Skip to main content
close search
site logo
Dive Brief

Ivanti Connect Secure attacks part of deliberate espionage operation

Researchers warn the previously unknown actor has developed custom malware designed to maintain persistent access on targeted networks and evade detection.

Published Jan. 12, 2024
David Jones's headshot
Reporter
Header image for "43% of Audit Executives Rank Cybersecurity Controls as 2023's Lead Risk"
Colin Anderson Productions pty ltd

Dive Brief:

  • The threat actor behind the monthlong exploitation of Ivanti Connect Secure VPN is conducting an espionage campaign using custom malware with the goal of maintaining continued access to the appliances, according to research released Thursday by Google Cloud’s Mandiant unit. 
  • Multiple suspected APT actors have used similar methods with appliance-specific malware in order to engage in post-exploitation threat activity and evade detection. However, Mandiant researchers said, at the moment, this exact activity is not linked to a known actor and they don’t have enough information yet to pinpoint the origin.
  • Mandiant also observed specific attacks against organizations dating back to early December. When combined with the attacks Volexity already observed, there are about 10 known victims thus far. Ivanti said it is aware of less than 20 victims.

Dive Insight:

The unidentified threat actor has been exploiting two vulnerabilities in Ivanti Connect Secure VPN appliances since early December. When chained together, the vulnerabilities allow unauthenticated attackers to execute remote code and take over devices. 

An authentication bypass vulnerability, tracked as CVE-2023-46805, and a command injection vulnerability, tracked as CVE-2024-21887, have CVSS scores of 8.2 and 9.1, respectively. 

There are more than 17,100 exposed instances worldwide, according to data from Shadowserver

Thus far, the attackers have downloaded remote files, stolen configuration data and modified existing files, according to Volexity. 

The hackers are leveraging compromised, out-of-support Cyberoam VPN devices for command and control. Sophos, the parent of Cyberoam Technologies, said the devices have been end-of-life since March 31, 2021, and users need to upgrade their devices and firmware.

The threat group is using multiple custom malware families, as well as the PySoxy tunneller and BusyBox, for post-exploitation work, according to Mandiant. 

The custom malware includes: 

  • Thinspool: a dropper written in shell script, which is used to write the Lightwire web shell and attempts — but fails — to evade the Ivanti integrity checker. 
  • Lightwire: a web shell written in Perl CGI and embedded into a legitimate Secure Connect file, enabling arbitrary command execution. 
  • Wirefire: a web shell written in Python and supports downloading to a compromised device and executing arbitrary commands. 
  • Warpwire: a credential harvester written in Javascript. 
  • Zipline: a passive backdoor. 

Mandiant is urging organizations to run an integrity checker from Ivanti to determine whether they have been already compromised and also run mitigation steps suggested by the company.

“The known zero-day exploitation was performed by a single threat group, but it’s probable that other threat actors will be able to develop exploit code and exploit it for a variety of motivations,” Charles Carmikal, CTO at Mandiant Consulting, Google Cloud, said via email.

Ivanti is consulting with Mandiant and government officials on mitigation steps and to develop an initial version of a patch, which will not be ready until the week of Jan. 22. The final version will roll out the week of Feb. 19. 

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Torus Unveils Integrated Energy Storage and AI-Driven Cybersecurity Solutions
From Torus
October 24, 2024
Abbott Laboratories Employees Credit Union (“ALEC”) Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Clay Platte Family Medicine Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell