Chinese APT develops exploits to defeat patched Ivanti users

A Chinese spy group is on the verge of developing malware that can persist on Ivanti edge devices even after patches, updates and factory resets.

When it rains it pours, and for Ivanti customers it has been raining for months. Since the company disclosed two high-severity vulnerabilities affecting its Connect Secure, Policy Secure and Zero Trust Access (ZTA) gateways (at that point already more than five weeks after the first exploitation recorded in the wild), two more bugs appeared, and then a fifth. Attackers took advantage to such an extent that, at least within the US government, agencies were ordered to disconnect Ivanti products entirely.

The once-delayed patches finally started rolling out in late January, but affected customers aren't out of the woods yet. Research published by Mandiant this week indicates that sophisticated Chinese threat actors continue to exploit Ivanti devices aggressively, developing new and more advanced methods of intrusion, stealth and persistence.

One group, which Mandiant tracks as UNC5325 and associates with UNC3886, has used living-off-the-land (LotL) techniques to evade customer defenses, and is one step away from malware that can persist on compromised devices despite patches or even a full factory reset.

UNC5325 Increases Threat to Ivanti

The measures Ivanti took were simply not enough to stop its attackers.

UNC5325 carried out attacks between January and February, bypassing the company's initial mitigation by exploiting a server-side request forgery (SSRF) vulnerability in the Security Assertion Markup Language (SAML) component of its devices. The flaw, later assigned CVE-2024-21893, carries a "high" CVSS score of 8.2 out of 10, and the group was observed chaining it with Ivanti's earlier command injection vulnerability, CVE-2024-21887.

With this continued window into vulnerable devices, the group carried out reconnaissance against its targets, changed device settings to hide its activity, used open source tools such as interactsh and Kubo Injector, and deployed a set of custom backdoors: LittleLamb.WoolTea, PitStop, PitDog, PitJet and PitHook.

Some of these tools and measures turned out to be particularly clever, such as the stealth mechanisms built into Bushwalk, a Perl-based UNC5325 web shell embedded in a legitimate component of Ivanti Connect Secure. It was first observed in the wild within hours of the initial disclosure of CVE-2024-21893.

To hide Bushwalk, the attackers place it in a directory excluded from the device's Integrity Checker Tool (ICT) and modify a Perl module so that the web shell can be activated or deactivated depending on the User-Agent header of the incoming HTTP request. The latter measure lets them take advantage of a gap in how the ICT scans.

“The internal ICT is configured to run at two-hour intervals by default and is meant to run in conjunction with continuous monitoring. Any malicious file system changes made and reverted between the two-hour scan intervals would remain undetected by the ICT. When the activation and deactivation routines are tactfully performed in rapid succession, this can minimize the risk of ICT detection by timing the activation routine to coincide exactly with the intended use of the BUSHWALK webshell,” the authors explained.
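The two evasion tricks described above (parking a file in an excluded directory, and modifying then reverting a legitimate file inside one scan window) can be seen concretely with a small simulation. The following Python is an added example written for this page, not code from Mandiant or Ivanti: it models a point-in-time integrity scanner that runs every two hours with an exclusion list, replays a constructed attacker timeline against it, and contrasts the result with a monitor that verifies every write against the baseline. All file paths, file contents and timestamps are constructed for illustration and are not taken from the report; the User-Agent trigger itself is not modelled.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCAN_INTERVAL = 7200  # seconds; the two-hour default the article cites for the internal ICT

# Hypothetical paths for illustration only; not taken from the Mandiant report.
LEGIT_MODULE = "/home/perl/Example.pm"
EXCLUDED_DIR = "/data/runtime/tmp/"
WEBSHELL = EXCLUDED_DIR + "shell.pl"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Appliance:
    """Toy in-memory filesystem: path -> content (constructed sample data)."""
    files: Dict[str, bytes] = field(default_factory=dict)

    def write(self, path: str, data: bytes) -> None:
        self.files[path] = data


def build_baseline(fs: Appliance, excluded=()) -> Dict[str, str]:
    """Known-good hashes, skipping excluded prefixes just as the scanner will."""
    return {p: sha256(c) for p, c in fs.files.items() if not p.startswith(tuple(excluded))}


def scan(fs: Appliance, baseline: Dict[str, str], excluded=()) -> List[str]:
    """Point-in-time check modelled on the ICT: hash every non-excluded file, diff against baseline."""
    findings = set()
    for path, content in fs.files.items():
        if path.startswith(tuple(excluded)):
            continue  # exclusion lists are exactly where the article says Bushwalk was placed
        if baseline.get(path) != sha256(content):
            findings.add(path)  # modified or newly created
    findings.update(p for p in baseline if p not in fs.files)  # deleted
    return sorted(findings)


# Constructed attacker timeline: (time, path, new content). The module is tampered with at
# t=3000 and restored to its pristine bytes at t=3600, entirely inside one two-hour window;
# the web shell placeholder lands in the excluded directory and stays there.
ORIGINAL_MODULE = b"package Example; sub log { return 1 } 1;"
EVENTS: List[Tuple[int, str, bytes]] = [
    (3000, LEGIT_MODULE, ORIGINAL_MODULE + b"\n# toggled on"),
    (3010, WEBSHELL, b"#!/usr/bin/perl\n# placeholder standing in for a web shell body"),
    (3600, LEGIT_MODULE, ORIGINAL_MODULE),
]


def fresh_appliance() -> Appliance:
    return Appliance({LEGIT_MODULE: ORIGINAL_MODULE, "/bin/dsserver": b"ELF..."})


def run_periodic_scans(excluded=(EXCLUDED_DIR,), horizon=14400) -> Dict[int, List[str]]:
    """Replay EVENTS and run the interval scanner at t=0, 7200, 14400; findings keyed by scan time."""
    fs = fresh_appliance()
    baseline = build_baseline(fs, excluded)
    results, pending = {}, sorted(EVENTS)
    for t in range(0, horizon + 1, SCAN_INTERVAL):
        while pending and pending[0][0] <= t:  # apply every change that happened before this scan
            _, path, data = pending.pop(0)
            fs.write(path, data)
        results[t] = scan(fs, baseline, excluded)
    return results


def run_write_monitor() -> List[Tuple[int, str]]:
    """Continuous monitoring: verify the touched path against the baseline on every write."""
    fs = fresh_appliance()
    baseline = build_baseline(fs)
    alerts = []
    for t, path, data in sorted(EVENTS):
        fs.write(path, data)
        if baseline.get(path) != sha256(data):
            alerts.append((t, path))
    return alerts


if __name__ == "__main__":
    print("periodic scan, with exclusions:   ", run_periodic_scans())
    print("periodic scan, no exclusions:     ", run_periodic_scans(excluded=()))
    print("per-write monitor:                ", run_write_monitor())
```

With the exclusion list in place every periodic scan comes back clean: the module is back to its baseline hash by the time the 7200-second scan runs, and the excluded directory is never hashed. Dropping the exclusion exposes the web shell but still misses the transient module change; only the per-write monitor records both the modification at t=3000 and the new file at t=3010, which is the "continuous monitoring" the quoted passage says the ICT is meant to be paired with.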

New Persistence Mechanisms

The biggest specter looming over Ivanti customers is UNC5325's latest experimentation with persistence.

In rare cases following exploitation of CVE-2024-21893, the group attempted to weaponize a legitimate Connect Secure component called SparkGateway. SparkGateway enables remote access protocols through a browser and, importantly, its functionality can be extended via plugins.

Malicious plugins, in this case. PitFuel, for example, is a SparkGateway plugin the group uses to load the LittleLamb.WoolTea shared object, which implements the backdoor. LittleLamb.WoolTea daemonizes itself so that it keeps running in the background of the device, and contains multiple functions and components designed to survive system upgrades, patches and factory resets.

So far, the malware fails to achieve this because of a simple encryption key mismatch.

As Chinese threat actors continue to demonstrate interest in Ivanti’s vulnerabilities, Mandiant urges customers “to take immediate action to secure protection if they have not already done so.” A new version of the ICT is now available that can help detect these latest attempts at persistence.
