The crypto-mining malware RedTail has recently added a security vulnerability in Palo Alto Networks firewalls to its arsenal, according to a technical report shared by web infrastructure and security company Akamai. The vulnerability in PAN-OS, tracked as CVE-2024-3400 with a CVSS score of 10.0, allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall; it has since been patched.

RedTail has not only integrated this new vulnerability into its repertoire but has also updated its malware with advanced anti-analysis techniques. Akamai researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik highlighted that the attackers have taken a step forward by employing private crypto-mining pools, which gives them greater control over mining results despite higher operational and financial costs.

The observed infection sequence begins with the exploitation of the PAN-OS vulnerability, followed by the execution of commands that retrieve and run a bash shell script from an external domain; that script is responsible for downloading the RedTail payload matching the victim's CPU architecture.

In addition to the PAN-OS vulnerability, RedTail spreads by exploiting other known security flaws in various devices and software, such as:
- TP-Link routers (CVE-2023-1389)
- ThinkPHP (CVE-2018-20062)
- Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887)
- VMware Workspace ONE Access and Identity Manager (CVE-2022-22954)
RedTail was first documented in January 2024 by researcher Patryk Machia, in a campaign that exploited the Log4Shell vulnerability (CVE-2021-44228) to deploy malware on Unix systems.
In March 2024, Barracuda Networks revealed details of cyberattacks that exploited vulnerabilities in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install variants of the Mirai botnet, as well as flaws in ThinkPHP to deploy RedTail.
The latest version of the malware, detected in April, includes significant updates, such as an encrypted mining configuration used to launch the built-in XMRig miner. One notable change is the absence of a cryptocurrency wallet, suggesting that the threat actors may have switched to a private mining pool or a pool proxy for financial gain. “The configuration also shows that the threat actors are trying to optimize the mining operation as much as possible, indicating a deep understanding of crypto-mining,” the researchers noted. Unlike the earlier RedTail variant reported in early 2024, this malware employs advanced evasion and persistence techniques: it forks itself multiple times to hinder debugging of its process, and it kills any instances of the GNU Debugger (GDB) it finds.