Pierluigi Paganini February 01, 2024

Mandiant spotted new malware used by a China-linked threat actor UNC5221 targeting Ivanti Connect Secure VPN and Policy Secure devices.

Mandiant researchers discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices.

The attackers were observed exploiting CVE-2023-46805 and CVE-2024-21887 to execute arbitrary commands on the unpatched Ivanti devices.

The cybersecurity firm reported that threat actors are employing the malware in post-exploitation activity, likely performed through automated methods.

Mandiant recently observed a mitigation bypass technique used to deploy a custom web shell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024.

Mandiant speculates that mitigation bypass activity is highly targeted, restricted, and differs from the mass exploitation activity observed after the disclosure of the Ivanti flaws.

Other malware employed in the attack is a new variant of the LIGHTWIRE web shell, the Python web shell backdoor CHAINLINE and FRAMESTING web shell.

Mandiant also completed the analysis of another malware family employed in the attacks, the ZIPLINE passive backdoor. The backdoor allows operators to support the authentication of its custom protocol used to establish C2.

Mandiant also reported that threat actors employed several open-source tools to facilitate post-exploitation activities on Ivanti CS appliances. The tools were used to perform internal network reconnaissance, lateral movement, and data exfiltration within a restricted number of victim environments.

Some of the open-source utilities used by the threat actors, include Impacket, CrackMapExec, iodine, and Enum4linux.

“Additionally, Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories. As noted in our previous blog post, UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors.” concludes Mandiant.

Ivanti also warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti)