Operation MidnightEclipse was a campaign conducted in March and April 2024 that involved initial exploitation of the zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Operation MidnightEclipse, threat actors used |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | During Operation MidnightEclipse, threat actors piped output from stdout to bash for execution.[1][2] |
| Enterprise | T1584.003 | Compromise Infrastructure: Virtual Private Server | During Operation MidnightEclipse, threat actors abused Virtual Private Servers to store malicious files.[1] |
| Enterprise | T1584.006 | Compromise Infrastructure: Web Services | During Operation MidnightEclipse, threat actors abused compromised AWS buckets to store files.[1] |
| Enterprise | T1005 | Data from Local System | During Operation MidnightEclipse, threat actors stole saved cookies and login data from targeted systems.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | During Operation MidnightEclipse, threat actors copied files to the web application folder on compromised devices for exfiltration.[2] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Operation MidnightEclipse, threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | During Operation MidnightEclipse, threat actors downloaded additional payloads on compromised devices.[1][2] |
| Enterprise | T1559 | Inter-Process Communication | During Operation MidnightEclipse, threat actors wrote output to stdout then piped it to bash for execution.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel (GOST) reverse proxy tool.[1] |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | During Operation MidnightEclipse, threat actors obtained Active Directory credentials via the NTDS.DIT file.[1] |
| Enterprise | T1090 | Proxy | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel reverse proxy tool.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | During Operation MidnightEclipse, threat actors used SMB to pivot internally in victim networks.[1] |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | During Operation MidnightEclipse, threat actors used WinRM to move laterally in targeted networks.[1] |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | During Operation MidnightEclipse, threat actors configured cron jobs to retrieve payloads from actor-controlled infrastructure.[1][2] |
| Enterprise | T1078 | Valid Accounts | During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During Operation MidnightEclipse, threat actors used a compromised domain admin account to move laterally.[1] |
| ID | Name | Description |
|---|---|---|
| S1164 | UPSTYLE | During Operation MidnightEclipse, threat actors made multiple attempts to install UPSTYLE.[1][2] |