A suspected China-nexus hacking group tracked as UNC5325 has exploited vulnerabilities in Palo Alto Networks firewalls to deploy a variant of the custom backdoor Littlelamb.Wooltea. The campaign began in November 2024, shortly after Palo Alto Networks disclosed CVE-2024-9474, a medium-severity privilege escalation flaw in the PAN-OS management web interface. The flaw lets an attacker who can already reach the management interface as an administrator run actions on the firewall as root; chained with an authentication bypass on the same interface, it becomes a full remote foothold, which makes it a valuable entry point for cyberespionage. Researchers from Northwave found that the attackers dropped a malicious file, bwmupdate, that masqueraded as the legitimate logd binary to evade detection.
The backdoor installed by UNC5325 has a broad feature set: it can read and write files, establish network tunnels, and run SOCKS5 proxies that multiplex multiple outbound connections. It also provides shell access and routes its command-and-control traffic through multiple nodes, which gives the operators resilience and persistence if one path is lost. The malware tracks dropped connections and re-establishes them so that control over compromised systems is maintained. Security firm Darktrace separately reported that the attackers deployed additional payloads to fetch content from external servers, which suggests a broader strategy beyond initial access.
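The disguise described above (a file called bwmupdate presenting itself as logd) is the kind of thing a responder can hunt for by comparing what a process calls itself with the binary the kernel actually mapped. The script below is an added example written for this page, not Northwave's or Palo Alto Networks' tooling; the process table and the pid-to-executable mapping are constructed inline, and every PID and path in it is an assumption. Only the names bwmupdate and logd come from the article.

```python
"""Triage helper for the process-name masquerade described above.

Added example, not Northwave's or Palo Alto Networks' tooling. The process
table and the pid -> executable mapping are constructed inline; on a live
host they would come from `ps -eo pid,comm,args` and `readlink /proc/<pid>/exe`.
Only the names bwmupdate and logd come from the article; every PID and path
here is an assumption made up for the demonstration.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ps -eo pid,comm,args`. Row 3391 shows a
# binary that renamed its kernel-visible comm to "logd" (prctl(PR_SET_NAME));
# row 3405 shows one that only faked argv[0]. Both are made-up illustrations.
PS_OUTPUT = """\
  PID COMMAND         COMMAND
  412 logd            /usr/local/bin/logd -c /etc/logd.conf
 3391 logd            logd
 3402 sshd            /usr/sbin/sshd -D
 3405 bwmupdate       logd
"""

# Constructed pid -> readlink("/proc/<pid>/exe") results (paths assumed).
EXE_LINKS = {
    412: "/usr/local/bin/logd",
    3391: "/usr/bin/bwmupdate",
    3402: "/usr/sbin/sshd",
    3405: "/usr/bin/bwmupdate",
}

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")
COMM_LEN = 15  # Linux truncates comm to 15 characters (TASK_COMM_LEN - 1)


@dataclass(frozen=True)
class Finding:
    pid: int
    claimed_name: str
    exe_path: str
    reason: str


def parse_ps(text: str) -> list[tuple[int, str, str]]:
    """Return (pid, comm, args) rows from `ps -eo pid,comm,args`, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        match = PS_LINE.match(line)
        if match:
            rows.append((int(match.group(1)), match.group(2), match.group(3)))
    return rows


def find_masquerades(ps_text: str, exe_links: dict[int, str]) -> list[Finding]:
    """Flag processes whose visible name disagrees with the binary actually mapped.

    Two signals are compared with the basename of /proc/<pid>/exe: the
    kernel-visible comm (changeable with prctl(PR_SET_NAME)) and argv[0]
    (freely chosen by whoever called execve).
    """
    findings: list[Finding] = []
    for pid, comm, args in parse_ps(ps_text):
        exe = exe_links.get(pid)
        if exe is None:  # exited between ps and readlink, or no permission
            continue
        on_disk = os.path.basename(exe)
        argv0 = os.path.basename(args.split()[0]) if args.strip() else ""
        if comm != on_disk[:COMM_LEN]:
            findings.append(Finding(pid, comm, exe,
                                    f"comm {comm!r} but binary on disk is {on_disk!r}"))
        elif argv0 and argv0 != on_disk:
            findings.append(Finding(pid, comm, exe,
                                    f"argv[0] {argv0!r} but binary on disk is {on_disk!r}"))
    return findings


if __name__ == "__main__":
    for f in find_masquerades(PS_OUTPUT, EXE_LINKS):
        print(f"pid {f.pid}: {f.reason} ({f.exe_path})")
```

Treat the output as a triage list rather than a verdict: some legitimate daemons rename their own processes or threads, and a binary that was replaced on disk after it started will show " (deleted)" in the exe link, so each hit still needs the file itself examined. On a PAN-OS appliance you would run the collection from the vendor-supported shell or a forensic image rather than by installing tooling on the device.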
Palo Alto Networks patched CVE-2024-9474 together with CVE-2024-0012, an authentication bypass in the same management web interface that attackers chained with the privilege escalation, and urged administrators to restrict access to the web management interface to trusted internal IP addresses only. Although Palo Alto said only a “small number of devices” were affected, researchers estimate that the number of compromised systems could be in the thousands. The exploitation underlines the persistent threat to network edge devices, which are prime targets for advanced persistent threat (APT) groups precisely because of their privileged position in organizational infrastructure.
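The mitigation the vendor asked for, restricting the management web interface to trusted addresses, can be checked from a configuration export rather than by trusting a change ticket. The script below is an added example for this page, not Palo Alto Networks code: it parses a PAN-OS running-config XML export and reports whether the deviceconfig/system/permitted-ip allow-list actually confines the interface. The three configurations are constructed (hostnames, addresses and config version are assumptions), the element path is the one found in PAN-OS exports and should be verified against your own, and the 256-address threshold for calling an entry overbroad is this example's own choice.

```python
"""Audit the PAN-OS management-interface allow-list the advisory asks admins to set.

Added example, not Palo Alto Networks code. It reads a running-config XML
export and reports whether deviceconfig/system/permitted-ip actually confines
the management web interface. All three configs are constructed; hostnames,
addresses and the config version are assumptions for illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: no permitted-ip block at all, so any source that can route to
# the management interface can reach the web UI.
WEAK_CONFIG = """<config version="11.1.0">
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>edge-fw-01</hostname>
  </system></deviceconfig></entry></devices>
</config>"""

# Constructed: permitted-ip present but with a catch-all and an oversized range.
OVERBROAD_CONFIG = """<config version="11.1.0">
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>edge-fw-01</hostname>
    <permitted-ip>
      <entry name="0.0.0.0/0"/>
      <entry name="10.0.0.0/8"/>
    </permitted-ip>
  </system></deviceconfig></entry></devices>
</config>"""

# Constructed: the corrected setting, two administrative jump hosts only.
HARDENED_CONFIG = """<config version="11.1.0">
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>edge-fw-01</hostname>
    <permitted-ip>
      <entry name="10.20.30.5/32"/>
      <entry name="10.20.30.6"/>
    </permitted-ip>
  </system></deviceconfig></entry></devices>
</config>"""

# Element path as it appears in PAN-OS running-config exports (verify against yours).
PERMITTED_IP_PATH = "./devices/entry/deviceconfig/system/permitted-ip/entry"


def audit_permitted_ip(config_xml: str, max_addresses: int = 256) -> list[str]:
    """Return a list of issues; an empty list means the allow-list is acceptably tight.

    `max_addresses` is this example's own threshold (one IPv4 /24) for calling
    an entry overbroad; pick whatever your change-control policy allows.
    """
    root = ET.fromstring(config_xml)
    entries = [e.get("name", "") for e in root.findall(PERMITTED_IP_PATH)]
    if not entries:
        return ["permitted-ip not configured: management web UI accepts any source"]
    issues = []
    for name in entries:
        try:
            net = ipaddress.ip_network(name, strict=False)  # bare host -> /32 or /128
        except ValueError:
            issues.append(f"unparseable permitted-ip entry {name!r}")
            continue
        if net.prefixlen == 0:
            issues.append(f"{name} permits every source; equivalent to no restriction")
        elif net.num_addresses > max_addresses:
            issues.append(f"{name} permits {net.num_addresses} addresses; narrow it")
    return issues


def is_restricted(config_xml: str) -> bool:
    """True when the management allow-list produced no findings."""
    return not audit_permitted_ip(config_xml)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("overbroad", OVERBROAD_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(label, audit_permitted_ip(cfg) or "ok")
```

The export can be taken from the CLI or the XML API. Two caveats: the permitted-ip list governs only the dedicated management interface, so if the web UI is also enabled on a data-plane interface through an interface management profile, that profile's own allow-list needs a separate check that this example does not perform; and an allow-list limits who can reach the login page but does not patch the flaw behind it, so it complements the PAN-OS update rather than replacing it.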
UNC5325’s tactics match those seen in other China-linked campaigns, such as those attributed to UNC3886 and UNC4841, which likewise focus on exploiting edge devices. These incidents underline the need for timely patching, network segmentation, and continuous monitoring of critical systems, and in particular for keeping firewall management interfaces off the internet. As long as widely deployed infrastructure such as Palo Alto firewalls remains a target, closing these vulnerabilities quickly is essential to prevent further breaches.