Summary:
Arctic Wolf has reported a series of intrusions targeting Palo Alto Networks firewall devices, exploiting recently disclosed vulnerabilities (CVE-2024-0012 and CVE-2024-9474). These breaches involved the download of various malicious payloads, including the Sliver C2 framework and coinminer binaries. Organizations are urged to monitor firewall logs for unusual username activity as a proactive defense measure.
#PaloAltoNetworks #ThreatDetection #IncidentResponse
Keypoints:
- Multiple intrusions detected across various industries targeting Palo Alto Networks firewall devices.
- Exploitation of vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access.
- Malicious payloads downloaded over HTTP, including Sliver C2 framework and coinminer binaries.
- Monitoring for unusual characters in usernames can aid in early detection of attacks.
- Threat actors rapidly weaponize newly disclosed vulnerabilities, especially for perimeter devices.
- Data exfiltration attempts included retrieval of sensitive firewall configuration files and credentials.
- Deployment of obfuscated PHP webshells and XMRig coinminer observed in some cases.
- Arctic Wolf has implemented new detections to protect customers from these threats.
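The key point above about watching for unusual characters in usernames can be turned into a simple log check. The following Python detector is an added example, not code from the Arctic Wolf report or from Palo Alto Networks: the comma-separated line format, the field order, the allowed-character set and the sample log lines are all constructed assumptions and do not reproduce the real PAN-OS system-log schema.

```python
import csv
import io
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines (assumed simplified format, NOT the PAN-OS schema):
# <timestamp>,<event>,<username>,<source-ip>,<result>
SAMPLE_LOGS = """\
2024-11-19T08:01:12Z,auth,admin,10.0.0.5,success
2024-11-19T08:02:45Z,auth,t.smith,10.0.0.7,failure
2024-11-19T08:03:01Z,auth,"a'b",198.51.100.9,failure
2024-11-19T08:03:02Z,auth,x$(y),198.51.100.9,failure
2024-11-19T08:03:03Z,auth,user;1,198.51.100.9,failure
2024-11-19T08:04:10Z,auth,svc-backup,10.0.0.8,success
"""

# Assumed allowlist for legitimate usernames: letters, digits, dot, underscore,
# '@' (UPN style), backslash (DOMAIN\user) and hyphen, 1-64 characters.
# Anything else (quotes, ';', '$', '(', whitespace, ...) is treated as unusual.
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9._@\\-]{1,64}$")


def is_suspicious_username(name: str) -> bool:
    """True when the username contains characters outside the allowlist."""
    return ALLOWED_USERNAME.match(name) is None


def find_suspicious_logins(log_text: str) -> List[Dict[str, str]]:
    """Scan auth events and return those whose username looks unusual."""
    hits: List[Dict[str, str]] = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than crash the scan
        timestamp, event, username, source_ip, result = row
        if event != "auth":
            continue
        if is_suspicious_username(username):
            hits.append({"timestamp": timestamp, "username": username,
                         "source_ip": source_ip, "result": result})
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count unusual-username attempts per source IP for triage."""
    return dict(Counter(h["source_ip"] for h in hits))


if __name__ == "__main__":
    found = find_suspicious_logins(SAMPLE_LOGS)
    for hit in found:
        print(f"{hit['timestamp']} {hit['source_ip']} user={hit['username']!r}")
    print(summarize_by_source(found))
```

Feed the function real export lines after adjusting the field indices to your log format; the allowlist is deliberately strict, so tune it to the username conventions actually used in your environment before alerting on it.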
MITRE Techniques:
- Initial Access (T1190): Exploited CVE-2024-0012 to gain administrator access to the management web interface of devices running PAN-OS software.
- Privilege Escalation (T1068): Exploited CVE-2024-9474 to elevate privileges to root on devices running PAN-OS software.
- Defense Evasion (T1027): Obfuscated multiple scripts and malicious payloads.
- Defense Evasion (T1070.003): Cleared bash history to remove indicators of compromise.
- Defense Evasion (T1070.006): Used the touch command to modify file timestamps to hide modifications.
- Credential Access (T1003.008): Utilized the cat command to output file contents of /etc/passwd and /etc/shadow.
- Collection (T1560): Utilized the tar command to archive staged data for exfiltration.
- Collection (T1119): Automatically collected firewall configuration information.
- Collection (T1074.001): Output sensitive information to random files before bundling for exfiltration.
- Command-and-Control (T1105): Utilized wget and curl to retrieve files from C2 addresses.
- Impact (T1496.001): Deployed XMRig coinminer to utilize device resources for cryptocurrency mining.
Full Research: https://arcticwolf.com/resources/blog-uk/threat-campaign-targeting-palo-alto-networks-firewall-devices/