Posted 4/13/2024, 12:35:15 PM
Hackers Exploit Firewall Flaw to Steal Data
- Suspected state-sponsored hackers have been exploiting a zero-day in Palo Alto firewalls since March to install a backdoor named "Upstyle"
- The backdoor parses the firewall's own logs for encoded commands, executes them, and writes the output to a CSS file
- Used to pivot into the internal network and steal the Windows AD database and browser files containing saved credentials
- Custom payloads were also used for reverse shells, exfiltrating data, and removing logs
- Volexity provides methods to detect compromise by examining tech support files or monitoring for suspicious activity