Palo Alto Firewalls Compromised by Alleged Chinese Hackers

Hackers have recently targeted a vulnerability in Palo Alto firewalls, exploiting it to install a custom malware backdoor for espionage purposes. This suspected Chinese hacking campaign has raised concerns among cybersecurity experts who are closely monitoring the situation.

The malware backdoor, identified as a variant of Littlelamb.Wooltea, is believed to be linked to a Chinese hacking group known as UNC5325. According to researchers from cybersecurity firm Northwave, this campaign began shortly after Palo Alto revealed a medium-severity privilege escalation flaw, tracked as CVE-2024-9474, affecting its PAN-OS software.

The flaw, which allows threat actors to perform actions on the firewall with root privileges, was exploited by hackers to download a file called “bwmupdate” that installs the malware backdoor disguised as a “logd” file. The variant comes equipped with 30 commands that provide its core functionality and advanced stealth capabilities.

The malware’s capabilities include reading and writing files, establishing network tunnels, facilitating shell connections, and setting up a SOCKS5 proxy to coordinate multiple listening ports and track outgoing connections. In addition to the malware backdoor, threat actors have deployed additional payloads to retrieve content from external servers or repositories.

Security firm Darktrace reported earlier this month that threat actors exploiting the vulnerability have used multiple nodes to manage network connections, sending messages to establish network handshakes, track lost connections, and listen for nodes. Palo Alto acknowledged that hackers exploited a second vulnerability, CVE-2024-0012, alongside CVE-2024-9474, and has since patched both flaws.

The company has advised system administrators to restrict access to the web management portal to trusted IP addresses only. While Palo Alto claims that the attacks only impacted a small number of PAN-OS devices, researchers estimate that these devices number in the thousands.

Details about the UNC5325 group remain limited, but it has been identified as a China-linked threat actor. In a similar hacking campaign, the group exploited a zero-day Ivanti Connect Secure VPN vulnerability to install a backdoor. A report by Fortinet also revealed a suspected Chinese campaign that exploited two n-days in Fortinet firewalls.

UNC5325’s activities align with China’s strategy of targeting edge devices, a tactic also adopted by other China-linked actors such as UNC3886 and UNC4841. These groups have been known to deploy similar tactics, highlighting the growing concern over state-sponsored cyber activities.

Overall, the recent wave of cyber attacks targeting Palo Alto firewalls underscores the evolving threat landscape and the need for organizations to remain vigilant against sophisticated hacking campaigns. Experts urge businesses to prioritize cybersecurity measures to defend against nation-state attacks and safeguard sensitive information from malicious actors.
