As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.
"These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the moniker UNC5221.
The attacks leverage an exploit chain comprising an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over susceptible instances.
Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.
According to Ivanti, the intrusions impacted less than 10 customers, indicating that this could be a highly-targeted campaign. Patches for the two vulnerabilities (informally called ConnectAround) are expected to become available in the week of January 22.
Mandiant's analysis of the attacks has revealed the presence of five different custom malware families, besides injecting malicious code into legitimate files within ICS and using other legitimate tools like BusyBox and PySoxy to facilitate subsequent activity.
"Due to certain sections of the device being read-only, UNC5221 leveraged a Perl script (sessionserver.pl) to remount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling," the company said.
LIGHTWIRE is one of the two web shells, the other being WIREFIRE (aka GIFTEDVISITOR), which are "lightweight footholds" designed to ensure persistent remote access to compromised devices. While LIGHTWIRE is written in Perl CGI, WIREFIRE is implemented in Python.
Also used in the attacks are a JavaScript-based credential stealer dubbed WARPWIRE and a passive backdoor named ZIPLINE that's capable of downloading/uploading files, establishing a reverse shell, creating a proxy server, and setting up a tunneling server to dispatch traffic between multiple endpoints.
"This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released," Mandiant further added.
UNC5221 has not been linked to any previously known group or a particular country, although the targeting of edge infrastructure by weaponizing zero-day flaws and the use of compromise command-and-control (C2) infrastructure to bypass detection bears all the hallmarks of an advanced persistent threat (APT).
"UNC5221's activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors," Mandiant said.
Update
Ivanti has updated its advisory to state that it's "aware of less than 20 customers impacted by the vulnerabilities," up from "less than 10" when it was published on January 10, 2024. This suggests that the number is likely to grow as more companies run the integrity checker tool to scan their devices for indicators of compromise.
ICS Zero-Days Now Under Widespread Exploitation
On January 15, 2024, Volexity revealed that the attacks exploiting the two zero-days in ICS VPN appliances have gone global, infecting more than 1,700 devices worldwide.
Targets include government and military departments, telecom companies, defense contractors, technology firms, banking and financial services, consulting entities, and aerospace, aviation, and engineering organizations.
“Additional threat actors beyond UTA0178 appear to now have access to the exploit and are actively trying to exploit devices,” the company said, adding some of the newly found compromised devices have been backdoored with a different version of the WIREFIRE web shell.
This also comprises suspected exploitation attempts from another threat actor that it tracks as UTA0188.
Ivanti Confirms Mass Hacks
Ivanti confirmed in a new advisory on January 16, 2024, that its own findings are "consistent" with Volexity's latest observations and that the mass exploitation appears to have commenced around January 11, a day after the company publicly disclosed the vulnerabilities.
