In a recent digital espionage campaign, suspected nation-state actors have been exploiting two zero-day vulnerabilities in Ivanti Connect Secure (ICS) virtual private network (VPN) appliances since early December 2023. Google-owned threat intelligence firm Mandiant tracks those responsible as UNC5221 and has observed as many as five malware families deployed as part of the group's post-exploitation activity.
The vulnerabilities in question are an authentication bypass flaw (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). Chained together, they allow an attacker to take control of susceptible ICS VPN appliances without valid credentials. Volexity security researchers attribute the activity to a suspected Chinese espionage actor they track as UTA0178, highlighting the sophisticated nature of the attacks.
The attackers have used these vulnerabilities to gain initial access, deploy web shells, backdoor legitimate files, harvest credentials and configuration data, and pivot further into victim environments. Ivanti reports that the intrusions have affected fewer than 10 customers, indicating a highly targeted campaign.
Patches for the two vulnerabilities, informally dubbed ConnectAround, are expected to be released the week of January 22. In the meantime, Mandiant's analysis has revealed the use of five custom malware families in these attacks. UNC5221 employs a variety of techniques, including injecting malicious code into legitimate files, using tools such as BusyBox and PySoxy, and running a Perl script to remount the file system as read/write.
Two web shells, LIGHTWIRE (written in Perl CGI) and WIREFIRE (implemented in Python), serve as lightweight footholds that ensure persistent remote access to compromised devices. The attacks have also used WARPWIRE, a JavaScript-based credential stealer, and ZIPLINE, a passive backdoor capable of downloading and uploading files, establishing a reverse shell, creating a proxy server, and setting up a tunneling server that relays traffic between multiple endpoints.
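Because the actor's footholds rely on injecting code into legitimate files and dropping new web shells, the practical check a defender wants is a file-integrity comparison against a known-good baseline. The script below is an added example, not code from the original article, from Ivanti, or from Mandiant; the directory layout, the file name health.cgi and the injected contents are constructed for illustration, and a real baseline would have to come from vendor-published hashes or a trusted clean image rather than from the possibly compromised appliance itself.

```python
"""File-integrity check for spotting backdoored legitimate files and dropped web shells.

Added example (not from the original article or vendor). All paths, file names
and contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large appliance images do not hit memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file (path relative to root) to its SHA-256 hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def check_integrity(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree to the baseline.

    'modified' catches code injected into legitimate files (LIGHTWIRE-style),
    'added' catches newly dropped files such as standalone web shells, and
    'missing' catches deleted or renamed components.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def simulate_backdoor_demo() -> Dict[str, List[str]]:
    """Build a toy 'appliance' tree, baseline it, then tamper with it the way the
    article describes (inject into a legitimate CGI, drop a new one) and report."""
    with tempfile.TemporaryDirectory() as root:
        cgi_dir = os.path.join(root, "cgi-bin")
        os.makedirs(cgi_dir)

        legit = os.path.join(cgi_dir, "health.cgi")  # constructed file name
        with open(legit, "w") as handle:
            handle.write('#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n')

        baseline = build_baseline(root)  # taken while the tree is clean

        # Constructed stand-in for code appended to a legitimate script.
        with open(legit, "a") as handle:
            handle.write("# placeholder for injected code\n")
        # Constructed stand-in for a newly dropped web shell.
        with open(os.path.join(cgi_dir, "dropped.cgi"), "w") as handle:
            handle.write("#!/usr/bin/perl\n# placeholder\n")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(simulate_backdoor_demo())
```

Two caveats matter on a real device. First, run the comparison from outside the appliance (for example, against an exported image) because an actor that has already remounted the file system read/write can just as easily alter the checker or its baseline. Second, a clean hash match only tells you the files on disk are unchanged; it says nothing about in-memory implants or about credentials and configuration already exfiltrated, so a mismatch should trigger an incident response, not merely a reinstall.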
Mandiant stresses that these are not opportunistic attacks: UNC5221 appears intent on maintaining its presence on a subset of high-priority targets even after a patch is released. Although UNC5221 has not been linked to any previously known group or country, the tactics employed, including the use of zero-day vulnerabilities and of compromised command-and-control infrastructure, match the characteristics of an advanced persistent threat (APT).
The incident highlights the evolving threat landscape, demonstrating that perimeter infrastructure remains a prime target for espionage actors and that exploiting vulnerabilities in it remains one of their favored routes in.