New Malware in Exploits Targeting Ivanti Vulnerabilities
Google-owned Mandiant has uncovered new malware deployed through the exploitation of vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. These malware families have been used by several threat groups, including the China-nexus espionage group UNC5221, to carry out post-exploitation activity. The new variants include the custom web shells BUSHWALK, CHAINLINE and FRAMESTING, and a variant of LIGHTWIRE.
CHAINLINE, for instance, is a Python-based web shell embedded within Ivanti Connect Secure Python packages that enables arbitrary command execution.
BUSHWALK, written in Perl, evades Ivanti’s mitigations and grants attackers the ability to read or write files on servers.
FRAMESTING is likewise a Python web shell embedded in an Ivanti Connect Secure Python package and used to execute arbitrary commands. It was found at the path “/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py”.
LIGHTWIRE, written in Perl CGI, maintains persistent remote access to compromised devices.
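Because CHAINLINE and FRAMESTING hide inside files of an installed Python package rather than in a separate dropped binary, the practical detection is an integrity comparison of the package tree against a trusted baseline. The following is an added example for that check; it is not code from Mandiant's report or from Ivanti's own tooling. It assumes the defender captured SHA-256 digests of the site-packages tree from a known-good image, and all paths and file contents it builds are constructed sample data (the relative path reuses the one named above only as a label):

```python
"""Baseline-driven integrity check for a Python package tree.

Added example (not from the article's sources). Assumes a trusted baseline of
SHA-256 digests exists for every file under a site-packages directory; flags
files that were modified or newly added, which is how a web shell planted
inside an installed package would surface. Sample tree and contents below are
constructed placeholders, not real appliance or malware code.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_to_baseline(baseline, root):
    """Classify files under root against a trusted baseline.

    Returns sorted lists: 'modified' (digest differs from baseline),
    'added' (on disk but absent from baseline), 'missing' (in baseline
    but gone from disk). 'added' is the bucket a dropped web shell lands
    in; 'modified' catches a shell spliced into an existing module.
    """
    current = snapshot(root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


# Constructed sample tree. The relative path mirrors the one named in the
# article as a label only; contents are placeholders.
CAV_RESOURCE = "cav-0.1-py3.6.egg/cav/api/resources/category.py"
CLEAN_FILES = {
    CAV_RESOURCE: b"# original resource handler (placeholder)\n",
    "cav-0.1-py3.6.egg/cav/__init__.py": b"",
}


def build_tree(root, files):
    """Materialise a {relative_path: bytes} mapping under root."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Baseline a clean tree, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root, CLEAN_FILES)
        baseline = snapshot(root)  # trusted snapshot from the clean state
        # Simulated tampering: one packaged module altered, one new file added.
        (Path(root) / CAV_RESOURCE).write_bytes(b"# altered (placeholder)\n")
        (Path(root) / "cav-0.1-py3.6.egg/cav/api/extra.py").write_bytes(b"# new\n")
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline should come from a vendor image or a snapshot taken before the device was exposed, and be stored off the appliance, since a compromised host can rewrite any baseline it holds locally.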
Mandiant’s analysis confirmed exploitation of two Ivanti vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which together allow threat actors to execute arbitrary commands with elevated privileges. These flaws have been actively exploited as zero-days since December 2023; Germany’s Federal Office for Information Security (BSI) has reported compromised systems.
Further exacerbating the situation, Mandiant has identified the use of open-source utilities such as Impacket, CrackMapExec, iodine and Enum4linux in support of post-exploitation activity, including network reconnaissance and data exfiltration.
Ivanti has disclosed additional security flaws, including CVE-2024-21888 and CVE-2024-21893, and has released patches to address these vulnerabilities. However, UNC5221 continues to pose a significant threat, targeting various industries of strategic interest to China.
Conclusion
To mitigate the risk posed by these Ivanti vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance urging affected agencies to disconnect Ivanti devices from their networks immediately and apply patches promptly. Additionally, agencies are advised to reset passwords and revoke access tokens to prevent further compromise.
To summarize, the discovery of these vulnerabilities underscores the importance of proactive cybersecurity measures and highlights the ongoing challenges posed by sophisticated threat actors. Vigilance, timely patching, and adherence to cybersecurity best practices are crucial in safeguarding against evolving cyber threats.
The sources for this article include a story from TheHackerNews.