Number of orgs compromised via Ivanti VPN zero-days grows as Mandiant weighs in

Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant’s threat intel team.

The software biz disclosed the vulnerabilities in Ivanti Connect Secure (ICS) – the VPN server appliance previously known as Pulse Connect Secure – and its Policy Secure gateways on Wednesday. At the time the biz said someone or some group had already found and exploited the holes. A spokesperson for Ivanti told The Register the victim count was “less than 10.” It has since increased.

This situation is especially worrisome because neither flaw has a patch — Ivanti hopes to start rolling those out the week of January 22 in a staggered fashion, and, in the meantime urges customers to “immediately” deploy mitigations. And as Mandiant Consulting CTO Charles Carmakal noted: “These CVEs chained together lead to unauthenticated remote code execution.”

That means these flaws can be exploited to seize control of an organization’s Ivanti network appliances and use them to drill into that org’s IT environment. The two zero-days are: CVE-2023-46805, an authentication bypass bug; and CVE-2024-21887, a command injection vulnerability.

As of Friday, Ivanti says it’s “aware of less than 20 customers impacted by the vulnerabilities.”

The list will likely continue to grow, as more organizations … discover their devices are compromised

However, as Carmakal told The Register, this number will likely increase.

“We are learning about new victims as they run Ivanti’s integrity checking tool and are seeing indicators of compromise,” Carmakal said. “The list will likely continue to grow, as more organizations run the tool and discover their devices are compromised.”

Mandiant is working with Ivanti to help clean up the mess, and on Friday weighed in with its own initial analysis, promising to add more details as its investigation into the matter continues.

A couple pieces of the analysis in particular stand out. First, Mandiant says it has identified in-the-wild abuse of the bugs as early as December by a previously unknown suspected espionage team it now tracks as UNC5221.

Earlier probing by Volexity, which discovered the zero-day holes and privately reported them to Ivanti, linked the attackers to China. “Volexity has reason to believe that UTA0178 is a Chinese nation-state-level threat actor,” it said Wednesday.

When asked about a possible China link, Carmakal said there isn’t enough data for attribution.

In looking into the attacks, Mandiant saw that UNC5221 primarily used hijacked end-of-life Cyberoam VPN appliances as command-and-control servers in its attacks on Ivanti customers. “These compromised devices were domestic to the victims, which likely helped the threat actor to better evade detection,” the threat hunters wrote.

Additionally, the intruders used various pieces of bespoke malware to achieve persistence and avoid detection, allowing continued access to victims’ networks.

“This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released,” Mandiant noted.

So far, the threat hunters have identified five custom malware families used by UNC5221 after it infiltrates a target via the Ivanti flaws. One is Zipline, a backdoor that receives commands to execute on compromised devices. It also supports file transfers in and out of infected equipment, can provide a proxy server, and can implement a tunneling server.

Thinspool is designed to add malicious webshell code to legitimate files. This helps the cyber-spies establish persistence on compromised networks. It acts as the initial dropper for the Lightwire webshell. Yet another webshell, Wirefire, is stashed within Connect Secure appliances for remote control of the devices. It supports downloading files and executing arbitrary commands.

Finally, for now, anyway, there’s Warpwire, a credential harvester that collects passwords and usernames to layer 7 applications (such as RDP) in plain text, and sends them off to a command-and-control server for the snoops to use to gain further access to victims’ services and systems.

Mandiant has also shared indicators of compromise, so it’s worth checking those out, too. And, of course, apply the mitigation before taking off for the weekend. ®

READ MORE HERE