Cyber Threat Report: 'Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)'

Report Author Volexity Threat Research
Publication Date 2024-04-12
Original Reporting Source
Identified CVEs CVE-2024-3400

This blog post from Volexity details exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS. The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to create a reverse shell and then downloaded further tools to progress the attack. The threat actor also attempted to install a custom Python backdoor on the firewall, which the researchers named UPSTYLE. Volexity observed similar attacks at multiple customers and advises organizations using GlobalProtect firewalls to read the advisory published by Palo Alto Networks. The post includes technical analysis of the UPSTYLE backdoor and provides additional indicators of compromise (IoCs) related to the attacks. Although the researchers do not fully attribute UTA0218, they do state that Volexity 'assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.'
