Multiple Chinese threat actors have been linked to zero-day exploitation of three security flaws affecting Ivanti equipment (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).
The clusters are tracked by Mandiant under the nicknames UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.
The Google Cloud subsidiary said it also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, possibly in an attempt to conduct cryptocurrency mining operations.
“UNC5266 partially overlaps with UNC3569, a Chinese-linked espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,” Mandiant researchers said.
The threat actor has been linked to post-exploitation activity that led to the deployment of the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor called TERRIBLETEA that comes with command execution, keylogging, port scanning, file system interaction, and screen capture functions.
UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN equipment since at least February 2024, leveraged custom malware such as TONERJAM and PHANTOMNET to facilitate post-compromise actions –
- PHANTOMNET – A modular backdoor that communicates using a custom communications protocol over TCP and uses a plugin-based system to download and execute additional payloads
- TONERJAM – A launcher designed to decrypt and run PHANTOMNET
In addition to using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP binding accounts configured on infected devices to log in as a domain administrator.
Another known China-linked espionage actor is UNC5337, which is said to have infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and CVE-2024 to deliver a custom malware toolset known as SPAWN, which comprises four distinct components that work in tandem to function as a stealthy and persistent backdoor –
- SPAWNSNAIL – A passive backdoor that listens on localhost and is equipped to launch an interactive bash shell and to launch SPAWNSLOTH
- SPAWNMOLE – A tunneling utility that can direct malicious traffic to a specific host while passing benign, unmodified traffic to the Connect Secure web server
- SPAWNANT – An installer responsible for ensuring the persistence of SPAWNMOLE and SPAWNSNAIL by leveraging a coreboot installer function
- SPAWNSLOTH – A log tampering program that disables logging and forwarding of logs to an external syslog server when the SPAWNSNAIL implant is running
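Because SPAWNSLOTH stops the appliance from forwarding to the external syslog server, a sudden silence from a device is itself a signal worth alerting on. The check below is an added example, not Mandiant's or Ivanti's code: it runs collector-side over a constructed batch of forwarded syslog lines and reports appliances that have gone quiet or never reported; the host names, timestamps and the 30-minute threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of forwarded syslog lines ("<ISO8601 UTC> <host> <message>").
# "ics-vpn-01" stops reporting at 10:05 while "ics-vpn-02" keeps logging.
SAMPLE_SYSLOG = """\
2024-02-10T10:00:01Z ics-vpn-01 web: login succeeded user=alice
2024-02-10T10:00:05Z ics-vpn-02 web: login succeeded user=bob
2024-02-10T10:05:00Z ics-vpn-01 web: session ended user=alice
2024-02-10T10:10:00Z ics-vpn-02 web: login succeeded user=carol
2024-02-10T10:20:00Z ics-vpn-02 web: session ended user=bob
2024-02-10T10:40:00Z ics-vpn-02 web: login succeeded user=dave
"""

def parse_ts(text):
    """Parse the UTC timestamp format used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def last_seen(lines):
    """Return {host: timestamp of its most recent forwarded message}."""
    seen = {}
    for line in lines.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # skip blank or malformed lines instead of aborting the sweep
        ts, host = parse_ts(parts[0]), parts[1]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def silent_hosts(lines, now_iso, expected_hosts=(), max_gap_minutes=30):
    """Hosts whose last message is older than max_gap_minutes relative to now_iso,
    plus any host from the expected inventory that never reported at all."""
    seen = last_seen(lines)
    now = parse_ts(now_iso)
    gap = timedelta(minutes=max_gap_minutes)
    silent = {host for host, ts in seen.items() if now - ts > gap}
    silent |= set(expected_hosts) - set(seen)  # inventory hosts with no log lines at all
    return sorted(silent)

if __name__ == "__main__":
    inventory = ["ics-vpn-01", "ics-vpn-02", "ics-vpn-03"]
    print(silent_hosts(SAMPLE_SYSLOG, "2024-02-10T10:45:00Z", inventory))
    # prints ['ics-vpn-01', 'ics-vpn-03']
```

A gap alert is only a trigger for a closer look at the appliance; it cannot by itself distinguish tampering from a network or configuration fault.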
Mandiant assessed with medium confidence that UNC5337 and UNC5221 constitute the same threat group, noting that the SPAWN tool is “designed to enable long-term access and avoid detection.”
UNC5221, which was previously linked to web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, also deployed a Perl-based web shell named ROOTROT embedded in a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc” by exploiting CVE-2023-46805 and CVE-2024-21887.
A successful web shell deployment is followed by network reconnaissance and lateral movement, which in some cases leads to the compromise of a vCenter server in the victim’s network via a Golang backdoor called BRICKSTORM.
“BRICKSTORM is a Go backdoor targeting VMware vCenter servers,” Mandiant researchers explained. “It supports the ability to configure itself as a web server, perform file system and directory manipulations, perform file operations such as upload/download, execute shell commands, and perform SOCKS forwarding.”
The last of the China-based groups linked to the abuse of the Ivanti security flaws is UNC5291, which Mandiant says likely has ties to another hacking group, UNC3236 (also known as Volt Typhoon), primarily due to its targeting of the academic, energy, defense, and healthcare sectors.
“Activity for this cluster began in December 2023 focusing on Citrix Netscaler ADC and then focused on Ivanti Connect Secure devices after details were made public in mid-January 2024,” the company said.
The findings once again highlight the threat faced by edge devices, with espionage actors using a combination of zero-day flaws, open-source tools, and custom backdoors to tailor their tradecraft to their objectives and evade detection for long periods of time.