Understanding the Midnight Eclipse Activity and CVE 2024-3400

[Unidentified Person]: The [music] most important thing is, as I said, if it's when a critical vulnerability comes out, especially when there's known exploitation, that should always be a priority for mitigations and patching, even more so when it's an edge device like a firewall or VPN. [ Music ]

David Moulton: [Music] Welcome to Threat Vector, a podcast where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] In [music] today's episode, I'm going to be talking with Andy Piazza about midnight eclipse activity in CVE 2024-3400. Andy is a Senior Director of Threat Intel at Unit 42. In this episode, Andy and I will discuss a critical vulnerability in PAN OS software. While it's never a good feeling to discover that there's a vulnerability in your own cybersecurity product, we believe it is vitally important to be transparent and discuss for the good of our customers and the community. We'll be getting into the technical details of the vulnerability, the observed exploitation activity, and the mitigation strategies available to customers. We'll also provide insights into the methods used by the attackers, we've observed exploiting the vulnerability, and the importance of staying vigilant against such threats. Let's get right into our conversation. Andy, Palo Alto Networks has identified a critical command injection vulnerability, CVE 2024-3400, in its PAN OS software. What makes this vulnerability so critical?

Andy Piazza: Yeah. So the challenge with this, right, is this is a vulnerability that can be exploited by unauthenticated attackers to execute arbitrary code with root privileges. So let's translate that. That means effectively anybody, they don't have to be logged in, can run commands against our affected firewalls with the top level access. So root privileges is like the highest level permissions you can have. Makes this more challenging too, as we're talking about firewall devices. So this is usually your first device touching the Internet. This is one of those areas where you have kind of the least amount of security visibility on the device itself, being Internet facing. So this critical vulnerability in an Edge device is a really big deal that we need to encourage clients to patch as quickly as possible for.

David Moulton: Andy, this is related to what's being called Midnight Eclipse and Midnight Eclipse Activity. How is Midnight Eclipse different than the CVE?

Andy Piazza: So we're tracking Midnight Eclipse Activity, at least internally, we think of it as the activity against the vulnerability, it was kind of pre-publication of the proof of concept. And that's just our way of tracking what type of activity we believe is associated with the original threat groups that knew about this vulnerability when it was a zero day before it was published and came out into the public. So we are looking at anything around like the, I think it's about April 14th, 15th time frame, and before we're going to consider Midnight Eclipse. And then anything after we'll probably, as we continue our analysis, we'll end up with different names. But that analysis is ongoing as the situation continues to expand with our analysis.

David Moulton: So you mentioned April 14th, 15th, was that when Midnight Eclipse Activity was first identified?

Andy Piazza: No. The initial activity was identified by our partners over at Flexity on April 10th. They had a compromised client, they identified, they were able to see that there was a vulnerability in our firewall. They reached out to our product security and incident response team, our PSIRT. They began collaborating right away with us. You know, Flexity is a cyber-security firm, they focus on incident response, network security monitoring, and threat intelligence. They've been a really good partner with us. So we started working with them on April 10th to work through the intelligence in the incidents they were seeing and get some intelligence out into our actual security advisory later on.

David Moulton: Can you provide more detail on the specific tools that the threat actor installed and the sensitive credentials that they collected after establishing access to the firewall?

Andy Piazza: Yeah. So, you know, sticking to that pre-public exploit code release, right, so what the activity we're considering Midnight Eclipse, we saw threat actors leveraging native Linux commands. We saw them creating like a zero byte file, kind of test their access, and then we saw them switch to using Wget to pull a copy of the configuration file from the firewall. In that configuration file, there are some sensitive credentials, so they are traditionally used on the firewall itself, so we encourage clients looking for that type of activity. If we've seen that, we need to talk about like rolling credentials from those, right, or updating new passwords and stuff. But once we saw them interacting, what we call like level three activity, that means interactive access with the firewall, we saw them using, well, attempt to use a Python-based backdoor that Flexly had named Upstyle. However, the threat actor struggled a bit to get Upstyle operational, and they ended up switching back to using native Linux commands, again, using a cron job backdoor to carry out their post-exploitation activities. This cron job was effectively running every minute, and it executed a Wget command out to an external C2 server, and was pulling in a set of commands that the threat actor was pushing onto that external server. The Wget cron job would grab those commands, pull it in, and run it as bash on the firewall. So ultimately, with the exception of that Upstyle backdoor, we didn't see a lot of custom tooling or installation of external tools. We primarily saw this threat actor using living off the land techniques, which means they just used tools that are natively installed on the firewall.

