RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit


VTA-004484 – RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit

Cybercriminals using the RedTail cryptocurrency mining malware have adopted an exploit for a security flaw in Palo Alto Networks firewalls to boost their attacks. This flaw, known as CVE-2024-3400, is very serious and allows attackers to run arbitrary code on the firewall with top-level access. Once they exploit this flaw, they run a script that downloads a build of the RedTail malware suited to the device's processor.

The RedTail malware has been updated with advanced techniques to avoid detection. The attackers use private mining pools, which cost more but give them better control over the mining process. They also use other known security flaws in various devices, like TP-Link routers and VMware software, to spread their malware.

RedTail was first discovered in January 2024 when it exploited a flaw known as Log4Shell. In March 2024, researchers found that it was also using flaws in SonicWall and ThinkPHP to spread. The latest version, found in April, includes major updates like an encrypted configuration and no visible cryptocurrency wallet, suggesting the use of private mining pools. This version is harder to detect and remove because it uses advanced techniques to hide itself and stop debugging tools.


Attack Surfaces:


Command and Control, Execution, Persistence, Resource Development



T1059 – Command and Scripting Interpreter

T1027 – Obfuscated Files or Information

T1496 – Resource Hijacking

Indicator of Compromise:


SuperPRO’s Threat Countermeasures Procedures: 
1. Ensure that Palo Alto Networks firewalls are updated to patch the CVE-2024-3400 vulnerability.
2. Keep all systems updated with the latest security patches.
3. Stay vigilant and monitor for threats actively.

Contributed by: Eddy Leong