Operation MidnightEclipse was a campaign conducted in March and April 2024 that began with the exploitation of the zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Operation MidnightEclipse, threat actors used |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | During Operation MidnightEclipse, threat actors piped output from stdout to bash for execution.[1][2] |
| Enterprise | T1584.003 | Compromise Infrastructure: Virtual Private Server | During Operation MidnightEclipse, threat actors abused Virtual Private Servers to store malicious files.[1] |
| Enterprise | T1584.006 | Compromise Infrastructure: Web Services | During Operation MidnightEclipse, threat actors abused compromised AWS buckets to store files.[1] |
| Enterprise | T1005 | Data from Local System | During Operation MidnightEclipse, threat actors stole saved cookies and login data from targeted systems.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | During Operation MidnightEclipse, threat actors copied files to the web application folder on compromised devices for exfiltration.[2] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Operation MidnightEclipse, threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | During Operation MidnightEclipse, threat actors downloaded additional payloads onto compromised devices.[1][2] |
| Enterprise | T1559 | Inter-Process Communication | During Operation MidnightEclipse, threat actors wrote output to stdout and then piped it to bash for execution.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel (GOST) reverse proxy tool.[1] |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | During Operation MidnightEclipse, threat actors obtained Active Directory credentials via the NTDS.DIT file.[1] |
| Enterprise | T1090 | Proxy | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel (GOST) reverse proxy tool.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | During Operation MidnightEclipse, threat actors used SMB to pivot internally in victim networks.[1] |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | During Operation MidnightEclipse, threat actors used WinRM to move laterally in targeted networks.[1] |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | During Operation MidnightEclipse, threat actors configured cron jobs to retrieve payloads from actor-controlled infrastructure.[1][2] |
| Enterprise | T1078 | Valid Accounts | During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During Operation MidnightEclipse, threat actors used a compromised domain admin account to move laterally.[1] |
| ID | Name | Description |
|---|---|---|
| S1164 | UPSTYLE | During Operation MidnightEclipse, threat actors made multiple attempts to install UPSTYLE.[1][2] |