Decrypt LOL

Palo Alto Networks Discovers Critical Firewall Vulnerabilities

Quick take - On November 18, 2024, Palo Alto Networks disclosed two vulnerabilities in PAN-OS, the operating system on its firewalls: CVE-2024-0012, a critical authentication bypass in the management web interface, and CVE-2024-9474, a privilege escalation. Chained, they give an unauthenticated attacker root-level code execution. Arctic Wolf Labs tied the bugs to targeted intrusions within days, and John Althouse of FoxIO showed how JA4H fingerprints of the implant's HTTP requests can be used to hunt the whole activity cluster, while noting that such fingerprints only help where defenders actually capture plaintext egress traffic.

Fast Facts

  • Vulnerabilities disclosed: On November 18, 2024, Palo Alto Networks published advisories for CVE-2024-0012 (authentication bypass in the PAN-OS management web interface, rated critical) and CVE-2024-9474 (privilege escalation to root); chained, they allow unauthenticated remote code execution.
  • Intrusions detected: Arctic Wolf Labs reported intrusions against Palo Alto Networks devices shortly after disclosure and published Indicators of Compromise (IoCs) for the post-exploitation activity.
  • JA4H fingerprints: John Althouse of FoxIO, author of the JA4 suite, showed how the JA4H fingerprint of the implant's HTTP requests (method, version, header set, cookie fields and values) identifies the activity cluster.
  • C2 server identification: Pivoting on the JA4H fingerprint turned up two additional command and control (C2) servers, both listening on TCP port 31337.
  • Detection challenges: Detection engineering remains a cat-and-mouse game; JA4 gives defenders robust signatures, but fingerprinting plaintext C2 traffic only works where organizations actually capture and log that traffic.

Palo Alto Networks Discovers Critical Vulnerabilities

On November 18, 2024, Palo Alto Networks published advisories for two vulnerabilities in PAN-OS, the operating system on its firewalls: CVE-2024-0012, an authentication bypass in the management web interface rated critical, and CVE-2024-9474, a privilege escalation that lets a PAN-OS administrator run commands as root. Both live in the management web interface, which is why the vendor's primary mitigation was to restrict management access to trusted internal addresses.

Exploitation and Detection

On November 19, watchTowr published an analysis showing how the two bugs chain: the authentication bypass grants administrator access to the web interface, and the privilege escalation turns that into command execution as root. Arctic Wolf Labs detected intrusions against Palo Alto Networks devices shortly after disclosure and published its findings on November 22, 2024.

John Althouse of FoxIO picked up several of the Indicators of Compromise (IoCs) Arctic Wolf published and tied them to a single JA4H fingerprint of the implant's HTTP requests. His blog post walked through that fingerprint, introduced two further JA4H fingerprints from the same activity cluster, and derived a more general fingerprint that catches related activity while keeping false positives at an acceptable level.

Understanding JA4H Fingerprints

JA4H fingerprints an HTTP request rather than a TLS handshake. It looks at the request method, the HTTP version, the headers and their order, and the cookie fields and values, and renders them as four underscore-separated parts:

  • Part _a: a human-readable summary: the first two letters of the method, the HTTP version, a flag for whether a Cookie header is present, a flag for whether a Referer header is present, the number of headers (Cookie and Referer excluded) and the primary Accept-Language value, for example ge11cn05enus.
  • Part _b: a truncated SHA-256 of the header names in the order they were sent, excluding Cookie and Referer, so it identifies the client software rather than the request target.
  • Part _c: a truncated SHA-256 of the sorted cookie field names, which normally vary by website but are fixed by the implant in the C2 case.
  • Part _d: a truncated SHA-256 of the sorted cookie field=value pairs, and therefore typically unique per session or per victim.

Specificity rises from _a to _d, which is what makes the format useful for threat hunting: a loose match on _a and _b sweeps in related samples, while _c and _d narrow to one implant configuration or one victim. The blog post breaks down the fingerprint observed in this campaign and shows the HTTP request behind it. Only _a can be read directly; the other three parts are hashes, so reproducing _b and _c from scratch requires knowing exactly which header names and cookie field names the malware sets.

Challenges and Opportunities in Detection

Arctic Wolf confirmed that the malware sets five specific headers when it talks to its command and control (C2) server, which is enough to reproduce JA4H_b; the post shared a CyberChef recipe for doing so. JA4H_c was derived the same way from the cookie field the malware sets.

Open-source C2 frameworks such as Sliver are a gift to detection because operators so often leave the default HTTP profile in place. Once one JA4H fingerprint is known, pivoting on it across traffic or scan data surfaces other servers and victims in the same activity cluster. The post identified two additional C2 servers this way, both listening on TCP port 31337 during the window in which the vulnerabilities were being exploited, and documented the issuer and subject fields of their TLS certificates.

The ability to spot malicious "fingerprint neighbors", requests whose fingerprints differ from the known-bad one in only a part or two, is a core strength of the JA4 suite. Threat actors' habit of running default C2 configurations keeps handing defenders these opportunities; Sliver does ship evasion options, but they only matter if operators actually configure them. Detection engineering remains a cat-and-mouse game between adversaries and defenders, and JA4 is a versatile way to write robust signatures on the defender's side. The catch is visibility: JA4H works on plaintext HTTP, so it only helps organizations that actually capture and fingerprint that traffic. Netflow alone records no headers, and the resulting blind spot is the adversary's advantage.
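As an added example (not code from the FoxIO blog post or the JA4 project), the following Python computes JA4H for raw HTTP/1.x requests according to the four-part layout described above, and then performs the pivot the post describes: clustering on _a and _b to find fingerprint neighbors. It runs on three constructed requests, two beacons from the same hypothetical implant on two victims and one ordinary browser request. The beacons share _a, _b and _c and differ only in the value-derived _d, so grouping on _a and _b puts both victims in one bucket and the browser in another. The header names, cookie name, address and port in the samples are made up for illustration and are not the campaign's real IoCs; the convention of excluding Cookie and Referer from the header count follows my reading of the published JA4H spec.

```python
"""JA4H fingerprinting of raw HTTP/1.x requests, with a clustering pivot.

Added example for this article; not code from the FoxIO blog post or the
JA4 project. Follows the published JA4H layout: _a is a readable summary,
_b/_c/_d are SHA-256 hashes truncated to 12 hex characters. All sample
requests below are constructed; header names, cookie, IP and port are not
the campaign's real IoCs.
"""
import hashlib
from typing import Dict, List, Tuple


def _h12(s: str) -> str:
    """First 12 hex characters of SHA-256, the truncation JA4 uses for _b/_c/_d."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()[:12]


def parse_request(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request into (method, version, ordered header list)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, _target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return method, version, headers


def ja4h(raw: bytes) -> str:
    """Return the JA4H fingerprint 'a_b_c_d' for one request."""
    method, version, headers = parse_request(raw)
    cookie = next((v for k, v in headers if k.lower() == "cookie"), None)
    has_referer = any(k.lower() == "referer" for k, _ in headers)
    lang = next((v for k, v in headers if k.lower() == "accept-language"), "")

    # _a: method (2), version (2), cookie flag, referer flag, header count (2),
    # primary Accept-Language with the hyphen removed, zero-padded to 4 ("0000" if absent).
    # Per my reading of the JA4H spec, Cookie and Referer are excluded from the count and from _b.
    ver = version.split("/")[-1].replace(".", "")[:2].ljust(2, "0")   # HTTP/1.1 -> 11
    primary_lang = lang.split(",")[0].split(";")[0].strip().replace("-", "").lower()
    counted = [k for k, _ in headers if k.lower() not in ("cookie", "referer")]
    part_a = (f"{method[:2].lower()}{ver}"
              f"{'c' if cookie is not None else 'n'}{'r' if has_referer else 'n'}"
              f"{len(counted):02d}{primary_lang[:4].ljust(4, '0')}")

    # _b: header names in wire order. Same implant build -> same _b, whatever the target.
    part_b = _h12(",".join(counted))

    # _c/_d: sorted cookie field names, then sorted field=value pairs. Twelve zeros if no cookie.
    if cookie is None:
        part_c = part_d = "0" * 12
    else:
        pairs = [p.strip() for p in cookie.split(";") if p.strip()]
        part_c = _h12(",".join(sorted(p.split("=", 1)[0] for p in pairs)))
        part_d = _h12(",".join(sorted(pairs)))
    return f"{part_a}_{part_b}_{part_c}_{part_d}"


def cluster_by_ab(fingerprints: List[str]) -> Dict[str, List[str]]:
    """Group fingerprints on _a and _b: the 'fingerprint neighbor' pivot.
    Requests from one implant configuration land in one bucket even though
    the cookie-derived _c/_d differ per victim."""
    buckets: Dict[str, List[str]] = {}
    for fp in fingerprints:
        a, b = fp.split("_")[:2]
        buckets.setdefault(f"{a}_{b}", []).append(fp)
    return buckets


# Constructed samples: two beacons from the same hypothetical implant on two
# victims, and one ordinary browser request. 203.0.113.10 is a documentation address.
_BEACON = (b"GET /api/v1/status HTTP/1.1\r\n"
           b"Host: 203.0.113.10:31337\r\n"
           b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
           b"Accept: */*\r\n"
           b"Accept-Language: en-US,en;q=0.9\r\n"
           b"Cookie: PHPSESSID=%s\r\n"
           b"Connection: keep-alive\r\n\r\n")
VICTIM_A = _BEACON % b"3fd9c1a2e7b0"
VICTIM_B = _BEACON % b"9a77e0b41c5d"
BROWSER = (b"GET / HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/132.0\r\n"
           b"Accept: text/html,application/xhtml+xml\r\n"
           b"Accept-Language: en-US,en;q=0.5\r\n"
           b"Accept-Encoding: gzip, deflate, br\r\n"
           b"Connection: keep-alive\r\n"
           b"Upgrade-Insecure-Requests: 1\r\n\r\n")

if __name__ == "__main__":
    fps = [ja4h(VICTIM_A), ja4h(VICTIM_B), ja4h(BROWSER)]
    for fp in fps:
        print(fp)
    for key, members in cluster_by_ab(fps).items():
        print(f"{key}: {len(members)} request(s)")
```

The beacons fingerprint as ge11cn05enus_… and the browser as ge11nn07enus_…, so even the readable _a part separates them here; in real hunting the _a and _b pair is the watchlist key, _c pins the implant's cookie name, and _d is what you would drop to find the other victims.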

Original Source: Read the Full Article Here
