RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit

May 31, 2024, 2:03 p.m.

Description

Threat actors behind the RedTail cryptomining malware, initially reported in early 2024, have incorporated the recent Palo Alto PAN-OS CVE-2024-3400 vulnerability into their toolkit. The malware spreads by using at least six different web exploits, targeting Internet of Things (IoT) devices (such as TP-Link routers), web applications (including the China-origin content management system ThinkPHP), SSL-VPNs, and security devices like Ivanti Connect Secure and Palo Alto GlobalProtect.

External References

https://www.akamai.com/blog/security-research/2024/may/2024-redtail-cryptominer-pan-os-cve-exploit
https://otx.alienvault.com/pulse/6659d37c3ff8eac1818062b6
Tags
cryptominer
2024-05-31
ssl-vpns

Date

  • Created: May 31, 2024, 1:41 p.m.
  • Published: May 31, 2024, 1:41 p.m.
  • Modified: May 31, 2024, 2:03 p.m.

Indicators

  • 94.74.75.19
  • 78.153.140.51
  • 94.156.79.129
  • 68.170.165.36
  • 34.127.194.11
  • 185.216.70.138
  • 94.156.79.60
  • 193.222.96.163
  • 79.110.62.25
  • proxies.identitynetwork.top
Download all indicators here!

Attack Patterns

  • RedTail
  • Trojan:Win64/XMRigMiner

Linked vulnerabilities

CVE-2023-46805

None
Published:

CVE-2024-21887

None
Published:

CVE-2024-3400

None
Published: