Security News > 2024 > April > CVE-2024-3400 exploited: Unit 42, Volexity share more details about the attacks

Earlier today, Palo Alto Networks revealed that a critical command injection vulnerability in the company's firewalls has been exploited in limited attacks and has urged customers with vulnerable devices to quickly implement mitigations and workarounds.

Palo Alto Networks' Unit 42 and Volexity have now released threat briefs with more information about the attacks, threat hunting queries, YARA rules, and indicators of compromise.

"We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we've analyzed thus far is limited to a single threat actor. We also assess that additional threat actors may attempt exploitation in the future," Unit 42 researchers noted.

Volexity threat researchers have also detailed the Python backdoor, which allows the attacker to execute additional commands on the device via specially crafted network requests.

"As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability," they also found.

"On April 7, 2024, Volexity observed the attacker attempting and failing to deploy a backdoor on a customer's firewall device. Three days later, on April 10, 2024, was observed exploiting firewall devices to successfully deploy malicious payloads. A second compromise Volexity observed on April 11, 2024, followed a nearly identical playbook."

News URL

https://www.helpnetsecurity.com/2024/04/12/palo-alto-networks-firewalls-cve-2024-3400-exploited/