RedTail cryptomining malware exploits new Palo Alto flaw

Threat actors behind the RedTail cryptomining malware have significantly expanded their capabilities by incorporating a newly discovered vulnerability in Palo Alto's PAN-OS. Initially reported in early 2024, the RedTail group has begun exploiting the CVE-2024-3400 vulnerability to boost their operations.

The CVE-2024-3400 vulnerability, identified in Palo Alto’s PAN-OS, allows attackers to create an arbitrary file, which can lead to command execution with root user privileges. By manipulating the SESSID cookie, attackers can exploit the system's file creation method to gain undue access. Although critical, the Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

In a move to enhance their cryptomining outcomes, the threat actors have established private cryptomining pools. Although more costly, this approach provides them with greater control over the mining process. This tactic is similar to those used by the notorious Lazarus group, prompting speculations about the possible attribution of these attacks to the same actors.

The updated variant of the RedTail malware includes several advanced techniques designed to thwart research and analysis efforts. The malware version now detected spreads through at least six different web exploits, targeting a variety of devices and applications, including TP-Link routers, the ThinkPHP content management system, SSL-VPNs, and security devices like Ivanti Connect Secure and Palo Alto’s GlobalProtect.

The malware servers responsible for disseminating this variant were highly active from early April through the beginning of May 2024, with PAN-OS exploitation observed from April 21 onwards. The malware delivery infrastructure is robust, relying on multiple unrelated servers hosted by legitimate companies, complicating shut-down efforts.

Deconstructing the downloaded binary file confirmed cryptomining suspicions. The binary was identified as a packed version of XMRig, an open-source Monero cryptocurrency miner. Significant differences were noted in this variant, notably the inclusion of encrypted configuration files and miner configurations that are decrypted post-execution for operation. The absence of a wallet address in the miner’s configuration suggests the use of private mining pools rather than public ones, indicating a more sophisticated operation.

The configuration analysis showed efforts to optimise mining operations, including the use of the RandomX algorithm and the ‘hugepages’ configuration, which enhances performance. Advanced evasion and persistence techniques are also a part of this malware, including self-forking to hinder debugging and adding cron jobs to maintain persistence.

An examination revealed the RedTail group’s use of multiple CVEs, including the recent Ivanti Connect Secure SSL-VPN vulnerabilities (CVE-2023-46805 and CVE-2024-21887). They also exploited older vulnerabilities such as TP-Link Router CVE-2023-1389, VMWare Workspace ONE Access vulnerability CVE-2022-22954, and ThinkPHP remote code execution vulnerabilities. Notably, no exploitation of the famous Log4Shell vulnerability was observed in this campaign, a departure from previous activities of the RedTail group.

The campaign’s activity underscores the need for immediate patching and the implementation of robust security measures. Given their criticality, IT teams are expected to promptly identify and patch Palo Alto devices, especially against this high-severity vulnerability.