Chinese Group Runs Highly Persistent Ivanti 0-Day Exploits
UNC5325 Can Remain in Hacked Devices Despite Factory Reset and Patches
Chinese threat actors are attempting to maintain persistence after exploiting the recent Ivanti Connect Secure VPN vulnerability even after factory resets, system upgrades and patches.* The threat actor, UNC5325, is adept at "living off the land" techniques, warned threat intelligence firm Mandiant.
Mandiant published a report explaining how UNC5325 is using novel malware such as LittleLamb.WooLTea in an attempt to maintain persistence.
Ivanti has disclosed a set of five vulnerabilities seen since Jan. 10, including CVE-2024-21893, a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA appliances. The bug, exploited by UNC5325, allows attackers to access certain restricted resources without authentication, according to Ivanti.
Mandiant drew connections between operators UNC5325 and UNC3886, citing overlaps in tactics, techniques and procedures. UNC3886 is a suspected Chinese espionage operator that also exploits these vulnerabilities, primarily targeting defense industrial base, technology and telecommunications organizations in the U.S. and the Asia-Pacific region.
Mandiant said the attackers deployed a nuanced variant of the BushWalk web shell to read arbitrary files and subvert detection through creative modifications.
Attackers also abused legitimate components, such as SparkGateway plug-ins, to deploy backdoors, extending their reach within compromised systems. Injecting shared objects into the SparkGateway component, threat actors created a pathway for further exploitation, allowing them to manipulate systems without detection.
The group manipulated the system's data backup mechanism and timed its actions during upgrades to secretly embed the malicious code into the updated system.
Threat actors also attempted to persist through factory resets by analyzing the hardware of the appliance and then modifying the factory reset process.
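Each of the persistence techniques described above leaves a trace in the appliance's file system: a shared object that was not part of the shipped image, or a legitimate plug-in file whose contents changed across an upgrade or reset. The following is an added example, not code from Mandiant, Ivanti or this article, of the generic defensive check for that: record a SHA-256 manifest of a known-good tree, then diff a later snapshot against it and flag any new or altered loadable shared objects. The directory layout, file names and contents are constructed for the demo and do not represent real appliance paths.

```python
"""File-integrity baseline check (added example; constructed paths and data).

Builds a SHA-256 manifest of a directory tree, compares it to a previously
recorded baseline, and reports added, modified and removed files, with a
separate list of changed files that look like loadable shared objects.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def is_shared_object(rel_path):
    """True for names like libfoo.so or libfoo.so.1 (ELF shared objects)."""
    name = os.path.basename(rel_path)
    return name.endswith(".so") or ".so." in name


def demo():
    """Constructed scenario: baseline a plug-in directory, then simulate one
    dropped shared object and one tampered plug-in, and run the check."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "plugins")  # constructed path
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "gateway.jar"), "wb") as f:
            f.write(b"legitimate plug-in bytes")  # constructed content
        with open(os.path.join(plugin_dir, "libhelper.so"), "wb") as f:
            f.write(b"legitimate helper")  # constructed content
        baseline = build_manifest(root)  # in practice: stored off-box

        # Simulated post-compromise state: an extra .so and an altered file.
        with open(os.path.join(plugin_dir, "libinjected.so"), "wb") as f:
            f.write(b"unexpected shared object")
        with open(os.path.join(plugin_dir, "gateway.jar"), "ab") as f:
            f.write(b" + appended bytes")
        current = build_manifest(root)

        added, modified, removed = diff_manifests(baseline, current)
        flagged = [p for p in added + modified if is_shared_object(p)]
        return {
            "added": added,
            "modified": modified,
            "removed": removed,
            "flagged_shared_objects": flagged,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is only as trustworthy as the baseline and the place it lives: the manifest must be recorded from a known-good image and kept off the appliance, and the comparison should be run from a trusted host, because an actor with root on the device can rewrite an on-box manifest as easily as the files it describes. That is exactly why tampering with the backup and factory-reset mechanisms, as the article describes, is a meaningful escalation.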
"UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets," Mandiant said. The cybersecurity firm anticipates UNC5325 and other Chinese espionage actors will persistently use zero-day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.
*Correction Feb. 29, 2024 15:18 UTC: This story has been corrected throughout to reflect that threat actor attempts to maintain persistence through factory resets, system upgrades and patches have not been successful to date.