Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack


VTA-004480 – Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

A critical command injection vulnerability, tracked as CVE-2024-3400, allows an unauthenticated attacker to execute arbitrary code with root privileges on PAN-OS 10.2, 11.0 and 11.1 firewalls that have a GlobalProtect gateway or portal configured. Palo Alto Networks initially stated that device telemetry also had to be enabled for a firewall to be exposed, but later withdrew that condition: telemetry does not need to be enabled for a device to be exploitable, so disabling telemetry is not a mitigation. In the exploitation campaign that Volexity tracks as Operation MidnightEclipse, the attacker used the flaw to create a cron job that polled a remote server for commands every minute, and in at least one case installed a Python backdoor named UPSTYLE. UPSTYLE receives its commands through specially crafted web requests that are recorded in the firewall's web server error log, executes them, and writes the output into a legitimate file served by the firewall, restoring that file afterwards so that the activity leaves little trace. From the compromised firewalls the attacker pivoted into internal networks, exfiltrating data and targeting domain backup keys and Active Directory credentials. Palo Alto Networks began releasing hotfixes on 14 April 2024, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog with a remediation deadline of 19 April 2024 for U.S. federal agencies. The activity is assessed to be state-backed on the basis of its tradecraft and targeting, which makes monitoring for lateral movement and for outbound connections originating from affected devices a priority. This incident underscores the continued targeting of edge devices, which sit outside most endpoint monitoring, by well-resourced adversaries with a mature post-exploitation playbook.
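The script below is an added example; it is not part of this advisory and not Palo Alto Networks' own tooling. It automates the check the vendor advisory describes for CVE-2024-3400: grep the GlobalProtect service log (mp-log gpsvc.log*) for "failed to unmarshal session(" entries and inspect what sits inside the parentheses. A legitimate entry carries a session GUID; an exploitation attempt carries a path, typically with "../" traversal, instead. The log lines are constructed for this example, and the exact log layout and timestamp format on a real device are an assumption.

```python
import re

# Added example, not vendor code. Constructed gpsvc-style log lines; the real
# log layout and timestamp format on a PAN-OS device may differ (assumption).
SAMPLE_LOG = """\
2024-04-12 03:01:07 -0700 Error: pan_gp_gateway: failed to unmarshal session(0b5c2a1e-7f3d-4c2b-9a1e-3d4f5a6b7c8d)
2024-04-12 03:02:15 -0700 Error: pan_gp_gateway: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/attacker-payload)
2024-04-12 03:02:16 -0700 Error: pan_gp_gateway: failed to unmarshal session(not-a-guid)
2024-04-12 03:05:00 -0700 Info: pan_gp_gateway: gateway status check ok
"""

# A GlobalProtect session id in these entries is a GUID; anything else is suspect.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Greedy so that a payload containing ")" is still captured up to the final parenthesis.
SESSION_RE = re.compile(r"failed to unmarshal session\((.*)\)")


def classify_session(value):
    """Return None for a well-formed session GUID, otherwise a short reason string."""
    if GUID_RE.match(value):
        return None
    if "../" in value or "/" in value:
        return "path traversal in session id"
    return "non-GUID session id"


def find_suspicious_sessions(log_text):
    """Scan gpsvc-style log text and return one finding per suspicious entry."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = SESSION_RE.search(line)
        if not match:
            continue
        value = match.group(1)
        reason = classify_session(value)
        if reason is not None:
            findings.append({"line": lineno, "session": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['reason']}: {finding['session']}")
```

On a device the equivalent one-liner from the PAN-OS CLI is `grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*`; this script is stricter, flagging any non-GUID value rather than only those containing "./". A clean result does not prove the device is clean, since an attacker with root can truncate the log, so treat it as one check among several rather than as proof of absence.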


Attack Surfaces:
Remote Access Service

Tactics:
Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Command and Control

Techniques:
T1190 – Exploit Public-Facing Application
T1053.003 – Scheduled Task/Job: Cron
T1071 – Application Layer Protocol
T1562 – Impair Defenses

Indicator of Compromise:


SuperPRO’s Threat Countermeasures Procedures: 
1. Regularly check for updates and apply them promptly.
-> Strongly recommend applying the hotfixes released by Palo Alto Networks for CVE-2024-3400, making sure to install the hotfix that matches your specific PAN-OS maintenance release; fixes are provided separately for the 10.2, 11.0 and 11.1 release trains. Disabling device telemetry is not a mitigation. Until the hotfix is applied, customers with a Threat Prevention subscription should enable the vendor's vulnerability protection signature for this CVE on the GlobalProtect interface, and every exposed device should be checked for exploitation attempts using the log check in the vendor advisory, since a patch does not remove a backdoor that is already installed.
2. Segment the network into smaller, isolated zones, each with its own security controls, so that a compromised edge device cannot easily be used as a foothold for lateral movement.
3. Review and update firewall rules to restrict inbound traffic to, and outbound traffic from, the Palo Alto Networks devices themselves, and disable unnecessary services and protocols to reduce the attack surface. In particular, monitor and restrict outbound connections initiated by the firewall, since the cron job used in this campaign polls a remote server for commands.
4. Follow least privilege, granting each user and system access only to the resources it needs; this limits what an attacker who pivots from the firewall can reach, including the domain credentials targeted in this campaign.
5. Back up regularly so that critical data remains available even if a system is compromised.

Contributed by: Syaff