As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.
“These families allow threat actors to bypass authentication and provide backdoor access to these devices,” Mandiant said in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the alias UNC5221.
The attacks leverage an exploit chain containing an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to handle vulnerable instances.
Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.
According to Ivanti, the intrusion affected less than 10 customers, indicating that it may have been a highly targeted campaign. Patches (informally called connectarounds) for the two vulnerabilities are expected to be available the week of January 22.
Mandiant’s analysis of the attacks has revealed the presence of five different custom malware families, besides injecting malicious code into legitimate files within ICS and using other legitimate tools like BusyBox and PySoxy to facilitate subsequent activity.
“With some sections of the device being read-only, the UNC5221 took advantage of a Perl script (sessionserver.pl) to re-mount the file system as read/write and enabled the deployment of THINSPOOL, a Shell script dropper that writes to the web shell LIGHTWIRE valid Connect Secure file, and other follow-on tooling,” the company said.
LIGHTWIRE is one of two web shells, the other being WIREFIRE, which are “lightweight footholds” designed to ensure persistent remote access to compromised devices. While LIGHTWIRE is written in Perl CGI, WIREFIRE is implemented in Python.
Also used in the attacks are a JavaScript-based credential stealer dubbed WARPWIRE and a passive backdoor named ZIPLINE that’s capable of downloading/uploading files, establishing a reverse shell, creating a proxy server, and setting up a tunneling server to dispatch traffic between multiple endpoints.
Mandiant added, “This indicates that these are not opportunistic attacks, and that UNC5221 intended to maintain its presence on a subset of high-priority targets, which it compromised after the patch was released.”
UNC5221 has not been linked to any previously known group or a particular country, although the targeting of edge infrastructure by weaponizing zero-day flaws and the use of compromise command-and-control (C2) infrastructure to bypass detection bears all the hallmarks of an advanced persistent threat (APT).
“UNC5221’s activity demonstrates that exploiting and living at the edge of the network remains a viable and attractive target for espionage actors,” Mandiant said.
