CVE-2024-9474 Exploited: LITTLELAMB.WOOLTEA Backdoor Discovered in Palo Alto Devices
Northwave Cyber Security has identified a sophisticated backdoor, LITTLELAMB.WOOLTEA, targeting Palo Alto Networks firewalls.
The backdoor was uncovered during a forensic investigation into a compromised Palo Alto Networks device. Attackers exploited CVE-2024-9474, a vulnerability publicly disclosed just before the attack. Using this entry point, the threat actor deployed a malicious script named bwmupdate, which installed the backdoor. Northwave notes, “This backdoor is then executed using execve(), which fully replaces any running legitimate logd process with the malicious one.”
LITTLELAMB.WOOLTEA is built for stealth. It masquerades as the legitimate logd service and persists by modifying the rc.local file and altering the configuration of RPM, the system's package manager, so that it survives system upgrades.
Additionally, the backdoor injects a dynamic library into the nginx process and hooks the accept() function. A client that opens its connection with a 48-byte “magic knock” is handed to the backdoor, so covert communication rides on ports nginx already has open rather than on a new listening socket. Nothing new appears in a port scan or in the device's listening sockets, which makes the implant considerably harder to spot.
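A library injected into nginx has to be mapped into the worker's address space, and that mapping is visible in /proc/&lt;pid&gt;/maps. The script below is an added example for hunting that artifact, written for this page rather than taken from Northwave's report or from any Palo Alto Networks tooling: it parses a maps file and flags shared objects that live outside the usual system library directories or that have been unlinked from disk after loading. The sample maps content, the file paths in it and the list of trusted library directories are all constructed assumptions for the example.

```python
import re
import sys
from typing import List, Tuple

# Constructed /proc/<pid>/maps excerpt for an nginx worker. Sample data written
# for this example, not output from a real device. The /var/tmp and /tmp entries
# stand in for a library injected from outside the system library directories.
SAMPLE_MAPS = """\
5581b4e00000-5581b4f20000 r-xp 00000000 08:01 1310      /usr/sbin/nginx
5581b4f20000-5581b4f40000 rw-p 00120000 08:01 1310      /usr/sbin/nginx
7f2a1c000000-7f2a1c1c0000 r-xp 00000000 08:01 2021      /usr/lib64/libc-2.17.so
7f2a1c1c0000-7f2a1c1c4000 rw-p 001c0000 08:01 2021      /usr/lib64/libc-2.17.so
7f2a1c3c0000-7f2a1c3e0000 r-xp 00000000 08:01 2040      /usr/lib64/libpthread-2.17.so
7f2a1c600000-7f2a1c620000 r-xp 00000000 08:01 9001      /var/tmp/libhook.so
7f2a1c800000-7f2a1c810000 r-xp 00000000 08:01 9002      /tmp/.x/libinj.so (deleted)
7ffd6e400000-7ffd6e421000 rw-p 00000000 00:00 0         [stack]
7ffd6e4f0000-7ffd6e4f2000 r-xp 00000000 00:00 0         [vdso]
"""

# Assumed set of directories a legitimate shared object should come from.
# Tune this to the appliance you are examining; it is an assumption here.
TRUSTED_LIB_DIRS: Tuple[str, ...] = (
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/",
)

# address range, perms, offset, dev, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def mapped_files(maps_text: str) -> List[str]:
    """Distinct file paths backing mappings, in first-seen order.
    Anonymous mappings (empty path) and pseudo-mappings such as [stack] are skipped."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path or path.startswith("["):
            continue
        if path not in seen:
            seen.append(path)
    return seen


def is_shared_object(path: str) -> bool:
    """True for names like libfoo.so, libfoo.so.6 or libc-2.17.so, with or without
    the ' (deleted)' suffix the kernel appends once the file has been unlinked."""
    name = path.replace(" (deleted)", "").rsplit("/", 1)[-1]
    return re.search(r"\.so(\.|$)", name) is not None


def suspicious_libraries(maps_text: str,
                         trusted_dirs: Tuple[str, ...] = TRUSTED_LIB_DIRS) -> List[str]:
    """Shared objects mapped into the process that either live outside the trusted
    library directories or have been deleted from disk after being loaded. Both
    are typical of a library dropped by an injector rather than shipped with nginx."""
    flagged: List[str] = []
    for path in mapped_files(maps_text):
        if not is_shared_object(path):
            continue  # the main executable and plain data files are out of scope
        deleted = path.endswith(" (deleted)")
        clean = path[: -len(" (deleted)")] if deleted else path
        if deleted or not clean.startswith(trusted_dirs):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    # With PIDs on the command line, inspect live processes (e.g. pgrep nginx);
    # with no arguments, run against the constructed sample above.
    if len(sys.argv) > 1:
        for pid in sys.argv[1:]:
            with open(f"/proc/{pid}/maps") as fh:
                for p in suspicious_libraries(fh.read()):
                    print(f"pid {pid}: unexpected shared object {p}")
    else:
        for p in suspicious_libraries(SAMPLE_MAPS):
            print("unexpected shared object:", p)
```

Run it against every nginx worker, not only the master, since the injected hook needs to sit in whichever process calls accept(). The check only catches file-backed injections: a library placed in a trusted directory, or code written directly into the process without a backing file, will not be flagged, so treat a clean result as one data point alongside the rc.local and package-manager checks rather than as proof of a clean device.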
The backdoor’s functionalities include:
- Reading and writing files on the target system.
- Providing shell access for remote command execution.
- Establishing single or multi-port network tunnels, enabling secure communication channels with other compromised nodes.
- Setting up a SOCKS5 proxy for covert data transfer.
Northwave explains, “The backdoor supports running commands in a shell. Output from stdout or stderr is forwarded to the user…” giving the operator full interactive control over the compromised device.
The backdoor's communication protocol is versatile. It distinguishes operator connections from inter-node traffic by unique identifiers, which lets infected devices be chained into a hierarchy for command and control across a network of compromised nodes.
While attribution remains unconfirmed, the sophistication of LITTLELAMB.WOOLTEA points to a nation-state actor. Northwave notes, “A suspected nation state threat actor gained entry to a Palo Alto network device through CVE-2024-9474, shortly after details of the vulnerability were made public.”