech #cybersecurity #China #US #geopolitics
@Taco_lad @da_667 as my final answer i would say do your own thing and promote and parlay innovation but then again just copy binary defense and trustedsec rollout - rely on core competencies and hire really good analysts and practitioners - i see them as a great role model #volexity staff

Volexity discovered zero-day exploitation of a vulnerability in Palo Alto Networks' GlobalProtect firewall devices, identified as CVE-2024-3400. This vulnerability allowed unauthenticated remote code execution, enabling attackers to execute commands on the device via specially crafted network requests. The attacker, known as UTA0218, attempted to install a custom Python backdoor named UPSTYLE on the firewall. This backdoor was used to execute additional commands on the device. The exploitation was observed to have started on March 26, 2024, with the attacker testing the vulnerability by placing zero-byte files on firewall devices. By April 10, 2024, UTA0218 had successfully deployed malicious payloads on multiple devices. After exploiting the devices, the attacker downloaded additional tools to facilitate access to victims' internal networks, extracting sensitive credentials and other files. The exploitation was limited and targeted, but there were signs of potential reconnaissance activity aimed at identifying more vulnerable systems. Palo Alto Networks confirmed the vulnerability and issued an advisory, including a threat protection signature and a timeline for a fix expected by April 14, 2024. Volexity recommends that organizations using GlobalProtect firewall devices read the advisory and take the necessary mitigation actions to protect against further exploitation.

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

#cybersecurity #paloaltonetworks #unit42 #panos #vulnerability #firewall #globalprotect #UTA0218 #volexity

Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. Volexity received alerts regarding suspect network traffic emanating from the customer’s firewall. A subsequent investigation determined the device had been compromised. The following day, April 11, 2024, Volexity observed further, identical exploitation at another one of its NSM customers by the same threat actor.

Volexity

Palo Alto Networks and Unit 42 are actively tracking and sharing information about a critical vulnerability, CVE-2024-3400, which affects their PAN-OS software. This vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. It has a CVSS score of 10.0, indicating a high severity. The vulnerability is specific to PAN-OS 10.2, 11.0, and 11.1 versions when a GlobalProtect gateway and device telemetry are enabled. It does not impact cloud firewalls, Panorama appliances, or Prisma Access.

Palo Alto Networks has identified malicious exploitation of this vulnerability under the name Operation MidnightEclipse. They believe the initial exploitation is limited to a single threat actor but warn that additional actors may attempt to exploit it in the future. The company is providing interim guidance to mitigate the vulnerability, including recommendations for customers with a Threat Prevention subscription to block attacks by enabling Threat ID 95187. For those who cannot apply this mitigation immediately, Palo Alto Networks suggests temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version.

The vulnerability is set to be fixed in an upcoming release of PAN-OS 10.2, 11.0, 11.1, and all later versions, with an estimated release date of April 14, 2024. Palo Alto Networks encourages customers to monitor their networks for abnormal activity and investigate any unexpected network activity as a best practice. They also thank Volexity for discovering this issue and their ongoing collaboration and partnership.

https://unit42.paloaltonetworks.com/cve-2024-3400/

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

#cybersecurity #paloaltonetworks #unit42 #panos #vulnerability #firewall #globalprotect #cve #midnighteclipse #threat #volexity

Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated April 24)

We detail Operation MidnightEclipse, a campaign exploiting command injection vulnerability CVE-2024-3400, and include protections and mitigations.

Unit 42
GlobalProtect from Palo Alto Networks vulnerable to hackers

Palo Alto Networks. The IT security firm Volexity recently discovered the critical CVSS 10 flaw in PAN-OS of the VPN solution GlobalProtect.

Tarnkappe.info
Microsoft: Two New 0-Day Flaws in Exchange Server – Krebs on Security

Microsoft: Two New 0-Day Flaws in Exchange Server - Microsoft Corp. is investigating reports that attackers are exploiting two previou... https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/ #microsoftexchangeserverzero-day #zimbracollaborationsuite #latestwarnings #thecomingstorm #cve-2022-41040 #cve-2022-41082 #timetopatch #stevenadair #volexity #gtsc

Layoffs at Patreon: IT security team has to go

Patreon is laying off its entire IT security staff. Do users of the platform now have to worry about the security of their data?

Tarnkappe.info