Nation-State Actors Exploit Unpatched Ivanti VPN Vulnerabilities, Deploy Multiple Malware Families

Security researchers have identified a concerning attack campaign targeting Ivanti Connect Secure (ICS) VPN appliances. This campaign, believed to be carried out by nation-state actors, exploits two critical zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) to gain unauthorized access to vulnerable systems.

Exploiting Vulnerabilities for Backdoor Access

The attack leverages an exploit chain combining two vulnerabilities: 

  • CVE-2023-46805: This flaw allows attackers to bypass authentication on affected devices. 
  • CVE-2024-21887: This vulnerability enables attackers to inject malicious code and gain full control of the system. 

By exploiting these vulnerabilities, attackers can effectively create a backdoor into compromised VPN appliances, allowing them to access sensitive information and potentially move laterally within the network. 

Deployment of Multiple Malware Families

Following successful exploitation, the attackers have deployed five different malware families on compromised systems. These malware families are likely used for various malicious purposes, including: 

  • Data exfiltration: Stealing sensitive data from compromised systems. 
  • Lateral movement: Expanding access within the network to other devices. 
  • Persistence: Maintaining long-term access to compromised systems. 

Who is Behind the Attack?

Mandiant, a Google-owned cybersecurity firm, is tracking the threat actor behind this campaign under the moniker UNC5221. While attributing attacks to specific nation-state actors is often complex, the nature of the vulnerabilities exploited and the resources required for such an attack campaign suggest the involvement of actors with significant capabilities. 

The Importance of Patching

The critical takeaway from this incident is the importance of applying security patches promptly. Organizations using Ivanti Connect Secure VPN appliances are strongly advised to patch these vulnerabilities (CVE-2023-46805 and CVE-2024-21887) immediately to mitigate the risk of compromise. Additionally, implementing layered security measures such as network segmentation and endpoint protection can further enhance the organization’s security posture. 

 By staying informed about the latest threats and vulnerabilities and taking proactive steps to patch systems, organizations can significantly reduce their risk of falling victim to similar attacks. 

Initial Access and Escalation:

Researchers from Volexity, attributing the attack to a suspected Chinese espionage actor (UTA0178), revealed that the attackers exploited two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) to gain initial access to Ivanti Connect Secure (ICS) VPN appliances. These vulnerabilities allowed them to: 

  • Deploy webshells: Establish remote access points on compromised systems. 
  • Backdoor legitimate files: Modify legitimate files on the system to maintain persistence. 
  • Capture credentials and configuration data: Steal sensitive information from compromised devices. 
  • Pivot further: Move laterally within the victim’s network to access additional resources. 

Limited Impact, Targeted Campaign:

Ivanti reported that the intrusions affected fewer than 10 customers, suggesting a highly targeted attack campaign. This indicates that the attackers may have been specifically interested in compromising a select group of high-value targets. 

Patch Availability and Custom Malware

Patches for the exploited vulnerabilities, referred to as “ConnectAround” by security professionals, were expected to be released by Ivanti in the week of January 22nd. However, the attackers had already developed and deployed five custom malware families to further their objectives. This demonstrates the attackers’ advanced capabilities and their intention to maintain access even after a patch was released.

Mendiant's Analysis:

Mendiant’s investigation revealed the following details about the custom malware used in the attacks: 

  1. Modification of Legitimate Tools: Attackers used legitimate tools like BusyBox and PySoxy alongside their custom malware. 
  1. Persistence Mechanisms: 
  • THINSPOOL: A shell script dropper used to deploy the web shell LIGHTWIRE. 
  • LIGHT WIRE and WIREFIRE (aka GIFTEDVISITOR): Lightweight web shells providing persistent remote access. 
  • WARPWIRE: A JavaScript-based credential stealer. 
  • ZIPLINE: A passive backdoor capable of performing various malicious actions. 

Attribution and Targeting:

While the specific nation-state actor behind this campaign, tracked as UNC5221, remains unidentified, the attack methods employed – exploiting zero-day vulnerabilities in edge infrastructure and utilizing anonymized C2 servers – are hallmarks of advanced persistent threats (APTs). This suggests a well-resourced and sophisticated attacker with a focus on espionage. 

Mendiant's Conclusion:

Mandiant emphasizes that UNC5221’s activity highlights the continued attractiveness of targeting network perimeters for espionage actors. By exploiting vulnerabilities in edge devices like VPNs, attackers can gain initial access and potentially establish a foothold within a network. 

Update: Expanding Scope:

  • Increased Impact: Ivanti has updated its advisory, acknowledging up to 20 impacted customers, and revising the initial estimate of less than 10. This suggests the number may continue to rise as organizations investigate potential compromises. 
  • Global Expansion: Volexity reported on January 15th that the attack has impacted over 1,700 devices worldwide, spreading beyond the initially suspected limited scope. 

Widening Attacker Landscape:

  • Multiple Actors: Volexity identified evidence suggesting additional threat actors beyond UTA0178 are now exploiting the vulnerabilities. This underscores the rapid proliferation of exploit code and the need for swift patching. 
  • Evolving Tactics: The discovery of a different variant of the WIREFIRE web shell on some compromised devices indicates the attackers are adapting their tactics and potentially collaborating or sharing resources. 

Ivanti Confirms Mass Exploitation:

On January 16th, Ivanti confirmed widespread exploitation, aligning with Volexity’s findings. This suggests the attackers may have been waiting to exploit the vulnerabilities after they were publicly disclosed. 

Conclusion

The Ivanti VPN zero-day exploit campaign serves as a stark reminder of the evolving threat landscape. Organizations must prioritize proactive patching, vigilantly monitor their networks, and implement layered security measures to mitigate the risk of compromise from sophisticated attackers targeting their edge infrastructure. 

Leave a Reply