Multiple China-linked threat actors have been linked to zero-day exploits of three security vulnerabilities affecting Ivanti devices: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.
Mandiant is tracking these clusters under the names UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the mass exploitation is UNC3886.
The Google Cloud subsidiary said it has also observed financially motivated attackers exploiting CVE-2023-46805 and CVE-2024-21887, potentially attempting to conduct cryptocurrency mining operations.
Mandiant researchers said: “UNC5266 partially overlaps with UNC3569, an espionage campaign with ties to China that was observed to exploit vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator to gain initial access to target environments.”
UNC5266 is tied to post-exploitation activity that deployed the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor called TERRIBLETEA that supports command execution, keylogging, port scanning, file system interaction and screen capture.
Since at least February 2024, UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances and deploying custom malware such as TONERJAM and PHANTOMNET for post-compromise activity –
- PHANTOMNET – A modular backdoor that communicates over TCP using a custom protocol and uses a plugin-based system to download and execute additional payloads
- TONERJAM – A launcher designed to decrypt and execute PHANTOMNET
In addition to using Windows Management Instrumentation (WMI) for reconnaissance, lateral movement, registry manipulation and persistence, UNC5330 also compromises the LDAP bind accounts configured on infected appliances to gain domain administrator access. An appliance's LDAP bind account should never hold more than read access to the directory objects it needs; a bind account that is itself a domain administrator turns a VPN compromise directly into a domain compromise.
Another China-linked espionage cluster is UNC5337, which is said to have breached Ivanti appliances as early as January 2024 using CVE-2023-46805 and CVE-2024 to deliver a custom malware toolset called SPAWN. The toolset consists of four distinct components that, chained together, act as a stealthy and persistent backdoor –
- SPAWNSNAIL – A passive backdoor that listens on localhost and is equipped to start an interactive bash shell and launch SPAWNSLOTH
- SPAWNMOLE – A tunneling utility that routes malicious traffic to a specific host while passing unmodified benign traffic through to the Connect Secure web server
- SPAWNANT – An installer responsible for the persistence of SPAWNMOLE and SPAWNSNAIL, achieved by leveraging coreboot installer functionality
- SPAWNSLOTH – A log tampering program that disables logging and log forwarding to an external syslog server while the SPAWNSNAIL implant is running
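SPAWNSLOTH's value to the attacker is that a collector cannot alert on log lines it never receives. The defensive counterpart is to alert on the absence of an expected stream: if an appliance that normally forwards syslog goes quiet, treat that as a finding. The following is an added example (not Mandiant's, Ivanti's, or any attacker's code) that parses a constructed RFC 3164-style syslog stream from two hypothetical appliances and flags hosts with an unusually long gap between messages or no messages at all in the tail of the window. Hostnames, messages and the 15-minute threshold are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# RFC 3164-style line: "Mon DD HH:MM:SS host message" (the year is not carried in the line).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample stream: two appliances forwarding to one collector.
# Hostnames and messages are made up for this example.
SAMPLE_LOGS = """\
Feb 20 09:00:05 ics-edge-01 web: user alice logged in
Feb 20 09:00:30 ics-edge-02 web: user carol logged in
Feb 20 09:05:10 ics-edge-01 web: user bob logged in
Feb 20 09:10:10 ics-edge-02 system: config saved
Feb 20 09:20:20 ics-edge-02 web: user dave logged in
Feb 20 09:30:00 ics-edge-02 web: user erin logged in
"""


def parse_ts(text, year):
    """Parse a syslog timestamp, supplying the year the line does not carry."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def events_by_host(lines, year=2024):
    """Group message timestamps per forwarding host, sorted ascending."""
    events = {}
    for line in lines.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than crash
        events.setdefault(m["host"], []).append(parse_ts(m["ts"], year))
    for times in events.values():
        times.sort()
    return events


def silent_hosts(lines, window_end, max_gap_minutes=15, year=2024):
    """Return findings as (host, kind, from, until) tuples of ISO strings.

    kind is "gap" when two consecutive messages from a host are further apart
    than max_gap_minutes, and "silent" when the host sent nothing in the last
    max_gap_minutes before window_end. A host that never forwarded anything
    cannot appear here; see expected_hosts_missing for that case.
    """
    end = parse_ts(window_end, year)
    limit = timedelta(minutes=max_gap_minutes)
    findings = []
    for host, times in sorted(events_by_host(lines, year).items()):
        for prev, cur in zip(times, times[1:]):
            if cur - prev > limit:
                findings.append((host, "gap", prev.isoformat(), cur.isoformat()))
        if end - times[-1] > limit:
            findings.append((host, "silent", times[-1].isoformat(), end.isoformat()))
    return findings


def expected_hosts_missing(lines, expected, year=2024):
    """Inventory hosts that sent nothing at all during the window."""
    return sorted(set(expected) - set(events_by_host(lines, year)))


if __name__ == "__main__":
    for finding in silent_hosts(SAMPLE_LOGS, "Feb 20 09:30:00"):
        print(*finding)
    print("never seen:", expected_hosts_missing(
        SAMPLE_LOGS, ["ics-edge-01", "ics-edge-02", "ics-edge-03"]))
```

The threshold has to be tuned per appliance from its normal message rate, and the inventory of expected hosts must come from asset records rather than from the log stream itself, since a host that has been silent since before the window starts is exactly the one this check is meant to catch.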
Mandiant assesses with medium confidence that UNC5337 and UNC5221 are the same threat group, noting that the SPAWN tool is “designed to enable long-term access and avoid detection.”
UNC5221, previously known to deploy web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, has also dropped a Perl-based web shell (called ROOTROT) embedded in a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc”, again exploiting CVE-2023-46805 and CVE-2024-21887.
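Because ROOTROT lives inside a file that is supposed to exist, a listing of the template directory shows nothing unusual; what changes is the file's content, and therefore its hash. The following added example (not Ivanti's Integrity Checker Tool and not Mandiant code) shows the shape of that check: build a manifest of SHA-256 hashes for template files from a clean tree, then diff a later snapshot against it, reporting files that were modified, added or removed. The directory layout, file names and file contents are constructed in a temporary directory for the example; the manifest format is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large templates do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=(".ttc", ".thtml")):
    """Map each template file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def diff_manifests(baseline, current):
    """Classify files as modified, added (absent from baseline) or removed."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Build a baseline from a clean tree, then change it the way the page
    describes: the legitimate file keeps its name, only its content moves."""
    with tempfile.TemporaryDirectory() as tmp:
        tt = Path(tmp, "tmp", "tt")
        tt.mkdir(parents=True)
        target = tt / "setcookie.thtml.ttc"
        # Constructed placeholder content; nothing here is a real template.
        target.write_text("legitimate template content (constructed)\n")
        (tt / "login.thtml.ttc").write_text("another legitimate template (constructed)\n")
        baseline = build_manifest(tmp)  # in practice: taken from a known-good image

        # Tampering: same file name and still a plausible file, different hash.
        # The appended text is a placeholder standing in for injected code.
        with open(target, "a") as fh:
            fh.write("appended block standing in for injected code\n")
        # A file that was never in the clean tree.
        (tt / "cache.thtml.ttc").write_text("file absent from the baseline (constructed)\n")

        return diff_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats a practitioner will want: the baseline must come from a known-good image of the same software version, and the hashing should run from trusted media or against a mounted image rather than as a script on the live appliance, since an implant with root on the appliance can alter the checker or its output.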
Successful deployment of the web shell results in network reconnaissance and lateral movement, which in some cases results in vCenter servers in the victim’s network being compromised via a Golang backdoor called BRICKSTORM.
“BRICKSTORM is a Go backdoor targeting VMware vCenter servers,” Mandiant researchers explained. “It supports the ability to configure itself as a web server, perform file system and directory operations, perform file operations such as upload/download, run shell commands, and perform SOCKS relays.”
The last of the five China-linked groups the report ties to abuse of the Ivanti flaws is UNC5291, which Mandiant said may be related to another hacking group, UNC3236 (also known as Volt Typhoon), mainly because it targets the academic, energy, defense and health sectors.
“Activity for the cluster began in December 2023 with a focus on Citrix Netscaler ADCs, followed by Ivanti Connect Secure appliances once details were announced in mid-January 2024,” the company said.
The findings once again highlight the threats faced by edge devices, with espionage actors tailoring their spying techniques to their targets using a combination of zero-day flaws, open source tools and custom backdoors to evade detection for extended periods of time.