2026-05-07 SecurityWeek

Palo Alto Zero-Day Exploited in Chinese State Hacking Campaign

Tags: Zero-Day, APT, Vulnerability

Palo Alto Networks has confirmed the active exploitation of a critical zero-day vulnerability affecting its PAN-OS firewall software. The flaw, tracked as CVE-2024-3400 and rated critical with a CVSS score of 10.0, allows unauthenticated remote code execution through crafted requests to the management web interface. The vulnerability impacts PAN-OS versions 10.1, 10.2, and 11.0 when the GlobalProtect gateway feature is enabled. Security researchers at Palo Alto's Unit 42 team identified the vulnerability and released emergency patches addressing the issue across all affected versions.

The exploit campaign, detailed in a joint advisory by Palo Alto Networks, Mandiant, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), displays technical signatures consistent with UTA0218, a threat actor assessed with moderate-to-high confidence to be operating on behalf of the Chinese government. The attackers deployed a custom backdoor named GOPHANT, which establishes persistence through a scheduled task that executes commands every 60 seconds. The malware communicates with command-and-control servers using encrypted HTTP requests disguised as legitimate telemetry traffic to avoid detection.

According to Mandiant's threat intelligence analysis, the campaign has primarily targeted telecommunications providers, defense contractors, and government agencies across North America and Europe. The threat actors exploited the zero-day for at least six weeks before Palo Alto received reports of active exploitation on April 12, 2024. During this window, attackers compromised numerous organizations, exfiltrating sensitive communications data and network authentication credentials. Mandiant attributes the campaign to APT41, a Chinese state-sponsored group known for economic espionage and intellectual property theft operations.

Palo Alto Networks urges all customers running vulnerable PAN-OS versions to immediately apply the available patches or implement temporary mitigation measures, including disabling the GlobalProtect gateway if not required for business operations. CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate the flaw by May 3, 2024. Organizations unable to apply patches immediately should monitor for indicators of compromise, specifically searching for unusual scheduled tasks named 'GPHntyTask' and outbound connections to IP addresses associated with the GOPHANT infrastructure.
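The two indicators the advisory names, a scheduled task called 'GPHntyTask' and a backdoor that beacons on a fixed 60-second schedule, lend themselves to a simple triage script. The code below is an added example, not part of the SecurityWeek article or any Palo Alto Networks tooling; the task-listing and log formats are constructed, and the IP addresses are placeholders from the documentation ranges, not GOPHANT infrastructure.

```python
"""Added example: triage helpers for the scheduled-task name and the
fixed-interval beaconing described in the advisory. Formats and sample
data are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SUSPICIOUS_TASK_NAMES = {"GPHntyTask"}  # task name quoted in the advisory


def find_suspicious_tasks(task_listing):
    """Return task names from a 'name,schedule' listing that match the IoC."""
    hits = []
    for line in task_listing.strip().splitlines():
        name = line.split(",", 1)[0].strip()
        if name in SUSPICIOUS_TASK_NAMES:
            hits.append(name)
    return hits


def find_beacons(log_lines, period=60, min_hits=5, max_jitter=2.0):
    """Group outbound requests by (src, dst) and flag pairs whose
    inter-request gaps cluster tightly around `period` seconds.
    Each line: '<ISO timestamp> <src_ip> <dst_ip> <uri>' (constructed)."""
    times = defaultdict(list)
    for line in log_lines:
        ts, src, dst, _uri = line.split(maxsplit=3)
        times[(src, dst)].append(datetime.fromisoformat(ts))
    flagged = []
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Regular timing with little jitter is the hallmark of a scheduled beacon
        if abs(mean(gaps) - period) <= max_jitter and pstdev(gaps) <= max_jitter:
            flagged.append(pair)
    return flagged


# Constructed sample data; placeholder addresses from RFC 5737 ranges.
SAMPLE_TASKS = "GPHntyTask,PT1M\nBackupJob,P1D\n"
SAMPLE_LOG = [
    f"2024-04-13T10:{m:02d}:00 10.0.0.7 203.0.113.10 /api/telemetry"
    for m in range(6)
] + [
    "2024-04-13T10:00:12 10.0.0.7 198.51.100.5 /index.html",
    "2024-04-13T10:03:41 10.0.0.7 198.51.100.5 /css/main.css",
]

if __name__ == "__main__":
    print(find_suspicious_tasks(SAMPLE_TASKS))  # ['GPHntyTask']
    print(find_beacons(SAMPLE_LOG))  # [('10.0.0.7', '203.0.113.10')]
```

The beacon check is behavioural, so it catches the 60-second cadence even when the destination address is not yet on a published indicator list; destinations should still be compared against the addresses given in the joint advisory.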

Source: SecurityWeek
