5 min read · CRITICAL · CVE-2024-3400 · @Sdmrf

Operation MidnightEclipse: When Your Firewall Becomes the Attacker's Foothold

Tracking a campaign that compromised hundreds of Palo Alto devices through CVE-2024-3400. This one got ugly fast.


Remember when Palo Alto dropped that emergency advisory in April 2024? CVE-2024-3400, command injection in GlobalProtect, CVSS 10.0?

We now know a lot more about what happened. It wasn’t just mass exploitation by criminals - there was a coordinated campaign that got into some interesting places before anyone knew there was a problem.

Here’s what we’ve pieced together.

The Vulnerability

Quick recap: CVE-2024-3400 was a command injection in PAN-OS GlobalProtect. An unauthenticated attacker could send a crafted request and execute arbitrary commands as root.

Affected: PAN-OS 10.2, 11.0, and 11.1 with GlobalProtect gateway or portal enabled.

That’s a lot of devices.

The Timeline

March 26, 2024: Volexity discovers exploitation during an incident response. Contacts Palo Alto.

March 26 - April 10: Palo Alto develops patches while exploitation continues in the wild.

April 10: Emergency advisory published. Limited details initially.

April 11: Patches start rolling out.

April 12: PoC code appears publicly. Mass exploitation begins.

April-May: Cleanup and incident response across thousands of organizations.

Notice anything? There was a roughly 2-week window where the vulnerability was being exploited before defenders knew about it. That’s the zero-day window that got people hurt.

Who Got In Early

The early exploitation (before public disclosure) was different from the mass scanning that came after.

Based on reporting from Volexity, Unit 42, and others:

UTA0218 - The threat actor present before disclosure. Characteristics:

  • Surgical targeting (specific organizations, not mass scanning)
  • Custom implant deployment (UPSTYLE backdoor)
  • Credential harvesting focus
  • Lateral movement into internal networks
  • Data exfiltration

This wasn’t opportunistic. Someone knew about the vulnerability, had exploits ready, and was using it for targeted access.

Later reporting suggested links to Chinese state-sponsored activity. Makes sense given the targeting and sophistication.

The UPSTYLE Implant

The custom backdoor deployed was interesting:

  • Python-based
  • Used the device’s legitimate logging mechanism for persistence
  • Communicated via HTTPS to attacker infrastructure
  • Could execute commands, transfer files
  • Survived reboots but not firmware upgrades

It was designed specifically for PAN-OS. Someone did their homework.

What Made This Worse

1. Telemetry Blindness

Firewalls don’t typically have EDR agents. Most organizations had no visibility into what was happening on the device itself.

The compromise happened. Data was exfiltrated. And nobody knew until weeks later when Volexity found it during an unrelated investigation.

2. Trusted Position

The firewall sees everything. Every connection in and out. Once compromised, attackers could:

  • Monitor all network traffic
  • Capture credentials in transit
  • Identify interesting internal targets
  • Understand network architecture

It’s the perfect reconnaissance platform.

3. Slow Patching

Even after the advisory, patching took time. Firewalls are critical infrastructure - at most organizations you can’t just reboot them during business hours.

Every day of delay was another day of exposure.

An Organization I Worked With

Can’t give specifics, but one org I helped had a bad experience with this.

How they found out: Their SOC noticed unusual data transfers from an internal file server. Investigation traced it back to access originating from… their own firewall’s management network.

What happened:

  • Attacker exploited the vuln around April 5th (before disclosure)
  • Deployed UPSTYLE variant
  • Used firewall access to pivot to internal network
  • Compromised service account with broad access
  • Exfiltrated data from file shares over 4 days
  • Noticed on April 11th (day after advisory)

Damage:

  • ~50GB of sensitive documents exfiltrated
  • Full network reconnaissance captured
  • Several credentials compromised
  • Mandatory breach disclosure

The attacker was in and out before anyone knew the vulnerability existed.

Lessons

This isn’t the first firewall zero-day. Won’t be the last. Some takeaways:

1. Perimeter Devices Are High-Value Targets

Nation-states invest in firewall exploits because the payoff is huge. Expect more zero-days in:

  • Firewalls
  • VPN appliances
  • Email gateways
  • Any internet-facing infrastructure

2. Detection Must Exist Beyond Endpoints

If your only detection is EDR, you’re blind to this entire attack chain until they touch an endpoint.

You need:

  • Network traffic analysis
  • Firewall log analysis (ironically)
  • Unusual outbound connection detection
  • File server access monitoring
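To make that list concrete, here is an added example (my code, not code from the original post) that runs four of those checks over constructed flow records: the firewall’s management address acting as a client of an internal file server (the indicator in the case study above), the firewall’s management plane reaching internet hosts outside an allowlist, regularly spaced outbound check-ins that look like a beacon, and bulk transfer from a file server to an external host. The network ranges, the management address 10.0.0.2, the file server, the allowlist entry and every log line are constructed assumptions; real PAN-OS traffic logs have a different layout, so the parser is a stand-in for whatever export you feed it.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed environment assumptions (not from the post): adjust to your network.
FW_MGMT_NET = ip_network("10.0.0.0/29")      # firewall management network
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # everything the org considers "inside"
FILE_SERVERS = {"10.20.0.15"}                # hosts whose outbound volume matters
OUTBOUND_ALLOWLIST = {"203.0.113.10"}        # destinations the firewall may legitimately reach

# Constructed flow records, one per line: "timestamp,src,dst,dport,bytes".
SAMPLE_LOG = """\
2024-04-06T02:00:00,10.0.0.2,198.51.100.77,443,1200
2024-04-06T02:10:00,10.0.0.2,198.51.100.77,443,1180
2024-04-06T02:20:00,10.0.0.2,198.51.100.77,443,1210
2024-04-06T02:30:00,10.0.0.2,198.51.100.77,443,1195
2024-04-06T02:31:00,10.0.0.2,10.20.0.15,445,4096
2024-04-06T03:00:00,10.20.0.15,198.51.100.77,443,900000000
2024-04-06T09:00:00,10.10.5.21,10.20.0.15,445,2048
2024-04-06T09:05:00,10.0.0.2,203.0.113.10,443,5000
"""


def parse_log(text):
    """Parse the CSV-style flow records into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def mgmt_to_internal(records):
    """Firewall management plane initiating connections into the internal network.
    A firewall forwards traffic; its management address should not be a client of
    internal file servers. This is the indicator from the post's case study."""
    return [r for r in records
            if ip_address(r["src"]) in FW_MGMT_NET
            and is_internal(r["dst"])
            and ip_address(r["dst"]) not in FW_MGMT_NET]


def unexpected_outbound(records):
    """Firewall management plane talking to the internet outside the allowlist."""
    return [r for r in records
            if ip_address(r["src"]) in FW_MGMT_NET
            and not is_internal(r["dst"])
            and r["dst"] not in OUTBOUND_ALLOWLIST]


def beacons(records, min_hits=3, max_jitter_s=60):
    """Regularly spaced outbound connections from the firewall. An implant that
    checks in on a timer shows a low standard deviation of inter-arrival times.
    Returns (src, dst, mean_interval_seconds) per suspicious pair."""
    by_pair = defaultdict(list)
    for r in records:
        if ip_address(r["src"]) in FW_MGMT_NET and not is_internal(r["dst"]):
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            found.append((*pair, round(mean(gaps))))
    return found


def bulk_outbound_from_file_servers(records, threshold_bytes):
    """Total bytes per (file server, external host) pair at or above a threshold."""
    totals = defaultdict(int)
    for r in records:
        if r["src"] in FILE_SERVERS and not is_internal(r["dst"]):
            totals[(r["src"], r["dst"])] += r["bytes"]
    return {pair: n for pair, n in totals.items() if n >= threshold_bytes}


def run_all(records, bulk_threshold=100_000_000):
    """Run every check and return the findings keyed by check name."""
    return {
        "mgmt_to_internal": mgmt_to_internal(records),
        "unexpected_outbound": unexpected_outbound(records),
        "beacons": beacons(records),
        "bulk_outbound": bulk_outbound_from_file_servers(records, bulk_threshold),
    }


if __name__ == "__main__":
    for name, hits in run_all(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

Tune FW_MGMT_NET, INTERNAL_NETS and the allowlist to your environment; the beacon check trades min_hits and max_jitter_s against how chatty legitimate update traffic is. None of these signals needs an agent on the firewall: they come from flow data the firewall already emits or a network sensor collects, which is the point of the section above.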

3. Patching Speed Matters

The difference between “patched April 11” and “patched April 18” was meaningful. Organizations that moved fast had less exposure.

Have processes for emergency patching of critical infrastructure.

4. Network Segmentation Helps

The firewall being compromised shouldn’t mean everything is compromised. Segment your networks. Limit what even the firewall can access.

5. Prepare for Zero-Days

You can’t patch what you don’t know about. But you can:

  • Limit exposure (do you really need GlobalProtect on the internet?)
  • Monitor for anomalies
  • Have incident response plans
  • Assume breach and design accordingly

Current Status

Months later, we’re still finding organizations that:

  • Never patched
  • Patched but didn’t investigate whether they were compromised
  • Were compromised and don’t know it

If you have Palo Alto devices:

  1. Confirm you’re on a patched version
  2. Review logs from March-April 2024 for indicators
  3. Check for unexpected configuration changes or files
  4. Consider a threat hunting engagement if you are a high-value target
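For step 1, and for the “Affected” condition stated earlier (the three trains, but only with a GlobalProtect gateway or portal enabled), here is an added example (my code, not the post’s or Palo Alto’s) that classifies a fleet of devices by PAN-OS version and GlobalProtect status. The post names the affected trains but not the fixed releases, so the FIRST_FIXED table holds obviously fake placeholders that must be replaced from the vendor advisory before use; the inventory and the `show system info` excerpt are constructed, and reading the version from a `sw-version:` line is an assumption about that output’s format. The detail worth getting right is version ordering: a hotfix suffix (-hN) sorts after its base release and before the next maintenance release.

```python
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Turn '11.1.2-h3' into a comparable tuple (11, 1, 2, 3). A release with no
    hotfix suffix gets hotfix 0, so 11.1.2 < 11.1.2-h3 < 11.1.3."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# Trains the post lists as affected. The fixed releases are NOT given in the post;
# these values are PLACEHOLDERS and must be replaced from the vendor advisory.
FIRST_FIXED = {
    (10, 2): "10.2.99-h99",  # PLACEHOLDER
    (11, 0): "11.0.99-h99",  # PLACEHOLDER
    (11, 1): "11.1.99-h99",  # PLACEHOLDER
}


def assess(version, globalprotect_enabled, fixed=FIRST_FIXED):
    """Classify one device as one of:
    'not_affected_train', 'patched', 'affected_train_no_globalprotect', 'vulnerable'."""
    v = parse_panos_version(version)
    train = v[:2]
    if train not in fixed:
        return "not_affected_train"
    if v >= parse_panos_version(fixed[train]):
        return "patched"
    if not globalprotect_enabled:
        # Per the post, the bug is reachable only with a GlobalProtect gateway or
        # portal enabled; still patch, but prioritise the exposed devices first.
        return "affected_train_no_globalprotect"
    return "vulnerable"


def version_from_system_info(output):
    """Pull the version out of a 'show system info' dump (assumed 'sw-version: X' line)."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found")


# Constructed fleet inventory: (hostname, PAN-OS version, GlobalProtect enabled).
INVENTORY = [
    ("fw-dc1", "11.1.2-h3", True),
    ("fw-dc2", "11.1.2", True),
    ("fw-branch", "10.2.9", False),
    ("fw-lab", "9.1.17", True),
]


def fleet_report(inventory, fixed=FIRST_FIXED):
    """Map each hostname to its classification."""
    return {host: assess(ver, gp, fixed) for host, ver, gp in inventory}


if __name__ == "__main__":
    # Constructed excerpt; the real command output has many more lines.
    sample_info = "hostname: fw-dc1\nsw-version: 11.1.2-h3\nmodel: PA-EXAMPLE\n"
    print("parsed from system info:", version_from_system_info(sample_info))
    for host, status in fleet_report(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices classed vulnerable get the emergency patch window; affected_train_no_globalprotect devices still need the patch but can wait for the regular cycle; everything else moves on to steps 2 and 3, since a patched version says nothing about whether the device was already compromised before the fix landed.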

The campaign is “over” but the access gained may still be in use.

The Meta-Problem

Every year: critical vuln in [Fortinet/Palo Alto/Cisco/Ivanti], mass exploitation, emergency patching.

The security industry’s answer to “how do we protect the network” increasingly depends on devices that themselves become the attack vector.

Zero Trust architectures that minimize reliance on perimeter devices are looking more attractive. Not because they’re perfect, but because they reduce the “firewall zero-day = game over” scenario.

Food for thought as you plan your next architecture refresh.


The device you trust to protect your network is also the device with the most attractive attack surface. Design accordingly.
