
Palo Alto Networks patched a critical vulnerability, CVE-2024-3400, earlier this month. The flaw allows attackers to gain remote control of vulnerable firewalls, raising fears of widespread data breaches and system disruptions.
The vulnerability stems from manipulation of the “SESSID” cookie in PAN-OS, which inadvertently permits the creation of files with root-level access during each session. Attackers exploit this flaw to run malicious code through bash script manipulation, without needing any special privileges or user interaction.
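As an added illustration (not code from the original article or from Palo Alto Networks), the following Python script shows one way a defender could review web request logs for the cookie manipulation described above: it extracts the SESSID cookie from each request and flags values that do not look like a legitimate session token, then tallies the flagged requests per source address for alerting. The log line layout, the assumed 32-character hexadecimal token format and every sample line are constructed for this example and should be adapted to the real token format observed in your own environment.

```python
import re
from typing import Dict, List

# Constructed sample request log lines (not real PAN-OS logs; the layout is an
# assumption made for this example). Each line carries the raw Cookie header.
SAMPLE_LOG = """\
2024-04-12T10:01:02Z 198.51.100.7 POST /portal/login Cookie: SESSID=a1b2c3d4e5f60718293a4b5c6d7e8f90
2024-04-12T10:01:09Z 198.51.100.7 POST /portal/login Cookie: SESSID=constructed.anomaly-value_with/odd/chars
2024-04-12T10:02:11Z 203.0.113.5 GET /portal/login Cookie: SESSID=0f0e0d0c0b0a09080706050403020100
2024-04-12T10:03:30Z 203.0.113.9 POST /portal/login Cookie: theme=dark; SESSID=abc
2024-04-12T10:04:00Z 203.0.113.9 GET /portal/status Cookie: theme=dark
"""

# Assumption: a legitimate SESSID is a 32-character lowercase hexadecimal token.
VALID_SESSID = re.compile(r"^[0-9a-f]{32}$")
HEX_ONLY = re.compile(r"^[0-9a-f]*$")

# One log line: timestamp, source IP, method, path, then the raw Cookie header.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) Cookie: (?P<cookies>.*)$"
)


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into a name -> value map.

    Only the first '=' separates name from value; items without '=' are skipped
    rather than raising, so one malformed cookie cannot abort the whole scan.
    """
    cookies: Dict[str, str] = {}
    for item in header.split(";"):
        item = item.strip()
        if not item or "=" not in item:
            continue
        name, value = item.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def classify_sessid(value: str) -> str:
    """Return '' for a well-formed token, otherwise a short reason string."""
    if VALID_SESSID.match(value):
        return ""
    if not HEX_ONLY.match(value):
        return "unexpected characters"
    return "unexpected length"


def find_malformed_sessid(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose SESSID cookie fails the format check.

    Requests without a SESSID cookie are ignored: the check targets tampering
    with the session cookie, not its absence.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        sessid = parse_cookies(m.group("cookies")).get("SESSID")
        if sessid is None:
            continue
        reason = classify_sessid(sessid)
        if reason:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "path": m.group("path"),
                "sessid": sessid,
                "reason": reason,
            })
    return hits


def count_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally flagged requests per source IP, a simple input for alert thresholds."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["src"]] = counts.get(hit["src"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_malformed_sessid(SAMPLE_LOG)
    for hit in flagged:
        print(f"{hit['ts']} {hit['src']} {hit['path']}: {hit['reason']} ({hit['sessid']!r})")
    print("flagged requests per source:", count_by_source(flagged))
```

The allowlist approach (accept only the expected token shape, flag everything else) is deliberate: it does not need to know what a malicious cookie looks like, so it keeps working if attackers vary their payloads, and it stays useful after patching as a tripwire for repeated probing from the same source.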
Working proof-of-concept (PoC) code has been released, and active exploitation attempts have been seen in the wild. Attackers have used the vulnerability to install the XMRig cryptocurrency mining malware.
The exploitation chain begins by delivering a malicious bash script, ldr.sh, onto the compromised firewall. The script disables security services and removes any existing malware, clearing the path for the installation of XMRig from a known malicious server. The attackers then attempt to spread the malware to other reachable hosts via SSH configurations and cover their tracks by deleting logs after exploitation.
Upon successful exploitation, the XMRig malware, known for its use in cryptocurrency mining operations, is downloaded and executed. The malware, written in Golang, runs on both Linux and Windows platforms.
While the immediate impact revolves around unauthorized cryptocurrency mining, security experts warn that XMRig is often just the start. Threat actors leverage control of a firewall to infiltrate a network, deploy more dangerous malware, and steal sensitive company data.
Organizations relying on Palo Alto firewalls are strongly urged to apply available patches immediately. If unsure of the process, IT administrators should contact Palo Alto Networks support for guidance.
US CISA has also added CVE-2024-3400 to its Known Exploited Vulnerabilities Catalog, a clear indication that attackers are actively compromising businesses using this flaw.

