Palo Alto Networks recently discovered a zero-day vulnerability that was being actively exploited in PAN-OS, the software that runs all of their next-generation firewalls. Isn't that ironic? A security appliance that's normally used to protect enterprise networks from malicious traffic ended up being the entry point for it in a couple of breaches that have been disclosed so far. Now if we take a look at the advisory on paloaltonetworks.com, we can see that the bug is described as an OS command injection vulnerability in GlobalProtect. This GlobalProtect feature allows the security appliance to protect the traffic of its mobile users. Some of the features included with GlobalProtect are a remote access VPN, security mechanisms for organizations that have a bring-your-own-device policy, URL filtering, and advanced threat prevention: all of the things you would want in an enterprise network that has a remote workforce. Now the severity of this bug is rated a 10 out of 10, just like the command injection bug on Windows that Rust and a number of other programming languages had, or in the case of Java still has. And just like that bug, which I demonstrated in memory-safe Rust, using a memory-safe language would not have made any difference here. I only point that out because some people seem to think that Rust or other memory-safe languages are a magic bullet, especially now that government agencies and the commander in chief have specifically endorsed the language (or really the compiler, in the case of Rust) for enforcing better safety in compiled code. But command injection is a whole other class of bug that can still carry critical risk.
And I feel like this is a much more legit 10 out of 10 severity command injection bug than the Windows exploit we talked about last time, because there are actually organizations using these security appliances in affected configurations that have already had breaches, and I've got a feeling we're going to hear about more in the future. Now real quick, if you are using a Palo Alto security appliance, the affected configurations are PAN-OS 10.2, 11.0, and 11.1 with the GlobalProtect feature in use and device telemetry enabled. Hotfixes are available for those affected versions, but if you're not able to install the fix right away, then it's recommended to disable device telemetry to prevent the appliance from being exploited. Now we have some details from Volexity about the threat actor, aliased as UTA0218, and how they were able to exploit some organizations' firewalls and what they did afterwards. Based on the current timeline we have from them, initial exploitation happened on March 26, and after compromising the firewall, the threat actors would download additional tools from remote servers in order to facilitate access to the victims' networks. One of those tools was a custom Python backdoor that Volexity calls UPSTYLE. On the firewall it would have the name update.py, and its main content was stored as a Base64-encoded blob. This is part of the decoded main loop of the backdoor. This backdoor allowed the attackers to send commands to the compromised firewall in a request for a non-existent web page. The specific command pattern would show up in the web server's error log, which the backdoor would then look for and decode; the output from the command would be appended to the firewall's bootstrap.min.css file, where it would only stay for 15 seconds so that the command output could be read, and then both the bootstrap file and the error log are restored to cover up the backdoor's activity.
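As an added illustration (not Volexity's code and not anything shown in the video), here is a small defender-side check built around the two artifacts the backdoor touched: requests for non-existent pages in the web server's error log, and the integrity of a static asset such as bootstrap.min.css. The log lines, the "File does not exist:" message format and the hashes are all constructed for the example and are not the appliance's real log format.

```python
import hashlib
import re

# Constructed sample error-log lines (not copied from any real appliance).
SAMPLE_ERROR_LOG = [
    "2024-04-10 12:00:01 [error] File does not exist: /global-protect/portal/css/missing.css",
    "2024-04-10 12:00:05 [error] File does not exist: /global-protect/portal/img/`id`",
    "2024-04-10 12:00:09 [error] File does not exist: /favicon.ico",
    "2024-04-10 12:00:14 [error] File does not exist: /global-protect/x/aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmxvYg==",
]

# Assumed message format; adjust PATH_RE to the real log line layout.
PATH_RE = re.compile(r"File does not exist: (\S+)")
# Shell metacharacters have no business in a request for a static asset.
SHELL_META_RE = re.compile(r"[;|&`$(){}<>]")
# A long Base64-looking path segment (the backdoor's content was Base64 encoded).
BASE64_SEGMENT_RE = re.compile(r"[A-Za-z0-9+_=-]{24,}")


def suspicious_missing_file_requests(lines):
    """Return (line, reason) pairs for 404-style entries that look like a covert command channel."""
    hits = []
    for line in lines:
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if SHELL_META_RE.search(path):
            hits.append((line, "shell metacharacter in requested path"))
        elif any(BASE64_SEGMENT_RE.fullmatch(seg) for seg in path.split("/")):
            hits.append((line, "long Base64-like token in requested path"))
    return hits


def sha256_hex(data):
    """Hex SHA-256 of a byte string, used to baseline static files after a clean install or upgrade."""
    return hashlib.sha256(data).hexdigest()


def static_asset_tampered(content, baseline_sha256):
    """True when a static file such as bootstrap.min.css no longer matches its known-good hash."""
    return sha256_hex(content) != baseline_sha256


if __name__ == "__main__":
    for line, reason in suspicious_missing_file_requests(SAMPLE_ERROR_LOG):
        print(f"ALERT: {reason}: {line}")
```

Because the backdoor restored both files within seconds, the hash check is only useful if it runs frequently or off a file-change trigger rather than on a daily schedule.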
And in another breach the attacker set up a persistent backdoor by continuously fetching and executing the contents of a file named patch, which would check for the existence of a cron file named update and create it if it didn't exist; that cron entry would download a remote file named policy and execute it via bash every 60 seconds. So this policy file would get updated with whatever commands the attacker wanted to execute on the firewall; this is basically just their way of sending commands to it. Volexity observed six different versions of the policy file. The first contained a one-liner reverse shell written in Python. The second cleaned up some CSS files that contained command output from previous attacks and also exfiltrated the firewall's configuration file as a CSS file: it saved the config as a CSS file so the attacker could download it from the web server. The third policy file update removed the newly created CSS file that contained the firewall's configs. The fourth policy file was a failed attempt to download GOST, a simple tunnel written in Go. The fifth version of policy was a slightly modified version of the fourth that successfully downloaded the Go tunnel. And finally the sixth policy file downloaded and executed an open source reverse shell called ReverseSSH. Additional post-exploitation behavior was observed after the attacker was able to pivot to the victim's internal networks via SMB and WinRM. Once the attackers reached the internal network, they stole the Active Directory database, Windows event logs, and login data, cookies and local state data from Chrome and Microsoft Edge for specific targets. The data the attackers stole would allow them to effectively compromise the credentials for all of the victim's domain accounts, and of course the stolen cookies and login data could allow compromise of various specific online accounts as well.
And because this is a compromise of a firewall, we could see vulnerable networks long into the future, because unfortunately a lot of organizations just set and forget their firewalls. Maybe they'll make some changes as policies update, but those can be very infrequent, and most IT teams really wouldn't suspect the firewall itself to be a point of entry, because it's a security appliance. If anything we would expect attackers to try and bypass our firewalls, but as you can see here these devices can still be vulnerable, and they're oftentimes on the edge of your network, so they're actually much easier for someone to attack, or at least to interact with directly. So don't forget to assess the security of your security appliance as part of your network security policy. If you enjoyed this video, please like and share it to hack the algorithm, and check out my online store based.win where you can get awesome merch like the tie-dye tortilla or the Libre sleeveless shirt, perfect for touching grass on a nice spring or summer day, and of course you can save 10% off all products on based.win when you pay in Monero (XMR) at checkout. Have a great rest of your day.