A new wave of cyberattacks has been reported, leveraging a critical zero-day vulnerability in Palo Alto Networks’ firewall software, PAN-OS. The flaw, identified as CVE-2024-3400 and assigned a maximum CVSS score of 10.0, enables unauthenticated attackers to execute arbitrary code with root privileges, significantly compromising the security of affected systems.
Researchers from Akamai have observed that the RedTail cryptomining malware is exploiting this vulnerability. The malware is notably sophisticated, exhibiting a deep understanding of cryptomining operations. Unlike typical cryptomining software that uses public mining pools, RedTail’s operators have established private mining pools or proxies. This approach allows for greater control over mining outcomes despite the higher operational and financial costs involved.
Updated Tools and Techniques: The latest version of RedTail, active since late April, includes several updated tools:
Encrypted Mining Configuration: This adds a layer of security and obfuscation to the malware's operations.
Self-Process Debugging: A tactic to evade analysis and hinder detection.
Cron Job Integration: Ensures persistence by automatically restarting the malware after the system reboots.
Usage of RandomX Algorithm: Boosts mining efficiency.
Alteration of System Configuration: Employs hugepages to optimize memory usage and performance.
Akamai's security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik reported, "There are many glossy cryptominers out there, but seeing one with this level of polish is uncommon. The investments required to run a private cryptomining operation are significant, including staffing, infrastructure, and obfuscation. This sophistication may be indicative of a nation-state–sponsored attack group. For any business, there is ongoing testing and evolution to ensure that the product (in this case, malware) is successful, which is unlikely to be done without some type of substantial financial backing. The malware was likely quite profitable if it garnered this degree of attention from a sophisticated group.”
It Is Not Done Yet
The threat actors behind RedTail are not solely dependent on the PAN-OS vulnerability. They also exploit various other vulnerabilities across different platforms and devices, including SSL-VPNs, IoT devices, web applications, and security appliances like Ivanti Connect Secure.
What You Can Do?
In response to this threat, Akamai advises using the Akamai App & API Protector for enhanced security measures. Organizations should identify and patch all vulnerable Palo Alto devices to mitigate the risk posed by the CVE-2024-3400 flaw. Hardening devices against various types of cyberattacks, including web platform attacks, command injections, and local file inclusion, is recommended.
