Leverage NetFlow to Combat Operation MidnightEclipse and UPSTYLE!

By: Rob Cowart

April 15, 2024

The discovery of a critical zero-day flaw in Palo Alto Networks' PAN-OS software, given the name “Operation MidnightEclipse” and identified as CVE-2024-3400, has sent shockwaves through the cybersecurity community, catalyzing urgent action across the cybersecurity landscape. Malicious actors have already exploited this flaw, successfully breaching organizations’ perimeter defenses.

Cybersecurity firm Volexity stated, "The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives."

This demands a steadfast response. Specifically, the strategic use of NetFlow data delivers precise visibility into network traffic and is an indispensable tool for identifying and neutralizing threats once traditional defenses fall short.

Cracking the Code of the Attack

The perpetrator, assigned the moniker UTA0218 by Volexity, leveraged CVE-2024-3400 to execute arbitrary code with root access on compromised firewalls. This sophisticated attack involved establishing a cron job to pull commands from an external server and execute them through the bash shell. To compound the intrusion, a Python-based backdoor named UPSTYLE was deployed, facilitating further malicious activity such as lateral movement, data theft, and credential harvesting.

Unleashing NetFlow to Track Down Malicious Actors

Post-breach scenarios, especially those involving compromised PAN-OS, call for the strategic deployment of NetFlow data. This data, exported by routers and switches, meticulously records the source, destination, timing, and volume of network traffic. Combined with a comprehensive NetFlow analytics solution, security teams gain a potent means to detect abnormal activity that indicates a breach and to trace the lateral movement of threat actors within a network. Here’s the battle plan with NetFlow:

Spot Anomalous Traffic Patterns: Operation MidnightEclipse exploits the PAN-OS flaw to create a cron job that fetches commands hosted on "172.233.228.93", which are executed using the bash shell. NetFlow analytics can shine a light on abnormal or “rare” traffic patterns that scream compromise. Security teams are able to quickly catch these red flags and identify compromised systems.

Expose Command and Control Communications: The commands executed are suspected to download a Python-based backdoor (UPSTYLE) on the firewall, which is hosted on 144.172.79.92. The Python file is designed to write and launch another Python script, which subsequently decodes and runs the embedded backdoor component responsible for executing the threat actor's commands. Fully decoded and enriched NetFlow Data allows security teams to cut through the noise and pinpoint traffic that could be part of such a Command and Control (C2) setup.

Map the Enemy’s Movements: Post-breach, attackers often navigate laterally across the network. Cybersecurity firm Volexity said it observed the threat actor remotely exploiting the firewall to create a reverse shell, download additional tooling, pivot into internal networks, and ultimately exfiltrate data. NetFlow data is crucial to charting these movements, revealing traffic between internal devices and exposing compromised hosts.

Dig into Historical Traffic for Clues: Threat actors have been exploiting the newly disclosed zero-day PAN-OS flaw since at least March 26, 2024, nearly three weeks before it was first discovered. A NetFlow collection solution must be capable of storing data over time. This is key to understanding when and how the breach unfolded and pinpointing traffic pattern changes tied to the attack timeline.

When using ElastiFlow, a simple query can be run across historical NetFlow data to quickly identify if and when an organization may have been compromised by Operation MidnightEclipse and UPSTYLE:

172.233.228.93 OR 144.172.79.92

Forensic Investigation and Attribution: The logging of network communications provides the detailed, timestamped evidence necessary for forensic investigations. This data is instrumental in attributing breaches to specific threat actors, comparing network activities against known malicious IPs, domain names, or other indicators of compromise.
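The battle plan above (spot contact with the two indicator hosts, fix the first-contact time from historical data, then follow internal-to-internal flows from the affected host) can be worked through on exported flow records. The script below is an added example written for this post, not ElastiFlow code; the flow records are constructed, the 10.0.5.7 address standing in for a firewall management interface is an assumption, and the only real indicators in it are the two IP addresses the post quotes.

```python
"""Hunt flow records for the Operation MidnightEclipse / UPSTYLE indicators.

Added example for this post; not ElastiFlow code. All flow records below are
constructed, not captured traffic.
"""
import ipaddress
from datetime import datetime

# Indicator IPs quoted in the post: the command host and the UPSTYLE host.
IOC_IPS = frozenset({"172.233.228.93", "144.172.79.92"})

# RFC 1918 space is treated as "internal" for lateral-movement tracing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in the shape a flow collector typically exports
# (timestamp, source, destination, destination port, protocol, bytes).
# 10.0.5.7 stands in for a firewall management interface (assumption).
SAMPLE_FLOWS = [
    {"ts": "2024-03-25T23:58:30Z", "src": "10.0.5.7", "dst": "198.51.100.53", "dport": 53, "proto": "udp", "bytes": 120},
    {"ts": "2024-03-26T02:14:09Z", "src": "10.0.5.7", "dst": "172.233.228.93", "dport": 443, "proto": "tcp", "bytes": 1820},
    {"ts": "2024-03-26T02:14:40Z", "src": "10.0.5.7", "dst": "144.172.79.92", "dport": 80, "proto": "tcp", "bytes": 64210},
    {"ts": "2024-03-26T02:20:03Z", "src": "10.0.5.7", "dst": "10.0.20.15", "dport": 22, "proto": "tcp", "bytes": 9104},
    {"ts": "2024-03-26T02:31:50Z", "src": "10.0.20.15", "dst": "10.0.20.40", "dport": 445, "proto": "tcp", "bytes": 51000},
    {"ts": "2024-03-26T03:05:00Z", "src": "10.0.9.2", "dst": "10.0.20.15", "dport": 443, "proto": "tcp", "bytes": 700},
    {"ts": "2024-03-27T09:01:11Z", "src": "10.0.20.40", "dst": "198.51.100.44", "dport": 443, "proto": "tcp", "bytes": 48_000_000},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-26T02:14:09Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_internal(ip: str) -> bool:
    """True when the address falls inside RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_ioc_hits(flows, iocs=IOC_IPS):
    """Equivalent of the post's '172.233.228.93 OR 144.172.79.92' query.

    Returns {local_host: {"first_seen": ts, "indicators": [ip, ...]}}, keeping
    the earliest contact per local host so the timeline has a start point.
    """
    hits = {}
    for f in sorted(flows, key=lambda f: parse_ts(f["ts"])):
        for local, remote in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if remote in iocs:
                entry = hits.setdefault(local, {"first_seen": f["ts"], "indicators": set()})
                entry["indicators"].add(remote)
    for entry in hits.values():
        entry["indicators"] = sorted(entry["indicators"])
    return hits


def trace_lateral(flows, hits):
    """Follow internal-to-internal flows outward from hosts that touched an IOC.

    A destination reached by a suspect host after its first IOC contact becomes
    suspect itself, so chains of pivots are followed transitively. Returns the
    suspect edges in time order plus the resulting suspect host set.
    """
    suspect = {h: parse_ts(v["first_seen"]) for h, v in hits.items()}
    edges = []
    for f in sorted(flows, key=lambda f: parse_ts(f["ts"])):
        if not (is_internal(f["src"]) and is_internal(f["dst"])):
            continue
        t = parse_ts(f["ts"])
        if f["src"] in suspect and t >= suspect[f["src"]]:
            edges.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "dport": f["dport"], "bytes": f["bytes"]})
            suspect.setdefault(f["dst"], t)
    return {"edges": edges, "suspect_hosts": {h: t.isoformat() for h, t in suspect.items()}}


def outbound_after_compromise(flows, suspect_hosts, min_bytes=1_000_000):
    """Large external transfers from suspect hosts after their suspect time:
    candidates for the exfiltration stage the post describes."""
    out = []
    for f in sorted(flows, key=lambda f: parse_ts(f["ts"])):
        since = suspect_hosts.get(f["src"])
        if since and not is_internal(f["dst"]) and f["dst"] not in IOC_IPS \
                and parse_ts(f["ts"]) >= datetime.fromisoformat(since) and f["bytes"] >= min_bytes:
            out.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "bytes": f["bytes"]})
    return out


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_FLOWS)
    lateral = trace_lateral(SAMPLE_FLOWS, hits)
    for host, info in hits.items():
        print(f"IOC contact: {host} first seen {info['first_seen']} -> {info['indicators']}")
    for e in lateral["edges"]:
        print(f"lateral: {e['ts']} {e['src']} -> {e['dst']}:{e['dport']}")
    for x in outbound_after_compromise(SAMPLE_FLOWS, lateral["suspect_hosts"]):
        print(f"exfil candidate: {x['ts']} {x['src']} -> {x['dst']} ({x['bytes']} bytes)")
```

On the constructed data the first stage reports 10.0.5.7 as the only host that spoke to either indicator, with first contact at 2024-03-26T02:14:09Z; the second stage follows the 10.0.5.7 to 10.0.20.15 to 10.0.20.40 chain while ignoring the unrelated inbound connection from 10.0.9.2, and the third stage surfaces the large transfer from 10.0.20.40 to an external address the day after. The same three passes apply to real collector exports once the record field names are mapped.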

Deploy NetFlow for Maximum Defense

To truly leverage NetFlow data for robust security monitoring, organizations must:

  • Activate NetFlow on all network devices for comprehensive visibility.

  • Avoid packet “sampling” to capture the full forensic value of traffic records.

  • Choose a NetFlow collector like ElastiFlow, capable of managing vast volumes of unsampled NetFlow data and retaining it for significant periods.

  • Integrate ElastiFlow with other security tools like SIEMs for enhanced threat detection through data correlation.

  • Regularly audit and review NetFlow data to sharpen detection tactics and stay one step ahead of emerging threats.

Start Leveraging ElastiFlow Now… And Fortify Your Night’s Rest!

Given the aggressive nature of cyber threats and the recent Palo Alto Networks zero-day debacle, incorporating NetFlow collection and advanced analytics capabilities into security operations is non-negotiable. Adopt a multi-layered cybersecurity approach that transcends traditional perimeter defenses. By integrating ElastiFlow’s cutting-edge NetFlow analytics into your threat detection and response arsenal, you position your organization to not just survive but thrive against sophisticated cyber adversaries.

Update June 2024: Since publishing this post, ElastiFlow has launched NetIntel, a product that enhances and enriches flow data with significantly more threat intelligence information.
