At a glance.
- Palo Alto Networks warns of critical VPN zero-day.
- Alleged developers of the Firebird RAT arrested.
- Ukraine-linked hackers deploy ICS malware against Russian infrastructure company.
Palo Alto Networks warns of critical VPN zero-day.
Palo Alto Networks on Friday disclosed a critical zero-day vulnerability (CVE-2024-3400) affecting its GlobalProtect VPN product, SecurityWeek reports. The company began issuing hotfixes for the flaw on Sunday. Palo Alto's Unit 42 said in a threat briefing, "A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled."
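The advisory quoted above sets three conditions for a firewall to be in scope: an affected PAN-OS release train (10.2, 11.0 or 11.1), a GlobalProtect gateway or portal (or both) configured, and device telemetry enabled. The following is an added triage helper, written for this digest and not code from Palo Alto Networks or Unit 42, that applies those conditions to an inventory of devices so a defender can rank which firewalls to check first. The inventory record layout, the sample devices and the version-string format ("major.minor.maint" with an optional "-hN" hotfix suffix) are assumptions for the example; it deliberately does not decide whether a hotfix is installed, because the fixed versions are not listed on this page.

```python
"""Triage helper: flag PAN-OS firewalls that match the CVE-2024-3400
applicability conditions stated in the Palo Alto Networks advisory
(affected release train + GlobalProtect gateway/portal + device telemetry).

Constructed example; the Firewall record and sample inventory are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Release trains named in the advisory as affected (major, minor).
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}


@dataclass
class Firewall:
    name: str
    panos_version: str      # e.g. "10.2.7-h3" (assumed format)
    gp_gateway: bool        # GlobalProtect gateway configured
    gp_portal: bool         # GlobalProtect portal configured
    device_telemetry: bool  # device telemetry enabled


def parse_train(version: str) -> Tuple[int, int]:
    """Return the (major, minor) release train of a PAN-OS version string.

    "10.2.7-h3" -> (10, 2); "11.1.0" -> (11, 1).  Raises ValueError for
    input that does not start with two numeric components, so a malformed
    inventory entry is surfaced instead of silently treated as safe.
    """
    parts = version.strip().split("-", 1)[0].split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return int(parts[0]), int(parts[1])


def not_applicable_reasons(fw: Firewall) -> List[str]:
    """List every advisory condition the device does NOT meet.

    An empty list means all three conditions hold and the device is in
    scope for CVE-2024-3400 (hotfix status must still be checked separately).
    """
    reasons: List[str] = []
    major, minor = parse_train(fw.panos_version)
    if (major, minor) not in AFFECTED_TRAINS:
        reasons.append(f"PAN-OS {major}.{minor} is not an affected release train")
    if not (fw.gp_gateway or fw.gp_portal):
        reasons.append("no GlobalProtect gateway or portal configured")
    if not fw.device_telemetry:
        reasons.append("device telemetry disabled")
    return reasons


def is_applicable(fw: Firewall) -> bool:
    """True when the device meets all three advisory conditions."""
    return not not_applicable_reasons(fw)


def triage(inventory: Iterable[Firewall]) -> Dict[str, bool]:
    """Map each device name to whether the advisory applies to it."""
    return {fw.name: is_applicable(fw) for fw in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-01", "10.2.7-h3", gp_gateway=True,  gp_portal=True,  device_telemetry=True),
    Firewall("edge-fw-02", "11.1.0",    gp_gateway=False, gp_portal=True,  device_telemetry=True),
    Firewall("dc-fw-01",   "11.0.2",    gp_gateway=True,  gp_portal=False, device_telemetry=False),
    Firewall("lab-fw-01",  "10.1.9",    gp_gateway=True,  gp_portal=True,  device_telemetry=True),
    Firewall("mgmt-fw-01", "11.1.2",    gp_gateway=False, gp_portal=False, device_telemetry=True),
]

if __name__ == "__main__":
    for fw in SAMPLE_INVENTORY:
        reasons = not_applicable_reasons(fw)
        status = "IN SCOPE" if not reasons else "out of scope: " + "; ".join(reasons)
        print(f"{fw.name:12} {fw.panos_version:10} {status}")
```

Run it against a real inventory by building Firewall records from whatever source of truth you keep (Panorama export, CMDB), and treat an empty reason list as "patch and hunt now"; a device that is out of scope only because telemetry is disabled is still worth tracking, since the condition can change with a single configuration commit.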
The company added, "We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor. We also assess that additional threat actors may attempt exploitation in the future."
Researchers at Volexity published a report on the exploitation of the flaw, stating, "The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations."