As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.
"These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the moniker UNC5221.
The attacks leverage an exploit chain comprising an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over susceptible instances.
Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.
According to Ivanti, the intrusions impacted less than 10 customers, indicating that this could be a highly targeted campaign. Patches for the two vulnerabilities (informally called ConnectAround) are expected to become available in the week of January 22.
Mandiant's analysis of the attacks has revealed the presence of five different custom malware families, alongside the injection of malicious code into legitimate files within ICS and the use of other legitimate tools like BusyBox and PySoxy to facilitate subsequent activity.
"Due to certain sections of the device being read-only, UNC5221 leveraged a Perl script (sessionserver.pl) to remount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling," the company said.
LIGHTWIRE is one of the two web shells, the other being WIREFIRE (aka GIFTEDVISITOR), which are "lightweight footholds" designed to ensure persistent remote access to compromised devices. While LIGHTWIRE is written in Perl CGI, WIREFIRE is implemented in Python.
Also used in the attacks are a JavaScript-based credential stealer dubbed WARPWIRE and a passive backdoor named ZIPLINE that's capable of downloading/uploading files, establishing a reverse shell, creating a proxy server, and setting up a tunneling server to dispatch traffic between multiple endpoints.
"This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released," Mandiant further added.
UNC5221 has not been linked to any previously known group or a particular country, although the targeting of edge infrastructure by weaponizing zero-day flaws and the use of compromised command-and-control (C2) infrastructure to evade detection bear all the hallmarks of an advanced persistent threat (APT).
"UNC5221's activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors," Mandiant said.
Ivanti has updated its advisory to state that it's "aware of less than 20 customers impacted by the vulnerabilities," up from "less than 10" when it was published on January 10, 2024. This suggests that the number is likely to grow as more companies run the integrity checker tool to scan their devices for indicators of compromise.
On January 15, 2024, Volexity revealed that the attacks exploiting the two zero-days in ICS VPN appliances have gone global, infecting more than 1,700 devices worldwide.
Targets include government and military departments, telecom companies, defense contractors, technology firms, banking and financial services, consulting entities, and aerospace, aviation, and engineering organizations.
"Additional threat actors beyond UTA0178 appear to now have access to the exploit and are actively trying to exploit devices," the company said, adding that some of the newly found compromised devices have been backdoored with a different version of the WIREFIRE web shell.
This also includes suspected exploitation attempts from another threat actor that it tracks as UTA0188.
Ivanti confirmed in a new advisory on January 16, 2024, that its own findings are "consistent" with Volexity's latest observations and that the mass exploitation appears to have commenced around January 11, a day after the company publicly disclosed the vulnerabilities.