
Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December 2023.
Ivanti disclosed the vulnerabilities in Ivanti Connect Secure (the VPN server appliance previously known as Pulse Connect Secure) and in its Policy Secure gateways. Patches were not available at the time of disclosure: Ivanti hopes to start rolling them out the week of January 22 in a staggered fashion and, in the meantime, urges customers to immediately deploy the published mitigations.
These flaws can be exploited to seize control of an organization's Ivanti network appliances and use them as a foothold to drill into that org's IT environment. The two zero-days are CVE-2023-46805, an authentication bypass bug, and CVE-2024-21887, a command injection vulnerability; chained together, they let an unauthenticated attacker run arbitrary commands on the appliance.
Mandiant says it has identified in-the-wild abuse of the bugs as early as December by a previously unknown suspected espionage team it now tracks as UNC5221.
Mandiant saw that UNC5221 primarily used hijacked end-of-life Cyberoam VPN appliances as C2 servers in its attacks on Ivanti customers. These compromised devices were located in the same countries as the victims, which likely helped the threat actor blend in with normal traffic and evade detection.
The intruders used several malware families to achieve persistence and avoid detection, allowing continued access to victims' networks. This indicates that these are not opportunistic attacks: UNC5221 intended to retain access to a subset of high-priority targets it had compromised even after a patch was inevitably released. The practical consequence is that patching alone does not evict the intruders; appliances that were exposed before mitigation need to be checked for tampering.
Mandiant identified five custom malware families used by UNC5221 after it infiltrates a target via the Ivanti flaws. One is Zipline, a backdoor that receives commands to execute on compromised devices. It also supports file transfers in and out of infected equipment, can provide a proxy server, and can implement a tunneling server.
Thinspool adds malicious webshell code to legitimate files on the appliance, which establishes persistence on compromised networks. It acts as the initial dropper for the Lightwire webshell. Another webshell, Wirefire, is stashed within Connect Secure appliances for remote control of the devices; it supports downloading files and executing arbitrary commands.
Warpwire is a credential harvester that collects usernames and passwords for layer 7 applications in plain text and sends them to a C2 server, giving the snoops credentials to gain further access to victims' services and systems.
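Because Thinspool works by modifying legitimate files rather than only dropping new ones, the check a defender wants is a file-integrity comparison against a known-good manifest of the same build, run from a trusted host. The following is an added example of that check, not code from the article, from Mandiant, or from Ivanti; the directory layout and file names are hypothetical, and the "injected" content is a constructed marker standing in for webshell code.

```python
"""File-integrity check: compare a known-good manifest against a live file tree.

Added example for this article. Paths and contents below are constructed
and hypothetical; they are not real Ivanti appliance paths.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256.

    In practice the manifest must come from a known-good image of the same
    build, not from the appliance being checked, or a tampered file simply
    becomes the new baseline.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def compare(manifest, root):
    """Diff the live tree against the manifest.

    'modified' is the list that catches a dropper appending webshell code to
    a legitimate file; 'added' catches newly dropped files; 'missing' catches
    deletions. All three are sorted for stable output.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo():
    """Run the check on a constructed tree (hypothetical names, not real appliance paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "perl").mkdir()
        (root / "bin").mkdir()
        module = root / "perl" / "Example.pm"
        module.write_text("package Example;\nsub handler { return 1; }\n1;\n")
        (root / "bin" / "tool.sh").write_text("#!/bin/sh\necho ok\n")
        baseline = build_manifest(root)  # known-good snapshot taken before exposure

        # Simulate the post-compromise state: code appended to a legitimate
        # file (what a dropper like Thinspool does) plus a new file dropped
        # alongside it. The appended line is a constructed marker only.
        with module.open("a") as f:
            f.write("# INJECTED: constructed stand-in, not real webshell code\n")
        (root / "perl" / "Dropped.pm").write_text("package Dropped;\n1;\n")

        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats apply when running this for real: an intruder with root on the appliance can alter the tools used to take the snapshot, so hash the exported file system from a separate machine or use the vendor's integrity checker rather than scripts run on the device; and, since the intrusion was designed to survive patching, a clean result after a patch says nothing about files that were modified before the baseline was taken.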
The findings were published by Mandiant's researchers.

