Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices
ID: 65bf0bf0-06ae-55f7-850d-2a28edb6c48f
STIX ID: report--65bf0bf0-06ae-55f7-850d-2a28edb6c48f
Feed Name: Volexity Blog
Volexity reports its discovery and investigation of active exploitation of CVE-2024-3400 in Palo Alto Networks GlobalProtect. Exploitation was first observed from a China-linked actor Volexity tracks as UTA0218, and later from other actors once proof-of-concept code was published. The post details log- and memory-based detection methods, example malicious log entries and artifacts (including binaries such as /tmp/vpn_prot and cron-based persistence), network monitoring guidance, and remediation recommendations such as applying patches and Threat Prevention signatures.
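The summary names two host artifacts, the /tmp/vpn_prot binary and cron-based persistence. The following is an added example, not code from the Volexity post, of how a responder might sweep crontabs and syslog text for those artifacts. The crontab and syslog lines are constructed sample data, not entries from the post, and the "cron job running from a temp directory" heuristic is a generic assumption of this example rather than something the page states.

```python
"""Added detection example: sweep crontab and syslog text for the artifacts
named in the post summary. Sample data and log formats are constructed."""
import re
from dataclasses import dataclass

# Artifact path named on the page; extend with other confirmed IOCs.
KNOWN_ARTIFACT_PATHS = ("/tmp/vpn_prot",)

# World-writable staging directories. A cron job that executes from one of
# these is a generic persistence heuristic (assumption, not from the post).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# A crontab entry is either an @-alias or five schedule fields, then a command.
CRON_ENTRY = re.compile(r"^(?:@\w+|(?:\S+\s+){5})\s*(?P<cmd>\S.*)$")


@dataclass
class Finding:
    source: str
    line_no: int
    reason: str
    text: str


def _known_artifact(text):
    """Return the first known artifact path mentioned in text, else None."""
    return next((p for p in KNOWN_ARTIFACT_PATHS if p in text), None)


def scan_crontab(source, text):
    """Flag cron entries that run a known artifact or execute from a temp dir."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_ENTRY.match(line)
        if not m:
            continue  # environment assignments (PATH=...) and malformed lines
        cmd = m.group("cmd")
        hit = _known_artifact(cmd)
        if hit:
            findings.append(Finding(source, n, f"cron runs known artifact {hit}", line))
        elif any(d in cmd for d in TEMP_DIRS):
            findings.append(Finding(source, n, "cron runs command from temp dir", line))
    return findings


def scan_log(source, text):
    """Flag any log line that mentions a known artifact path."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        hit = _known_artifact(raw)
        if hit:
            findings.append(Finding(source, n, f"log mentions known artifact {hit}", raw.strip()))
    return findings


# Constructed sample root crontab (not from the post).
CRONTAB_SAMPLE = """\
# constructed sample crontab
PATH=/usr/bin:/bin
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /tmp/vpn_prot >/dev/null 2>&1
@reboot /var/tmp/.cache/run.sh
"""

# Constructed sample syslog excerpt (not from the post).
LOG_SAMPLE = """\
Apr 10 12:00:01 host CRON[1201]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
Apr 10 12:01:01 host CRON[1202]: (root) CMD (/tmp/vpn_prot)
Apr 10 12:02:13 host sshd[1300]: Accepted publickey for admin from 10.0.0.5
"""


def run_samples():
    """Sweep both constructed samples and return all findings."""
    return scan_crontab("crontab", CRONTAB_SAMPLE) + scan_log("syslog", LOG_SAMPLE)


if __name__ == "__main__":
    for f in run_samples():
        print(f"{f.source}:{f.line_no}: {f.reason}: {f.text}")
```

On a real device the crontab text would come from the spool directory and the log text from the exported system logs; the scanner only reads strings, so it can run offline on a forensic copy.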
