UPDATE--Researchers have discovered evidence of an unidentified APT group exploiting the recently disclosed Ivanti vulnerabilities to install malware, webshells, and other malicious tools, and say that more than 1,700 devices have been compromised so far.
The two vulnerabilities (CVE-2023-46805 and CVE-2024-21887) affect all supported versions of the company’s Connect Secure and Pulse Secure gateway appliances. Ivanti released an advisory on Jan. 10 detailing them and said that it was aware of active exploitation against fewer than 20 of its customers. Other research teams have also seen exploitation of the flaws, including Volexity, which published details of attacks in which threat actors chained together the two vulnerabilities to gain remote code execution and then modified files on compromised devices to ensure remote access and keylogging.
On Jan. 15, Volexity said that it developed a tool that could scan for and identify compromised Ivanti devices and had found more than 1,700 such devices.
"Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals," Volexity said.
On Jan. 11, Mandiant researchers said that they had seen exploitation of the Ivanti vulnerabilities in December by a threat actor Mandiant is calling UNC5221. The attackers have used five distinct malicious tools in these operations, including a dropper called THINSPOOL that is used to install other tools on compromised systems.
“Mandiant has determined that THINSPOOL acts as a key tool for both persistence and detection evasion, in addition to being the initial dropper for the LIGHTWIRE web shell used by UNC5221 for post-exploitation activity. The LIGHTWIRE and WIREFIRE web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances,” the Mandiant analysis says.
“This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released.”
Ivanti is planning to begin releasing patches on a staggered basis, starting the week of Jan. 22 and ending the week of Feb. 19. In the meantime, the company has released a mitigation file for affected customers.
On the attack front, Mandiant said that UNC5221 is also using a credential-stealing tool called WARPWIRE and a backdoor known as ZIPLINE in its attacks. ZIPLINE is designed to intercept network traffic in certain cases and then execute the attackers’ commands. WARPWIRE steals specific credentials from compromised Ivanti systems.
“WARPWIRE is a credential harvester written in Javascript that is embedded into a legitimate Connect Secure file. WARPWIRE targets plaintext passwords and usernames which are submitted via an HTTP GET request to a command and control (C2) server. WARPWIRE captures credentials submitted during the web logon to access layer 7 applications, like RDP,” Mandiant said.
Mandiant’s researchers said there was not enough evidence to attribute UNC5221 to any specific region or country, although Volexity said in its analysis that it has reason to believe that the attacks it identified were from a Chinese state-level threat actor.
This story was updated on Jan. 16 to add new information from Volexity about the volume of compromised devices.