    State actors weaponize Ivanti VPN zero-day vulnerability, deploy 5 malware families

Report | January 12, 2024 | Editorial Department | Vulnerability/Threat Intelligence

Since early December 2023, suspected nation-state actors have been exploiting two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances to deploy as many as five distinct malware families as part of a post-exploitation campaign.

“These families allow threat actors to bypass authentication and provide backdoor access to these devices,” Mandiant said in an analysis released this week. The Google-owned threat intelligence firm is tracking the threat actor as UNC5221.

The attacks chain an authentication bypass flaw (CVE-2023-46805) with a command injection vulnerability (CVE-2024-21887) to take over vulnerable appliances.

Volexity attributes the campaign to a suspected Chinese espionage actor it tracks as UTA0178, and says the two flaws were used to gain initial access, deploy a web shell, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.

According to Ivanti, the intrusions affected fewer than 10 customers, which suggests a highly targeted campaign. Patches for the two vulnerabilities, unofficially known as ConnectAround, are expected to be released the week of January 22, 2024.

Mandiant’s analysis of the attacks revealed five distinct custom malware families, in addition to malicious code injected into legitimate files within ICS and the use of otherwise legitimate tools such as BusyBox and PySoxy to facilitate follow-on activity.

“Since some parts of the device are read-only, UNC5221 uses a Perl script (sessionserver.pl) to remount the file system as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, along with other follow-on tools,” the company said.
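The two behaviours described in that paragraph, a read-only partition remounted read/write and a web shell written into a legitimate file, both leave evidence a defender can check for without any malware signature. The script below is an added example written for this article; it is not Mandiant's tooling or Ivanti's integrity checker. It parses a constructed mount table in /proc/mounts format and flags partitions that are expected to be read-only but now carry the rw option, then compares a directory tree against a trusted SHA-256 baseline to surface modified (backdoored) and newly added (dropped) files. The mount point /data/app, the file names under cgi-bin, and the placeholder "injected" contents are assumptions for illustration, not indicators published for this campaign.

```python
"""Added example (not Mandiant's or Ivanti's tooling): two detection checks
aimed at the tradecraft described above, run against constructed sample data
so the script works offline.

1. A read-only partition that has been remounted read/write shows up in the
   mount table with the 'rw' option; check_mounts() flags such entries.
2. Malicious code injected into legitimate files changes their hashes;
   verify_integrity() compares a directory tree against a baseline manifest.

Mount points, paths and file names below are illustrative assumptions, not
indicators published for this campaign.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample in /proc/mounts format. The /data/app mount point is an
# assumption standing in for any partition that should stay read-only.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /data/app ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
"""

# Mount points a hardened appliance is expected to keep read-only (assumption).
EXPECTED_READ_ONLY = {"/data/app"}


def check_mounts(mounts_text, expected_ro=EXPECTED_READ_ONLY):
    """Return mount points that should be read-only but carry the 'rw' option."""
    remounted = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; /proc/mounts has six fields per entry
        mount_point, options = fields[1], fields[3].split(",")
        if mount_point in expected_ro and "rw" in options:
            remounted.append(mount_point)
    return remounted


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_integrity(root, baseline):
    """Compare the tree under root with a trusted baseline manifest.

    Returns (modified, added, missing): modified files are the signature of
    code injected into legitimate files; added files catch dropped web shells.
    """
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def demo():
    """Stage a constructed web root, take a baseline, then simulate the intrusion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        legit = root / "cgi-bin" / "login.cgi"  # illustrative file name (assumption)
        legit.write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "index.html").write_text("<html></html>\n")
        baseline = build_manifest(root)  # taken while the tree is still trusted

        # Simulated tradecraft: a web shell appended to a legitimate CGI file
        # and a new dropped file (contents are placeholders, not real malware).
        with open(legit, "a") as f:
            f.write("# injected placeholder\n")
        (root / "cgi-bin" / "dropped.cgi").write_text("# placeholder\n")

        findings = verify_integrity(root, baseline)
    return check_mounts(SAMPLE_MOUNTS), findings


if __name__ == "__main__":
    remounted, (modified, added, missing) = demo()
    print("expected read-only partitions now rw:", remounted)
    print("modified:", modified, "added:", added, "missing:", missing)
```

In practice the baseline manifest has to come from a trusted source (a clean image or vendor-supplied hashes) rather than from the appliance being inspected, and the check should run from outside the device or from read-only media, since an attacker with root on the box can alter both the files and the checker.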

LIGHTWIRE is one of two web shells, the other being WIREFIRE; both are “lightweight footholds” designed to maintain persistent remote access to compromised appliances. LIGHTWIRE is written in Perl CGI, while WIREFIRE is implemented in Python.

Also used in the attacks were a JavaScript-based credential stealer called WARPWIRE and a passive backdoor called ZIPLINE, which can download and upload files, create reverse shells, act as a proxy server, and set up a tunneling server to distribute traffic across multiple endpoints.

Mandiant added: “This suggests that these are not opportunistic attacks and that UNC5221 intends to maintain a presence on a subset of high-priority targets that will be compromised after the patch is inevitably released.”

UNC5221 has not been linked to any previously known group or specific country, although its tradecraft has all the hallmarks of an advanced persistent threat (APT): weaponizing zero-day flaws to target edge infrastructure and using compromised command-and-control (C2) infrastructure to evade detection.

“UNC5221’s activity shows that exploiting and living on the network edge remains a viable and attractive target for espionage actors,” Mandiant said.
