Since early December 2023, suspected nation-state actors exploited two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN devices to deploy up to five different malware families as part of a post-exploitation campaign.
“These families allow threat actors to bypass authentication and provide backdoor access to these devices,” Mandiant said in an analysis released this week. Google-owned threat intelligence firm is tracking threat actors in this name UNC5221.
These attacks leverage exploit chains containing an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over vulnerable instances.
Volexity attributes the campaign to a suspected Chinese espionage named UTA0178 and says the two flaws were used to gain initial access, deploy a webshell, backdoor legitimate files, capture credentials and configuration data, and further Enter the victim environment.
According to Ivanti, the intrusion affected fewer than 10 customers, indicating that this may have been a highly targeted campaign. Patches for these two vulnerabilities, unofficially known as ConnectAround, are expected to be released the week of January 22nd.
Mandiant’s analysis of the attacks revealed the presence of five different custom malware families, in addition to injecting malicious code into legitimate files within ICS and using other legitimate tools such as BusyBox and PySoxy to facilitate subsequent activity.
“Since some parts of the device are read-only, UNC5221 uses a Perl script (sessionserver.pl) to remount the file system as read/write and enable the deployment of THINSPOOL, a shell script dropper that converts the web shell LIGHTWIRE writes to legitimate Connect Secure files and other follow-up tools,” the company said.
LIGHTWIRE is one of two web shells, the other being WIREFIRE, which are “lightweight footholds” designed to ensure persistent remote access to infected devices. LIGHTWIRE is written in Perl CGI, while WIREFIRE is implemented in Python.
Also used in the attack was a JavaScript-based credential stealer called WARPWIRE and a passive backdoor called ZIPLINE, which can download/upload files, create reverse shells, create proxy servers, and configure tunnel servers to run across multiple Distribute traffic between endpoints.
Mandiant further added: “This suggests that these are not opportunistic attacks and that UNC5221 intends to maintain a presence on a subset of high-priority targets that will be compromised after the patch is inevitably released.”
UNC5221 has not been linked to any previously known group or specific country, although it has all the hallmarks of advanced persistence by weaponizing zero-day flaws to target edge infrastructure and using compromised command and control (C2) infrastructure to bypass detection. Threats (APT).
“UNC5221’s activity shows that exploiting the network edge and surviving remains a viable and attractive target for espionage actors,” Mandiant said.
