Introduction:
On January 10, 2024, Ivanti disclosed two vulnerabilities affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances: CVE-2023-46805, an authentication bypass in the web component, and CVE-2024-21887, a command injection reachable by an authenticated administrator. Chained together they allow an unauthenticated remote attacker to execute arbitrary commands on the appliance and pivot into the victim network. Mandiant identified active in-the-wild exploitation by a suspected espionage threat actor tracked as UNC5221, beginning in December 2023, before the vulnerabilities were publicly disclosed.
Overview:
Post-exploitation activity by UNC5221 combines custom malware families, trojanized copies of legitimate appliance files (malicious logic inserted into components that normally exist on the device), and tooling aimed at persistence and detection evasion. The choice of targets and the effort invested in staying resident on the appliance indicate a targeted, strategic campaign rather than opportunistic mass exploitation.
Indicators of Compromise (IOCs):
Code Family: LIGHTWIRE
- Filename: compcheckresult.cgi
- Description: Web shell
Code Family: THINSPOOL
- Filename: sessionserver.sh
- Description: Web shell dropper
Code Family: WARPWIRE
- Filename: lastauthserverused.js
- Description: Credential harvester
Code Family: WIREFIRE
- Filename: visits.py
- Description: Web shell
Code Family: THINSPOOL Utility
- Filename: sessionserver.pl
- Description: Script
Code Family: ZIPLINE
- Filename: libsecure.so.1
- Description: Passive backdoor
Network-Based Indicators (NBIs):
- Domain: symantke[.]com
- Description: WARPWIRE Command and Control (C2)
YARA rules (published in the Mandiant report listed under References):
- ZIPLINE Passive Backdoor
- WIREFIRE Web Shell
- LIGHTWIRE Web Shell
- THINSPOOL Dropper
- WARPWIRE Credential Harvester
Preventive measures:
- Follow Ivanti's mitigation guidance immediately. Patches were not available at disclosure, so the interim mitigation Ivanti published is the only protection until a patch for the affected version is released; apply the patch as soon as it is available for the deployed version.
- Run Ivanti's Integrity Checker Tool (ICT) against each appliance to detect modified or unexpected files, since several of the indicators above are legitimate appliance files that were altered in place rather than new files dropped on disk.
- Monitor appliance file systems and network telemetry for the file-based indicators, the YARA rules, and the network-based indicators listed above; treat any match as grounds for an incident response investigation, not just remediation of the single appliance.
- Assume that credentials entered on a compromised appliance were harvested (WARPWIRE targets exactly this) and rotate them, including any service accounts configured on the appliance.
- Note that CISA issued an emergency directive (ED 24-01) requiring U.S. federal agencies to apply the mitigation and report compromises; the directive and its reporting expectations are a useful baseline for other organizations as well.
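The following Python script is an added example of how a responder might operationalize the indicator list above; it is not tooling from Mandiant or Ivanti. It loads the file-based and network-based indicators as published, re-fangs the defanged C2 domain so it can be matched against proxy and DNS log lines, and reports file-name hits as candidates for content inspection rather than confirmed detections, because several of these names belong to legitimate appliance components that the actor modified in place. The appliance paths and log lines are constructed for illustration; the directory layout under /home/webserver is assumed, not taken from the page.

```python
"""Match published Ivanti/UNC5221 indicators against constructed sample data.

Added example, not Mandiant's or Ivanti's tooling. The file paths and log
lines below are constructed; the appliance directory layout is assumed.
"""
import posixpath
import re
from collections import namedtuple

# File-based indicators exactly as listed on the page: filename -> (family, description)
FILE_IOCS = {
    "compcheckresult.cgi": ("LIGHTWIRE", "Web shell"),
    "sessionserver.sh": ("THINSPOOL", "Web shell dropper"),
    "lastauthserverused.js": ("WARPWIRE", "Credential harvester"),
    "visits.py": ("WIREFIRE", "Web shell"),
    "sessionserver.pl": ("THINSPOOL Utility", "Script"),
    "libsecure.so.1": ("ZIPLINE", "Passive backdoor"),
}

# Network-based indicators, kept defanged exactly as published
NETWORK_IOCS = {
    "symantke[.]com": ("WARPWIRE", "Command and Control (C2)"),
}

Hit = namedtuple("Hit", "indicator family description evidence")


def refang(indicator):
    """Turn a defanged indicator ("symantke[.]com") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def domain_pattern(domain):
    """Regex matching the domain or any subdomain of it as a whole name.

    Rejects look-alikes such as "notsymantke.com" and "symantke.com.evil.net",
    but accepts a trailing dot as written in DNS logs ("symantke.com.").
    """
    return re.compile(
        r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(domain) + r"(?!\.?[\w-])",
        re.IGNORECASE,
    )


def match_files(paths):
    """Return file-name hits. A hit is a lead, not a verdict: compcheckresult.cgi,
    lastauthserverused.js and visits.py also exist on a clean appliance, so each
    hit must be followed by content inspection (YARA) or an integrity check."""
    hits = []
    for path in paths:
        name = posixpath.basename(path)
        if name in FILE_IOCS:
            family, desc = FILE_IOCS[name]
            hits.append(Hit(name, family, desc, path))
    return hits


def match_network(log_lines):
    """Return log lines that reference a published C2 domain or a subdomain of it."""
    hits = []
    for raw, (family, desc) in NETWORK_IOCS.items():
        pattern = domain_pattern(refang(raw))
        for line in log_lines:
            if pattern.search(line):
                hits.append(Hit(raw, family, desc, line))
    return hits


def triage(paths, log_lines):
    """Combine both indicator types into one report for an analyst."""
    return {
        "file_candidates": match_files(paths),   # require content inspection
        "network_hits": match_network(log_lines),  # strong signal on their own
    }


# Constructed sample input (paths are assumed, not taken from the page)
SAMPLE_PATHS = [
    "/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi",
    "/home/webserver/htdocs/dana-na/auth/lastauthserverused.js",
    "/tmp/sessionserver.sh",
    "/home/webserver/htdocs/dana-na/auth/welcome.cgi",
    "/home/venv3/lib/python3.6/site-packages/cav/api/resources/visits.py",
]

SAMPLE_LOGS = [
    "2024-01-12T03:14:07Z proxy src=10.0.0.5 dst=www.symantke.com:443 action=allow",
    "2024-01-12T03:14:09Z dns query=symantke.com. type=A",
    "2024-01-12T03:15:00Z proxy src=10.0.0.7 dst=updates.symantec.com:443 action=allow",
    "2024-01-12T03:15:30Z dns query=notsymantke.com type=A",
]

if __name__ == "__main__":
    report = triage(SAMPLE_PATHS, SAMPLE_LOGS)
    for hit in report["file_candidates"]:
        print(f"INSPECT  {hit.family:<18} {hit.evidence}")
    for hit in report["network_hits"]:
        print(f"C2 HIT   {hit.family:<18} {hit.evidence}")
```

Note the third log line: the C2 domain is a typosquat of a well-known vendor, and a careless substring match on "symant" would fire on legitimate traffic to the real vendor. Matching on the whole refanged domain, as the regex here does, avoids that while still catching subdomains of the indicator.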
Conclusion:
The post-exploitation activity of UNC5221 reflects a capable, suspected espionage-motivated actor that exploited these vulnerabilities as zero-days before disclosure. Organizations running Ivanti Connect Secure or Policy Secure should apply Ivanti's mitigation without waiting for a patch, run the Integrity Checker Tool, hunt with the IOCs and YARA rules above, and rotate credentials exposed through any compromised appliance. Timely patching and information sharing between Ivanti, Mandiant, CISA and affected organizations remain essential to containing this campaign.
References:
https://www.ivanti.com/blog/january-2024-patch-tuesday
https://thehackernews.com/2024/01/cisa-issues-emergency-directive-to.html
https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day