Upcoming Webinar: DPDP Act and Cybersecurity Essentials for Indian Manufacturers - 23rd July

Register Today
ivanti-vulnerabilities

Introduction:

On January 10, 2024, Ivanti disclosed two critical vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. These vulnerabilities, if exploited successfully, could lead to authentication bypass and command injection, enabling threat actors to compromise victim networks. Mandiant has identified active exploitation in the wild by a suspected espionage threat actor tracked as UNC5221 since December 2023

Overview:

Post-exploitation activities involve the use of custom malware families, trojanizing legitimate files, and deploying tools for persistence and detection evasion. The threat actor, UNC5221, leverages a variety of malicious techniques to maintain access, indicating a targeted and strategic campaign.

Indicators of Compromise (IOCs):

Code Family: LIGHTWIRE

  • Filename: compcheckresult.cgi
  • Description: Web shell

Code Family: THINSPOOL

  • Filename: sessionserver.sh
  • Description: Web shell dropper

Code Family: WARPWIRE

  • Filename: lastauthserverused.js
  • Description: Credential harvester

Code Family: WIREFIRE

  • Filename: visits.py
  • Description: Web shell

Code Family: THINSPOOL Utility

  • Filename: sessionserver.pl
  • Description: Script

Code Family: ZIPLINE

  • Filename: libsecure.so.1
  • Description: Passive backdoor

Network-Based Indicators (NBIs):

  • Domain: symantke[.]com
  • Description: WARPWIRE Command and Control (C2)

YARA rules:

  • ZIPLINE Passive Backdoor
  • WIREFIRE Web Shell
  • LIGHTWIRE Web Shell
  • THINSPOOL Dropper
  • WARPWIRE Credential Harvester

Preventive measures:

  1. Organizations are urged to follow Ivanti's mitigation guidance and stay informed about upcoming patch releases.
  2. Implement the provided mitigations to safeguard against exploitation and compromise.
  3. Monitor for any signs of compromise using the specified YARA rules and network-based indicators.
  4. Stay updated with the latest versions and look for patches available on the official site.

Conclusion:

The post-exploitation activities of UNC5221 underscore the sophisticated nature of this espionage-motivated APT campaign. Organizations should prioritize mitigation, closely follow Ivanti's guidance, and be vigilant for any signs of compromise using the provided IOCs and YARA rules. Collaboration between cybersecurity entities and the timely application of patches are essential for mitigating the risks posed by these vulnerabilities. Acknowledgments to Ivanti, Mandiant, and other contributing teams for their efforts in investigating and addressing this threat.

References:

https://www.ivanti.com/blog/january-2024-patch-tuesday

https://thehackernews.com/2024/01/cisa-issues-emergency-directive-to.html

https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.