Chinese Actors Exploit Ivanti Vulnerabilities, Mandiant Uncovers Devious Lateral Movement Techniques


A recent report by Mandiant, a leading cybersecurity firm, sheds light on a concerning campaign targeting vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances. Published in early April 2024, the report details the activity of five suspected Chinese espionage groups exploiting these vulnerabilities to gain initial access to targeted systems.

The identified Ivanti vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) pose a significant risk, particularly since Mandiant assesses with moderate confidence that one of the hacking groups, UNC5291, is likely Volt Typhoon, a threat actor known to target the US energy and defense sectors.

Furthermore, the report highlights the presence of financially motivated actors exploiting the same vulnerabilities, potentially for crypto-mining or other malicious activities. This broadens the threat landscape and underscores the urgency of addressing these vulnerabilities. Mandiant’s investigation identified a total of eight distinct hacking clusters involved in exploiting these Ivanti weaknesses, highlighting the widespread nature of this campaign.

These findings come on the heels of an urgent warning issued by Five Eyes countries in late February 2024 regarding the exploitation of these Ivanti vulnerabilities, which were publicly disclosed earlier in the year. Fortunately, patches are readily available for all supported versions of Ivanti Connect Secure affected by these vulnerabilities as of April 3, 2024.

The report emphasizes the importance of prioritizing these patches and urges organizations to implement them without delay. Additionally, Mandiant recommends utilizing Ivanti’s new external integrity checker tool (ICT), released in April 2024, to detect potential attempts by attackers to maintain persistence on compromised systems, even after a system reset or upgrade.

Beyond Initial Compromise: Stealthy Lateral Movement

Mandiant’s investigation delves deeper, revealing that the Chinese hacking groups are leveraging custom malware specifically designed for stealthy lateral movement following the initial compromise of Ivanti appliances. This ability to move laterally within a network allows attackers to expand their reach and access more sensitive systems and data.

One such malware family, dubbed SPAWN, consists of four components working in concert to establish a persistent backdoor on the infected system.

SPAWN includes the following components:

  1. Installation (SPAWNANT)
  2. Tunneling (SPAWNMOLE)
  3. Backdoor access (SPAWNSNAIL)
  4. Log tampering (SPAWNSLOTH)

This comprehensive toolkit allows attackers to establish a foothold, maintain access, and evade detection.

The report also details a novel web shell named ROOTROT. This Perl-based web shell, embedded within a legitimate system file, allows attackers to execute commands on the compromised appliance. Interestingly, the presence of ROOTROT suggests a targeted attack, as it was likely created before the public disclosure of the Ivanti vulnerabilities in January 2024. That the tool predates the disclosure further emphasizes the capacity of sophisticated threat actors to develop custom tooling for specific targets ahead of time.
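Both the external integrity checker tool mentioned above and the ROOTROT finding (a web shell hidden inside a legitimate system file) come down to the same defensive idea: hash every file on the appliance against a trusted baseline and report anything added, removed or modified. The following Python is an added illustration of that idea, not Ivanti's ICT or any tooling from Mandiant's report; the function names (`build_manifest`, `compare_manifests`, `demo`) and the sample file tree it builds in a temporary directory are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example: a minimal file-integrity baseline/compare routine.
# Not Ivanti's ICT and not code from Mandiant's report; helper names are hypothetical.


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root_path = Path(root)
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = Path(dirpath) / name
            # Skip symlinks and special files: hashing through a symlink would
            # describe the target, not the entry the attacker may have planted.
            if full.is_symlink() or not full.is_file():
                continue
            manifest[full.relative_to(root_path).as_posix()] = sha256_file(full)
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return paths that were added, removed or modified relative to the trusted baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Build a throwaway tree, record a baseline, then simulate one tampered and one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        # Constructed sample files standing in for an appliance's own code.
        (root / "lib" / "Legit.pm").write_text("package Legit;\n1;\n")
        (root / "index.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        baseline = build_manifest(tmp)

        # Simulate a modified "legitimate" file and a newly dropped file.
        (root / "lib" / "Legit.pm").write_text("package Legit;\n# changed\n1;\n")
        (root / "extra.pl").write_text("# constructed new file\n")
        return compare_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as its baseline: because the report describes log tampering and persistence that survives resets and upgrades, the manifest must be generated from known-good vendor images and kept off the appliance, and the comparison should be run from outside it, which is the point of Ivanti's checker being external.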

Following initial compromise and lateral movement within the network, attackers have been deploying additional tools to solidify their presence and expand their capabilities. These include:

  • BRICKSTORM backdoor: Designed to target VMware vCenter servers, enabling a range of malicious activities.
  • SLIVER command-and-control framework: Provides attackers with persistent control over compromised systems.
  • TERRIBLETEA backdoor: A Go-based backdoor capable of file system manipulation, keystroke logging, and various other malicious actions.

Exploiting Active Directory for Privilege Escalation

The report also explores a concerning technique used by UNC5330, another suspected Chinese group. This group combined the Ivanti vulnerabilities (CVE-2024-21893 and CVE-2024-21887) to gain initial access and then abused a vulnerable Windows Certificate Template to obtain domain administrator credentials. These stolen credentials, granting high-level access within the network, allowed the attackers to move laterally with greater ease and potentially compromise critical systems.

Mitigating the Threat Landscape

Mandiant’s findings underscore the critical need for organizations to prioritize patching the Ivanti vulnerabilities and to implement robust security measures to defend against evolving cyber threats. This includes:

  • Staying informed about the latest threats and vulnerabilities
  • Promptly patching known vulnerabilities in critical systems like Ivanti security appliances
  • Utilizing advanced detection and monitoring tools to identify and mitigate malicious activity
  • Implementing segmentation strategies to limit the potential impact of a breach

By following these recommendations and remaining vigilant, organizations can significantly bolster their defenses against sophisticated cyberattacks like the one detailed in Mandiant’s report.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.

