APT Group Targets Ivanti Flaws

Researchers have discovered evidence of an unidentified APT group exploiting the recently disclosed Ivanti vulnerabilities to install malware, webshells, and other malicious tools, and say the activity began well before the bugs were publicly known.

The two vulnerabilities (CVE-2023-46805 and CVE-2024-21887) affect all supported versions of the company’s Connect Secure and Pulse Secure gateway appliances. Ivanti released an advisory on Jan. 10 detailing them and said that it was aware of active exploitation against fewer than 20 of its customers. Other research teams have also seen exploitation of the flaws, including Volexity, which published details of attacks in which threat actors chained the two vulnerabilities together to gain remote code execution and then modified files on compromised devices to ensure remote access and keylogging.

On Thursday, Mandiant researchers said that they had seen exploitation of the Ivanti vulnerabilities in December by a threat actor they are calling UNC5221. The attackers have used five distinct malicious tools in these operations, including a dropper called THINSPOOL that is used to install other tools on compromised systems.

“Mandiant has determined that THINSPOOL acts as a key tool for both persistence and detection evasion, in addition to being the initial dropper for the LIGHTWIRE web shell used by UNC5221 for post-exploitation activity. The LIGHTWIRE and WIREFIRE web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances,” the Mandiant analysis says.

“This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released.”

Ivanti is planning to begin releasing patches on a staggered basis, starting the week of Jan. 22 and ending the week of Feb. 19. In the meantime, the company has released a mitigation file for affected customers.

On the attack front, Mandiant said that UNC5221 is also using a credential-stealing tool called WARPWIRE and a backdoor known as ZIPLINE in its attacks. ZIPLINE is designed to intercept network traffic in certain cases and then execute the attackers’ commands. WARPWIRE steals specific credentials from compromised Ivanti systems.

“WARPWIRE is a credential harvester written in JavaScript that is embedded into a legitimate Connect Secure file. WARPWIRE targets plaintext passwords and usernames which are submitted via an HTTP GET request to a command and control (C2) server. WARPWIRE captures credentials submitted during the web logon to access layer 7 applications, like RDP,” Mandiant said.
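The behaviour Mandiant describes, credentials leaving the appliance inside the query string of an HTTP GET, is something a defender can hunt for in egress or proxy logs. The following is an added example written for this article, not code from Mandiant or from the article; it assumes a simple constructed log format (timestamp, client, method, URL, status), a constructed set of credential-like parameter names, and a hypothetical allowlist of hosts the appliance is expected to contact. The sample log lines are constructed, not real traffic, and carry no indicators from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines (not real traffic). Two lines carry
# credential-like query parameters in a GET request to a non-allowlisted host.
SAMPLE_LOG = """\
2024-01-12T10:01:03Z 10.0.0.5 GET https://vpn.example.internal/dana-na/auth/url_default/welcome.cgi 200
2024-01-12T10:01:09Z 10.0.0.5 GET https://203.0.113.7/api/v1?user=jdoe&pass=Winter2024! 200
2024-01-12T10:02:41Z 10.0.0.9 POST https://vpn.example.internal/dana-na/auth/login.cgi 302
2024-01-12T10:03:15Z 10.0.0.9 GET https://cdn.example.internal/app.js?v=42 200
2024-01-12T10:04:02Z 10.0.0.12 GET https://example.net/collect?username=asmith&password=hunter2&host=rdp01 200
"""

# Parameter names that should never appear in a GET query string (assumed list).
CREDENTIAL_PARAMS = {"user", "username", "login", "pass", "password", "passwd", "pwd", "token"}

# Hosts the appliance is expected to talk to (hypothetical allowlist for this example).
ALLOWED_HOSTS = {"vpn.example.internal", "cdn.example.internal"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def credential_params(url):
    """Return the sorted credential-like parameter names found in the URL's query string."""
    query = urlsplit(url).query
    names = {name.lower() for name in parse_qs(query, keep_blank_values=True)}
    return sorted(names & CREDENTIAL_PARAMS)


def scan_log(text, allowed_hosts=ALLOWED_HOSTS):
    """Flag GET requests whose query string carries credential-like parameters.

    Each finding records the destination host, the offending parameter names and
    whether the host is on the allowlist, so that traffic to an unexpected host
    can be prioritised during triage.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        params = credential_params(rec["url"])
        if not params:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "host": host,
            "params": params,
            "allowlisted": host in allowed_hosts,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "" if f["allowlisted"] else " [host not allowlisted]"
        print(f"{f['ts']} {f['client']} -> {f['host']} params={f['params']}{flag}")
```

Run against real proxy or appliance access logs, the same logic needs the log format adapted in `LINE_RE`; the point is that plaintext credentials have no business in a GET query string at all, and their presence in a request to a host outside the appliance's normal destinations is worth an immediate look alongside the integrity checks Ivanti provides for the appliance's files.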

Mandiant’s researchers said there was not enough evidence to attribute UNC5221 to any specific region or country, although Volexity said in its analysis that it has reason to believe that the attacks it identified were from a Chinese state-level threat actor.
