Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices.
This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE.
"CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution," the company said, attributing it to UNC5221, adding it also detected multiple new versions of WARPWIRE, a JavaScript-based credential stealer.
The infection chains entail a successful exploitation of CVE-2023-46805 and CVE-2024-21887, which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges.
The flaws have been abused as zero-days since early December 2023. Germany's Federal Office for Information Security (BSI) said it's aware of "multiple compromised systems" in the country.
BUSHWALK, written in Perl and deployed by circumventing the Ivanti-issued mitigations in highly-targeted attacks, is embedded into a legitimate Connect Secure file named "querymanifest.cgi" and offers the ability to read or write to files to a server.
On the other hand, FRAMESTING is a Python web shell embedded in an Ivanti Connect Secure Python package (located in the following path "/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py") that enables arbitrary command execution.
Mandiant's analysis of the ZIPLINE passive backdoor has also uncovered its use of "extensive functionality to ensure the authentication of its custom protocol used to establish command-and-control (C2)."
Furthermore, the attacks are characterized by the use of open-source utilities like Impacket, CrackMapExec, iodine, and Enum4linux to support post-exploitation activity on Ivanti CS appliances, including network reconnaissance, lateral movement, and data exfiltration within victim environments.
Ivanti has since disclosed two more security flaws, CVE-2024-21888 and CVE-2024-21893, the latter of which has come under active exploitation targeting a "limited number of customers." The company has also released the first round of fixes to address the four vulnerabilities.
UNC5221 is said to target a wide range of industries that are of strategic interest to China, with its infrastructure and tooling overlapping with past intrusions linked to China-based espionage actors.
"Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories," Mandiant said. "UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors."
CISA Issues New Guidance
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued supplemental guidance urging agencies running affected Ivanti to disconnect them from their networks "as soon as possible and no later than 11:59 p.m. on Friday February 2, 2024," and look for signs of compromise before bringing them back live after applying the patches.
Agencies have also been required to "assume domain accounts associated with the affected products have been compromised," taking steps to reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments by March 1, 2024.
