At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances.
UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as attempted to maintain persistent access to compromised appliances, Mandiant said.
The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter.
It's worth pointing out that UNC3886 has a track record of leveraging zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants like VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP.
"UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the U.S. and [Asia-Pacific] regions," Mandiant researchers said.
The active exploitation of CVE-2024-21893 (a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA) by UNC5325 is said to have occurred as early as January 19, 2024, targeting a limited number of devices.
The attack chain entails combining CVE-2024-21893 with a previously disclosed command injection vulnerability tracked as CVE-2024-21887 to gain unauthorized access to susceptible appliances, ultimately leading to the deployment of a new version of BUSHWALK.
Some instances have also involved the misuse of legitimate Ivanti components, such as SparkGateway plugins, to drop additional payloads. This includes the PITFUEL plugin to load a malicious shared object codenamed LITTLELAMB.WOOLTEA, which comes with capabilities to persist across system upgrade events, patches, and factory resets.
"While the limited attempts observed to maintain persistence have not been successful to date due to a lack of logic in the malware's code to account for an encryption key mismatch, it further demonstrates the lengths UNC5325 will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches," the company pointed out.
LITTLELAMB.WOOLTEA further acts as a backdoor that supports command execution, file management, shell creation, SOCKS proxying, and network traffic tunneling.
Also observed is another malicious SparkGateway plugin dubbed PITDOG that injects a shared object known as PITHOOK in order to persistently execute an implant referred to as PITSTOP that's designed for shell command execution, file write, and file read on the compromised appliance.
Mandiant described the threat actor as having demonstrated a "nuanced understanding of the appliance and their ability to subvert detection throughout this campaign" and using living-off-the-land (LotL) techniques to fly under the radar.
The cybersecurity firm said it expects "UNC5325 as well as other China-nexus espionage actors to continue to leverage zero-day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments."
The disclosure comes as industrial cybersecurity company Dragos attributed China-sponsored Volt Typhoon (aka Voltzite) to reconnaissance and enumeration activities aimed at multiple U.S.-based electric companies, emergency services, telecommunication providers, defense industrial bases, and satellite services.
"Voltzite's actions towards U.S. electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerabilities within the country's critical infrastructure that can be exploited in the future with destructive or disruptive cyber attacks," it said.
Volt Typhoon's victimology footprint has since expanded to include African electric transmission and distribution providers, with evidence connecting the adversary to UTA0178, a threat activity group linked to the zero-day exploitation of Ivanti Connect Secure flaws in early December 2023.
The cyber espionage actor, which relies heavily on LotL methods to sidestep detection, joins two other groups that came to light in 2023, Gananite and Laurionite, in conducting long-term reconnaissance and intellectual property theft operations against critical infrastructure and government entities.
"Voltzite uses very minimal tooling and prefers to conduct their operations with as little a footprint as possible," Dragos explained. "Voltzite heavily focuses on detection evasion and long-term persistent access with the assessed intent of long-term espionage and data exfiltration."
(The story has been updated after publication to emphasize that the attempts to achieve persistence on the VPN appliances were unsuccessful.)