Chinese UNC5221 Exploitation of Ivanti Connect Secure

---

UNC5221 is an advanced and highly sophisticated espionage group believed to have ties to China. This group has demonstrated significant expertise in targeting edge devices and exploiting critical vulnerabilities to infiltrate networks. A recent campaign by UNC5221 revealed their exploitation of Ivanti Connect Secure (ICS), leveraging vulnerabilities such as CVE-2025-22457 to carry out widespread, stealthy attacks.

Understanding CVE-2025-22457

Nature of the Vulnerability:

• CVE-2025-22457 is a stack-based buffer overflow vulnerability that affects Ivanti Connect Secure appliances. The flaw arises when the system improperly handles memory, allowing remote attackers to execute arbitrary code on the device.
• Exploitation of this vulnerability enables attackers to gain unauthenticated remote code execution (RCE) privileges, providing a direct pathway to full control over the appliance.

Affected Products:

• Ivanti Connect Secure: All versions prior to 22.7R2.5 are vulnerable.
• Pulse Connect Secure: Vulnerable versions remain at risk, although they are end-of-life as of December 2024.
• Ivanti Policy Secure and ZTA Gateways running earlier versions are also affected.

Severity:

• Rated critical due to the combination of ease of exploitation and the high level of access granted upon successful compromise.

UNC5221 Exploitation Techniques

UNC5221 employs advanced methods to exploit CVE-2025-22457 and maintain long-term access to compromised systems:

1. Malware Deployment:

• Primary Malware:
• UNC5221 relies on a family of malware known as SPAWN. Key components include:
  • SPAWNANT: Facilitates remote command execution.
  • SPAWNMOLE: Focuses on credential harvesting and lateral movement.
  • SPAWNSNAIL: Specializes in exfiltration of sensitive data.
• Secondary Malware:
• They also deploy tools like TRAILBLAZE (in-memory dropper) and BRUSHFIRE (passive backdoor), ensuring attackers maintain a foothold.

2. Log Manipulation:

• UNC5221 uses utilities like SPAWNSLOTH to tamper with device logs, erasing traces of unauthorized activities. This helps them evade detection during audits.

3. Encrypted C2 Communication:

• By hooking into SSL libraries, the group establishes secure, encrypted channels between the infected appliance and their Command-and-Control (C2) infrastructure. This enables stealthy deployment and execution of payloads.

4. Persistence Mechanisms:

• UNC5221 modifies coreboot images and injects scripts into memory to survive device reboots. Their ability to alter firmware ensures long-term control over the compromised appliance.

UNC5221 Attack Objectives

The group’s primary objective revolves around cyber-espionage, often targeting high-value government and enterprise networks. Their attacks aim to:

Extract Sensitive Data:

• UNC5221 focuses on harvesting intellectual property, government secrets, or financial data from their targets.

Establish Stealthy Access:

• By modifying firmware and logs, they maintain undetectable persistence for extended periods.

Enable Broader Campaigns:

• Exploitation of edge devices often serves as an entry point for wider attacks, allowing lateral movement into internal networks.

Notable UNC5221 Campaigns

Past Exploits:

• UNC5221 has a history of targeting edge devices and leveraging zero-day vulnerabilities. Previous exploits include:
• CVE-2025-0282: Another buffer overflow vulnerability in Ivanti ICS appliances.
• CVE-2023-46805: Authentication bypass vulnerability used for system compromise.
• CVE-2024-21887: Command injection vulnerability exploited for remote access.

Malware Arsenal:

• They deploy versatile malware tools like ZIPLINE, THINSPOOL, and LIGHTWIRE, making their campaigns resilient and adaptable.

Mitigation Strategies

Organizations using Ivanti products must act swiftly to protect their systems from UNC5221’s exploitation campaigns. Below are comprehensive steps to mitigate risks:

1. Update Vulnerable Systems:

• Install the latest software updates to patch CVE-2025-22457. Ivanti Connect Secure appliances should be upgraded to version 22.7R2.6 or higher.

2. Conduct Factory Resets:

• If a device is compromised, perform a factory reset using a clean image. Ensure all firmware and software components are replaced with trusted versions.

3. Utilize Detection Tools:

• Ivanti provides tools like the Integrity Checker Tool (ICT), which can help identify signs of compromise and unauthorized changes on appliances.

4. Implement Network Segmentation:

• Isolate edge devices, such as VPN appliances, from other critical systems to prevent lateral movement and escalation.

5. Log Auditing and Monitoring:

• Regularly review system logs for suspicious activity. Focus on detecting:
• Unauthorized remote access.
• Unexpected firmware modifications.

6. Strengthen Access Controls:

• Disable unused features and enforce multi-factor authentication (MFA) for all administrative accounts.

Final Thoughts

UNC5221 represents a growing threat in the realm of cyber-espionage, particularly through their exploitation of vulnerabilities in critical edge devices like Ivanti Connect Secure appliances. By deploying highly sophisticated malware and leveraging vulnerabilities like CVE-2025-22457, they maintain persistence, steal sensitive data, and carry out stealthy attacks.

Organizations must prioritize patching, monitoring, and securing all edge devices to mitigate risks associated with such advanced threat actors.