David Moulton: Andy, how did the threat actor gain access to the client's firewalls?

Andy Piazza: So, yeah, with the threat actors, you know, they leveraged a previously unknown vulnerability in the PanOS software, that was allowing them to run those arbitrary commands. We won't go into the specifics of how the exploit worked, although there's proof of concept code out there, and a number of threat researchers have written plenty about it. But that is now available, patched in the available patches, so we encourage clients to install those patches and close those vulnerabilities.

David Moulton: Talk to me a little bit how Valexity and Palo Alto Networks respond to the Midnight Eclipse activity.

Andy Piazza: Yeah, so the Valexity and Palo Alto Networks product security and response team initially, right, they began collaborating on April 10th when Valexity identified the activity and they reached out to us. PSIRT, right, as we call our product security and response team, they reached out to Unit 42 Threat Intelligence and brought us into the conversation. We began assessing the activity as well, working with them. On April 10th, we published our security advisory for CVE-2024-3400 in parallel with our Unit 42 threat brief on Operation Midnight Eclipse. We also worked in parallel to time that blog with Valexity's blog on their zero-day activity they observed. We worked closely with Valexity team during that period and through subsequent responses to ensure that our findings and their findings were shared and we were pushing them out to defenders and our impacted clients.

David Moulton: When was the patch released, and what impact did it have on the threat researchers?

Andy Piazza: So we published the patch on April 14th and any time a patch is released for a critical vulnerability, especially for zero-day, it kind of starts a clock for security researchers and defenders, but also threat actors to try to figure out how the details of the vulnerability, right, how does that vulnerability work and to develop proof of concept code to exploit it. For security researchers, right, we use proof of concept or POCs, P-O-C's, to test and mitigate patches, right, so we want to run those after we've patched and see if they actually work or if we have mitigations in place. We can actually run that proof of concept exploit code to see if it actually works and to ensure our overall security posture is solid. Unfortunately, threat actors also are part of that race and they're going to use those publicly released POCs against unpatched organizations for their own malicious activities. This is one of the reasons, you know, we're working hard to analyze every finding and we're clustering them into kind of groups of activity and we're working to separate out and track what we believe is the original midnight eclipse activity from some of that post-public exploit code, what we can kind of consider opportunistic activities. This is, I just can't stress enough, anytime a patch is available for a perimeter device, especially when we're talking critical vulnerability or zero-day, organizations must prioritize those patches as quickly as possible and really especially too when there's known exploitation vulnerabilities.

David Moulton: What's the first non-midnight eclipse activity observed on customer firewalls and what analysis is being conducted?

Andy Piazza: So we're still working through that analysis and hope to have an update to the threat brief on a separate blog or a separate blog in the coming weeks. I can definitely say we saw an uptick in testing of the vulnerability within hours of the first public exploit code. Simple things of, like, test one, two, three, those types of things. So some of those are security researchers, we see, you know, widespread Internet scanning as the -- some of the common security tools that we use every day to defend clients starting to get some of those detections in place in their tools. So there is a lot of Internet noise we have to filter out and then there's a lot of kind of security researcher testing that we have to filter out and then we start clustering the different types of actual techniques that we see as we see tools or TTPs being used or tactic techniques and procedures, sorry, TTPs. But all my threat intelligence teams right now are working through that clustering and again, we're hoping to have an update out in the next week or two on what we're seeing.

David Moulton: And how has Palo Alto Networks collaborated with clients, and what updates have been made to the Unit 42 threat brief and the CVE security advisory?

Andy Piazza: Yeah, so we're, you know, we're obviously committed to, you know, transparent rapid sharing, and we've been on plenty of client calls as they've been working cases and sending in files for analysis. We obviously need to protect the data that belongs to our customers and but we've been frequently updating the both the advisory, the original security advisory for 3400 and the threat brief with any data we're able to share externally. We've kept those up to date. I mean, some of them, you know, every day or two with our understanding how the CVE works and what mitigations we have in place. Threat brief is kept up to date with our understanding of the exploitation and how to hunt for it as well.

David Moulton: Could you elaborate on the measures taken by Palo Alto Networks to support clients through the technical analysis and the development of a strategic intelligence picture, particularly regarding the attribution of midnight eclipse activity?

