
Chinese Group Runs Highly Persistent Ivanti 0-Day Exploits


UNC5325 Can Remain in Hacked Devices Despite Factory Reset and Patches


Chinese threat actors who exploited the recent Ivanti Connect Secure VPN vulnerability are maintaining their foothold even after factory resets, system upgrades and patches. The threat actor, UNC5325, is adept at “living off the land” techniques, warned threat intelligence firm Mandiant.


Mandiant published a report explaining how UNC5325 is using novel malware such as LittleLamb.WooLTea to maintain persistence.

Ivanti has disclosed a set of five vulnerabilities seen since Jan. 10, including CVE-2024-21893, a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA appliances. The bug, exploited by UNC5325, allows attackers to access certain restricted resources without authentication, according to Ivanti.

Mandiant drew connections between operators UNC5325 and UNC3886, citing overlaps in tactics, techniques and procedures. UNC3886 is a suspected Chinese espionage operator that also uses these vulnerabilities to primarily target the defense industrial base, technology and telecommunication organizations located in the U.S. and Asia-Pacific region.

Mandiant said the attackers deployed a nuanced variant of the BushWalk web shell to read arbitrary files and subvert detection through creative modifications.

Attackers also abused legitimate components, such as SparkGateway plug-ins, to deploy backdoors, extending their reach within compromised systems. By injecting shared objects into the SparkGateway component, the threat actors created a pathway for further exploitation, allowing them to manipulate systems without detection.

The group manipulated the system’s data backup mechanism and timed its actions during upgrades to secretly embed the malicious code into the updated system.

Threat actors also managed to persist through factory resets by analyzing the hardware of the appliance and then modifying the factory reset process. By renaming critical binaries and leveraging conditions in the reset procedure, attackers ensured that their components were preserved, ready to be reactivated once the reset completed.

“UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets,” Mandiant said. The cybersecurity firm anticipates UNC5325 and other Chinese espionage actors will persistently use zero-day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.
