Dive Brief:
- The threat actor behind the monthlong exploitation of Ivanti Connect Secure VPN is conducting an espionage campaign using custom malware with the goal of maintaining continued access to the appliances, according to research released Thursday by Google Cloud’s Mandiant unit.
- Multiple suspected APT actors have used similar methods, deploying appliance-specific malware to carry out post-exploitation activity and evade detection. However, Mandiant researchers said this exact activity is not yet linked to a known actor, and they do not have enough information to pinpoint its origin.
- Mandiant also observed specific attacks against organizations dating back to early December. Combined with the attacks Volexity already observed, there are about 10 known victims thus far. Ivanti said it is aware of fewer than 20 victims.
Dive Insight:
The unidentified threat actor has been exploiting two vulnerabilities in Ivanti Connect Secure VPN appliances since early December. When chained together, the vulnerabilities allow unauthenticated attackers to execute remote code and take over devices.
An authentication bypass vulnerability, tracked as CVE-2023-46805, and a command injection vulnerability, tracked as CVE-2024-21887, have CVSS scores of 8.2 and 9.1, respectively.
There are more than 17,100 exposed instances worldwide, according to data from Shadowserver.
Thus far, the attackers have downloaded remote files, stolen configuration data and modified existing files, according to Volexity.
The hackers are leveraging compromised, out-of-support Cyberoam VPN devices for command and control. Sophos, the parent of Cyberoam Technologies, said the devices have been end-of-life since March 31, 2021, and users need to upgrade their devices and firmware.
The threat group is using multiple custom malware families, as well as the PySoxy tunneller and BusyBox, for post-exploitation work, according to Mandiant.
The custom malware includes:
- Thinspool: a dropper written in shell script, which is used to write the Lightwire web shell and attempts — but fails — to evade the Ivanti integrity checker.
- Lightwire: a web shell written in Perl CGI and embedded into a legitimate Secure Connect file, enabling arbitrary command execution.
- Wirefire: a web shell written in Python that supports downloading files to a compromised device and executing arbitrary commands.
- Warpwire: a credential harvester written in JavaScript.
- Zipline: a passive backdoor.
Mandiant is urging organizations to run an integrity checker from Ivanti to determine whether they have been already compromised and also run mitigation steps suggested by the company.
“The known zero-day exploitation was performed by a single threat group, but it’s probable that other threat actors will be able to develop exploit code and exploit it for a variety of motivations,” Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, said via email.
Ivanti is consulting with Mandiant and government officials on mitigation steps and on developing an initial version of a patch, which will not be ready until the week of Jan. 22. The final version will roll out the week of Feb. 19.