RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit
Editorial and additional commentary by Tricia Howard
Customers with Akamai App & API Protector can detect and deny attempts by configuring the Web Platform Attack, Command Injection, and Local File Inclusion group action to “Deny” to enhance protection.
Executive summary
Expanded arsenal: Threat actors behind the RedTail cryptomining malware, initially reported in early 2024, have incorporated the recent Palo Alto PAN-OS CVE-2024-3400 vulnerability into their toolkit.
Private cryptomining pools: The attackers have taken a step forward by employing private cryptomining pools for greater control over mining outcomes despite the increased operational and financial costs. This mirrors tactics used by the Lazarus group, leading to speculation about attack attribution.
Advanced techniques: The new variant of RedTail now includes antiresearch techniques that were not previously observed.
Multiple exploits: The malware spreads by using at least six different web exploits, targeting Internet of Things (IoT) devices (such as TP-Link routers), web applications (including the China-origin content management system ThinkPHP), …
IoC