
C0048 Operation MidnightEclipse

Operation MidnightEclipse was a campaign conducted in March and April 2024 that began with the exploitation of the zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.[2][1]

| Item | Value |
|---|---|
| ID | C0048 |
| Associated Names | |
| First Seen | March 2024 |
| Last Seen | April 2024 |
| Version | 1.0 |
| Created | 15 January 2025 |
| Last Modified | 15 January 2025 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | During Operation MidnightEclipse, threat actors used wget via HTTP to retrieve payloads.[2][1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | During Operation MidnightEclipse, threat actors piped output from stdout to bash for execution.[2][1] |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.003 | Virtual Private Server | During Operation MidnightEclipse, threat actors abused Virtual Private Servers to store malicious files.[2] |
| enterprise | T1584.006 | Web Services | During Operation MidnightEclipse, threat actors abused compromised AWS buckets to store files.[2] |
| enterprise | T1005 | Data from Local System | During Operation MidnightEclipse, threat actors stole saved cookies and login data from targeted systems.[2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | During Operation MidnightEclipse, threat actors copied files to the web application folder on compromised devices for exfiltration.[1] |
| enterprise | T1190 | Exploit Public-Facing Application | During Operation MidnightEclipse, threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect.[2][1] |
| enterprise | T1105 | Ingress Tool Transfer | During Operation MidnightEclipse, threat actors downloaded additional payloads on compromised devices.[2][1] |
| enterprise | T1559 | Inter-Process Communication | During Operation MidnightEclipse, threat actors wrote output to stdout then piped it to bash for execution.[2] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel (GOST) reverse proxy tool.[2] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.003 | NTDS | During Operation MidnightEclipse, threat actors obtained Active Directory credentials via the NTDS.DIT file.[2] |
| enterprise | T1090 | Proxy | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel reverse proxy tool.[2] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | During Operation MidnightEclipse, threat actors used SMB to pivot internally in victim networks.[2] |
| enterprise | T1021.006 | Windows Remote Management | During Operation MidnightEclipse, threat actors used WinRM to move laterally in targeted networks.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | During Operation MidnightEclipse, threat actors configured cron jobs to retrieve payloads from actor-controlled infrastructure.[2][1] |
| enterprise | T1078 | Valid Accounts | During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks.[2] |
| enterprise | T1078.002 | Domain Accounts | During Operation MidnightEclipse, threat actors used a compromised domain admin account to move laterally.[2] |

Software

| ID | Name | Description |
|---|---|---|
| S1164 | UPSTYLE | During Operation MidnightEclipse, threat actors made multiple attempts to install UPSTYLE.[2][1] |

References