Google-owned Mandiant said it identified new malware employed by a Chinese-nexed spy threat actor known as UNC5221 and other threat groups during post-exploitation activity against Ivanti Connect Secure VPN and Policy devices Secure.
This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE.
“CHAINLINE is a Python web shell backdoor embedded in an Ivanti Connect Secure Python package that allows execution of arbitrary commands,” the company said, attributing it to UNC5221, adding that it also detected several new versions of WARPWIRE, a credential stealer based on JavaScript. .
The infection chains result in successful exploitation of CVE-2023-46805 and CVE-2024-21887, which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges.
The flaws have been exploited as zero-days since the beginning of December 2023. Germany’s Federal Office for Cyber Security (BSI) said it was aware of “multiple compromised systems” in the country.
BUSHWALK, written in Perl and distributed by evading mitigations issued by Ivanti in highly targeted attacks, is embedded in a legitimate Connect Secure file called “querymanifest.cgi” and offers the ability to read or write files on a server.
On the other hand, FRAMESTING is a Python web shell embedded in an Ivanti Connect Secure Python package (located in the following path “/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/ cav/api/resources/category.py”) which allows arbitrary execution of commands.
Mandiant’s analysis of the ZIPLINE passive backdoor also discovered the use of “extended functionality to ensure authentication of its custom protocol used to establish command and control (C2).”
Additionally, the attacks are characterized by the use of open source utilities such as Impacket, CrackMapExec, Iodine, and Enum4linux to support post-exploitation activity on Ivanti CS equipment, including network reconnaissance, lateral movement, and data exfiltration. inside the victims’ environments.
Ivanti has since disclosed two more security flaws, CVE-2024-21888 and CVE-2024-21893, the latter of which was actively exploited by targeting a “limited number of customers.” The company also released the first set of fixes to address the four vulnerabilities.
UNC5221 is said to target a wide range of sectors of strategic interest to China, with its infrastructure and tools overlapping with past intrusions linked to China-based espionage actors.
“The Linux-based tools identified in the incident response investigations use code from multiple Chinese-language Github repositories,” Mandiant said. “UNC5221 extensively exploited TTPs associated with zero-day exploitation of edge infrastructure by alleged PRC nexus actors.”