At least two different suspected cyber espionage clusters linked to China, identified as UNC5325 AND UNC3886were attributed to the exploitation of security flaws in Ivanti Connect Secure VPN equipment.
UNC5325 abused CVE-2024-21893 to deliver a broad range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as maintaining persistent access to compromised appliances, Mandiant said.
The Google-owned threat intelligence firm assessed with moderate certainty that UNC5325 is associated with UNC3886 due to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with the malware used by the latter.
It is worth pointing out that UNC3886 has a proven track record of exploiting zero-day defects in Fortinet and VMware solutions to implement a variety of implants such as VIRTUALPITA, VIRTUALPIE, THINCRUST and CASTLETAP.
“UNC3886 primarily targeted defense industrial base, technology, and telecommunications organizations located in the United States and [Asia-Pacific] regions,” Mandiant researchers said.
Active exploitation of CVE-2024-21893 – a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA – by UNC5325 is said to have occurred as early as January 19 , 2024, aimed at a limited number of devices.
The attack chain involves combining CVE-2024-21893 with a previously disclosed command injection vulnerability tracked as CVE-2024-21887 to gain unauthorized access to sensitive appliances, ultimately leading to the implementation of a new version of BUSHWALK.
Some cases also involved the misuse of legitimate Ivanti components, such as SparkGateway plugins, to drop additional payloads. This includes the PITFUEL plugin to load a malicious shared object codenamed LITTLELAMB.WOOLTEA, equipped with functionality to persist during system update events, patches, and factory resets.
It also functions as a backdoor that supports command execution, file management, shell creation, SOCKS proxying, and network traffic tunneling.
Another malicious SparkGateway plugin named PITDOG is also observed injecting a shared object known as PITHOOK to persistently run an implant named PITSTOP designed for executing shell commands, writing and reading files on the compromised appliance.
Mandiant described the threat actor as having demonstrated a “nuanced understanding of the aircraft and its ability to subvert detection during this campaign” and using life-above-ground (LotL) techniques to fly under the radar.
The cybersecurity firm said it expects “UNC5325 and other China-linked espionage actors to continue to exploit zero-day vulnerabilities on network edge devices, as well as device-specific malware to gain and maintain access to target environments”.
Links found between Volt Typhoon and UTA0178
The disclosure comes as industrial cybersecurity firm Dragos attributed China-sponsored Volt Typhoon (aka Voltzite) to reconnaissance and enumeration activities targeting numerous power companies, emergency services, telecommunications providers, defense industrial bases and satellite services with based in the United States.
“Voltzite’s actions against U.S. electric, telecommunications, and GIS entities represent clear targets to identify vulnerabilities within the country’s critical infrastructure that may be exploited in the future with destructive or disruptive cyberattacks,” he said.
Since then, Volt Typhoon’s victim footprint has expanded to include African electricity transmission and distribution providers, with evidence linking the adversary to UTA0178, a threat activity cluster linked to zero-day exploitation of Ivanti flaws Connect Secure in early December 2023.
The cyber espionage actor, which relies heavily on LotL methods to evade detection, joins two other new groups, namely Gananite and Laurionite, which came to light in 2023, conducting long-term reconnaissance and computer theft operations intellectual property against critical infrastructure and government entities.
“Voltzite uses minimal tools and prefers to conduct its operations in the smallest footprint possible,” Dragos explained. “Voltzite has a strong focus on evasion of detection and long-term persistent access with the assessed intent of long-term espionage and data exfiltration.”