Andy Piazza: Yeah, absolutely. I'll say, you know, for the first two weeks of activity, our threat intel analysts have been heads down in the technical analysis to support clients, you know, identifying IOCs, right indicators, compromised and the tactics, techniques, procedures, TTPs, and then sharing those with our incident responders, our threat hunters and our product security and response team, PSIRT. The priority across Palo Alto Networks has been on supporting clients with that triage. We've had engineering building custom tools to help us with this triage, to help us quickly assess the technical support files and identify which have evidence of those higher levels of activity, right, based on those levels I mentioned we published in the threat brief. And then for the threat intel team, we have as we always support and prioritize instant response. We've recently been able to shift a few of our folks now to -- we're kind of, you know, three weeks into this activity. They're starting to look at that strategic picture, clustering TTPs, infrastructure analysis, and other types of kind of grouping and attribution analysis. But really, that priority is always going to be on what the clients are seeing right now first and how can we support and mitigate any activity. You know, the understanding of the strategic picture is important to us, but that is a lower priority than ensuring that clients are protected and getting the mitigations necessary. We've also received a lot of support from intel sharing partners on the types of activity they're seeing in our in their analysis, and that's been really, really beneficial in helping us in our response as well.

David Moulton: What steps are being taken to ensure the accuracy and reliability of the information being shared in the unit 42 threat brief and the CVE security advisory, especially as that new intel that you mentioned is coming in and the mitigations are identified?

Andy Piazza: So it's important to understand as we're working active instant response cases that the intelligence picture that we're putting out in the threat brief is what we know at the time, but that intelligence picture continues to evolve as we work additional cases and find it additional leads and get it to intelligence shared from partners and also from the insert response cases. So we've been updating the threat brief regularly as we pull in the new intelligence. We reassess our key assumptions based on that intel and then continue to develop the overall picture. So, for example, we recently updated threat brief to clarify the threat actors challenges with the Upstyle backdoor. We originally believed that was their means for persistence lateral movement, but a unit 42 analyst identified some of the challenges the actors had with their commands. They escalated for review and we were able to make some adjustments to the threat brief to clarify what we believe happened where they pivoted to that cron job doing the backdoor every minute, right? So to ensure that accuracy and reliability, we have a lot of experts within the company reviewing the threat brief and its updates. This includes both threat intelligence analysts working to understand exploitation and the insert responders who are on the ground with impacted customers. Plus, as we publish things, we're getting additional feedback from our intel sharing partners based off of what they're seeing in the activity, too.

David Moulton: Andy, as we wrap up here, what's the most important thing that a listener should remember from this conversation?

Andy Piazza: I think the most important thing is, as I said, if it's -- when a critical vulnerability comes out, especially when there's known exploitation, that should always be a priority for mitigations and patching, even more so when it's an edge device like a firewall or a VPN and some of the other kind of critical vulnerabilities we've seen on the perimeter over the last few years, those need to be prioritized. This is one of the hardest parts of the network to defend and that's the thing. You know, it's facing the Internet, some of the most dangerous scanning activity and, you know, kind of bad guy's eyes on. So really prioritizing, patching those devices and putting mitigations in place for them. It's really critical.

David Moulton: Andy, thanks for joining me today on Threat Factor to discuss the zero-day vulnerability and the midnight eclipse activity that you all have seen and been reporting on.

Andy Piazza: [Music] All right. Thank you for the opportunity to talk about what the team's been doing and just really put out the good work that they are doing, but also get this message out to clients that we're continuing to work through this and support them. So they should continue to work with their client reps and get the information over to us if they have any concerns, but really appreciate the opportunity and the support. [ Music ]

Unidentified Speaker: [Music] Palo Alto Networks is aware of targeted attacks exploiting this vulnerability. The attacks have been observed using various methods of exploit, including web requests to access created files, running commands to gather configuration files, attempting to install a Python-based backdoor called UpStyle, installing a Cronjob backdoor to receive commands from an external server. Proof of concepts for the vulnerability have now been publicly disclosed by third parties, and since we've observed a lot of internal scanning, testing, and some exploitation of the vulnerability. Palo Alto Networks has released hotfixes for affected PanOS versions. Customers are strongly advised to upgrade to a fixed version immediately. Additionally, Palo Alto Networks recommends the following mitigation strategies. Enable threat prevention and ensure relevant signatures are deployed. Monitor network traffic for suspicious activity. Reach out to Palo Alto Networks support if you believe your firewall has been compromised. For the most recent information from Uni42 on this topic, please read the threat brief at uni42.paloaltonetworks.com / cve-2024-3400. That's it for Threat Vector. I want to thank my executive producer, Michael Heller, our content production teams, which includes Shada Azimi, Sheila Drosky, Tanya Wilkins, and Danny Millred. I edit the show and Elliot Peltzman mixes the show. We'll be back in two weeks. Stay secure. Stay vigilant. Goodbye for now. [ Music ]