Suspected Chinese state-sponsored hackers leveraging Ivanti Connect Secure VPN flaws to breach a variety of organizations have demonstrated “a nuanced understanding of the appliance”, according to Mandiant incident responders and threat hunters.
They were able to perform a number of modifications on the device and deploy specialized malware and plugins aimed at achieving persistence across system upgrades, patches, and factory resets.
“While the limited attempts observed to maintain persistence have not been successful to date due to a lack of logic in the malware’s code to account for an encryption key mismatch, it further demonstrates the lengths UNC5325 [one of the threat groups] will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches,” Mandiant’s specialists noted.
Specially crafted malware and plugins
Mandiant’s security pros have said that they believe two separate (but likely connected) threat groups – UNC5325 and UNC3886 – are behind some of the recent attacks that started with the exploitation of several Ivanti Connect Secure flaws. They assess that both groups are Chinese cyber espionage operators.
The most interesting thing about the attacks is not the exploitation of previously unknown (i.e., zero-day) vulnerabilities and the bypassing of mitigations employed to fix them, but the specialized knowledge leveraged by the attackers to achieve persistence on targeted devices despite enterprise defenders’ efforts.
According to the researchers, UNC5325 has been using living-off-the-land (LotL) techniques to evade detection and has attempted to use novel malware (LITTLELAMB.WOOLTEA) and backdoors to make its foothold on the device permanent.
The attackers used publicly available services (e.g., Interactsh) to detect vulnerable devices and deployed reverse shells and web shells on them.
“We identified a technique allowing BUSHWALK [a web shell] to remain in an undetected dormant state by creatively modifying a Perl module and LotL technique by using built-in system utilities unique to Ivanti products,” they shared.
An encrypted version of BUSHWALK “remains dormant in a dynamic directory and therefore is not scanned by the integrity checker tool,” they found. (On Tuesday, Ivanti also released an enhanced external integrity checker tool that provides customers a decrypted snapshot of their appliance.)
In some cases, after exploiting CVE-2024-21893, the attackers used plugins for SparkGateway – a legitimate component of the Ivanti Connect Secure appliance – to modify its configuration file, inject shared objects and re-deploy backdoors after system upgrade events, patches, and factory resets.
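To make the blind spot described in the two paragraphs above concrete, here is an added illustration written for this article; it is toy code, not Ivanti’s Integrity Checker Tool and not anything from Mandiant’s report. It builds a manifest-based file integrity check that, like many appliance checkers, skips a “dynamic” directory, then runs it against a constructed appliance tree in which a file has been dropped into that skipped directory and a plugin configuration file has been edited. The directory and file names (lib/, conf/plugin.conf, runtime/cache.bin) and their contents are made up for the example and do not correspond to real Ivanti paths.

```python
"""Toy manifest-based integrity check, written to illustrate why excluding
'dynamic' directories from a scan creates a blind spot. Not Ivanti's ICT.
All paths and file contents here are constructed for the example."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, exclude: set) -> dict:
    """Baseline: relative POSIX path -> digest for every regular file whose
    top-level directory is not in `exclude` (the 'dynamic' directories)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if rel.parts[0] in exclude:
            continue
        manifest[rel.as_posix()] = sha256_file(p)
    return manifest


def check(root: Path, manifest: dict, report_unknown: bool) -> list:
    """Verify every manifest entry. With report_unknown=True, also walk the
    whole tree and flag files the baseline never recorded, which is the
    only way a dropped artifact in an unscanned directory gets surfaced."""
    findings = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.exists():
            findings.append(("missing", rel))
        elif sha256_file(p) != digest:
            findings.append(("modified", rel))
    if report_unknown:
        for p in sorted(root.rglob("*")):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and rel not in manifest:
                findings.append(("unknown", rel))
    return findings


def demo() -> tuple:
    """Build a constructed appliance tree, baseline it, simulate the intrusion,
    and return (findings of the manifest-only check, findings of the full check)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("lib", "conf", "runtime"):
            (root / d).mkdir()
        (root / "lib" / "Module.pm").write_text("package Module; 1;\n")
        (root / "conf" / "plugin.conf").write_text("plugins=\n")
        (root / "runtime" / "session.tmp").write_text("transient state\n")

        # Baseline taken while the box is clean. The 'naive' manifest skips
        # runtime/ as a dynamic directory; the 'full' one records everything.
        naive_manifest = build_manifest(root, exclude={"runtime"})
        full_manifest = build_manifest(root, exclude=set())

        # Simulated intrusion: a dormant payload parked in the unscanned
        # directory, and a plugin config edited to load code from there.
        (root / "runtime" / "cache.bin").write_bytes(b"\x00\x17constructed-opaque-blob")
        (root / "conf" / "plugin.conf").write_text("plugins=/runtime/loader.so\n")

        naive = check(root, naive_manifest, report_unknown=False)
        full = check(root, full_manifest, report_unknown=True)
        return naive, full


if __name__ == "__main__":
    naive, full = demo()
    print("manifest-only check:", naive)
    print("full-tree check:    ", full)
```

The manifest-only pass does catch the edited configuration file, because that file was baselined, but it says nothing about the new file in runtime/: it never looks there. The full pass reports it as an unknown file. The cost of the second approach is noise from legitimately churning directories, and the practical answer is to triage that noise (by file type, age, or the process that wrote it) rather than to blind the scanner to entire paths.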
“The exploitation of the Ivanti zero-days has likely impacted numerous appliances,” the researchers said.
“While much of the activity has been automated, there has been a smaller subset of follow-on activity providing further insights on attacker tactics, techniques, and procedures (TTPs). Mandiant assesses additional actors will likely begin to leverage these vulnerabilities to enable their operations.”
Hackers hitting other enterprise VPN appliances
State-sponsored hacking groups compromising edge devices to gain a foothold in organizations is not news, but it is becoming increasingly obvious that they know the target devices inside out.
Dutch intelligence services reported earlier this month that Chinese state-sponsored hackers had breached the Dutch Ministry of Defense in 2023 and deployed a new remote access trojan specifically built for Fortinet’s FortiGate (firewall with built-in VPN) appliances.
The RAT in question – dubbed Coathanger – is also able to survive reboots and firmware upgrades.