H-ISAC Threat Update: Palo Alto Networks Has Released Security Updates to Address Critical Vulnerability CVE-2024-3400

H-ISAC TLP White Threat Bulletin
April 14, 2024

Summary

On April 14, Palo Alto Networks released security updates for CVE-2024-3400, a critical unauthenticated remote code execution flaw affecting GlobalProtect. In its latest update, Volexity, the security company that initially discovered the exploitation, attributes the activity to a threat actor tracked as UTA0218, with the earliest identified exploitation dating back to March 26, 2024.

Analysis

Palo Alto Networks has released the anticipated patches for CVE-2024-3400, a critical vulnerability with a CVSS score of 10/10 affecting PAN-OS GlobalProtect. The flaw allows unauthenticated attackers to execute code remotely on affected devices. It was discovered under active exploitation as a zero-day and was reported last Friday, April 12. The exploitation activity was dubbed Operation Midnight Eclipse. The attackers leveraged the flaw to pivot into and move laterally within compromised networks in order to steal sensitive data.

According to a report published by Volexity, the security company credited with discovering the exploitation, the threat actor tracked as UTA0218 exploited firewall devices, created reverse shells, and downloaded tools to gain further access. A custom Python-based backdoor called UPSTYLE was deployed to execute commands delivered via specially crafted network requests. The earliest identified exploitation attempts date back to March 26, 2024, with successful exploitation and lateral movement observed on April 10 and 11, 2024. The attacker targeted sensitive data, including keys, Active Directory credentials, and user data.

Given the sophistication of the TTPs used, UTA0218 is suspected to be a state-backed threat actor; however, no confident attribution to any specific state has yet been made.

More information on the vulnerability can be found in the Threat Bulletin previously distributed by Health-ISAC.

Palo Alto Networks recommends applying the available patches immediately. Where patching is not yet possible, certain workarounds can be applied; however, these should be treated only as temporary measures until the patches can be installed.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272