Hackers Target Palo Alto Firewalls in Operation MidnightEclipse

Key Takeaways

  • Palo Alto Networks launches a probe after a major security flaw is identified.
  • Researchers are working to identify the source of the Python backdoor attack.
  • It is “highly likely” that a state-sponsored actor is responsible, says a cybersecurity firm.

Palo Alto Networks and its internal security researchers, Unit 42, have launched an investigation as unidentified threat actors have exploited a PAN-OS flaw.

The hackers have been exploiting a critical zero-day vulnerability in Palo Alto’s software to execute arbitrary code with root privileges on affected firewalls.

CVE-2024-3400 is the identifier for this critical vulnerability in PAN-OS software; versions 10.2, 11.0, and 11.1 were all targeted. The campaign is being tracked under the name Operation MidnightEclipse, but the perpetrator is unknown.

An initial threat brief from security researchers has assessed the scale of the threat.

Palo Alto Networks acknowledged being aware of malicious exploitation of the issue and stated that it is tracking the initial exploitation of the vulnerability under the name Operation MidnightEclipse.

The company assessed with high confidence that the known exploitation it has analyzed so far is limited to a single threat actor. It also expects that additional threat actors may attempt exploitation in the future.

Once the vulnerability was exploited, the malicious actor could run a cron job every minute to retrieve and execute commands hosted on an external server.

Researchers have been unable to recover the commands staged by the hackers. Still, they believe the attackers attempted to deploy a second, Python-based backdoor to extend their access.

Experts Discuss the Hack

Experts at cybersecurity firm Volexity track this additional Python backdoor under the name UPSTYLE. Researchers have not yet confirmed the campaign’s primary target or how many victims are affected, but the theft of sensitive data is thought to be the key motivation behind the activity.

“Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities,” said Volexity.

Volexity states that it is highly likely that UTA0218, the codename it has assigned to the attacker, is a state-backed threat actor. This conclusion is based on the resources required to develop and exploit a vulnerability of this nature, the types of victims targeted by this actor, and the capabilities displayed in installing the Python backdoor and gaining further access to victim networks.