Chinese threat actors have continued to exploit recent Ivanti Connect Secure VPN vulnerabilities, using new malware to achieve persistence, Mandiant reports.
The flaws were addressed on January 31, roughly three weeks after Volexity warned that Chinese threat actors were seen exploiting two of them as zero-days for initial access.
Roughly one week later, Ivanti patched a fifth vulnerability in its enterprise VPN and network access products. Proof-of-concept (PoC) code was published within days and attackers immediately started exploiting it.
Following the patch rollout, attackers continued to exploit one of them, tracked as CVE-2024-21893 and described as a server-side request forgery (SSRF) vulnerability in the SAML component in Ivanti’s enterprise VPN and network access appliances.
The issue is, in fact, a bypass for the mitigations Ivanti announced in early January, when the first two zero-days were disclosed.
According to Mandiant, a Chinese threat actor tracked as UNC5325 has been observed exploiting CVE-2024-21893 to deploy new malware families such as LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook.
Based on code overlaps, UNC5325 appears linked to UNC3886, a Chinese cyberespionage group previously observed exploiting vulnerable VMware products to compromise victim networks.
“UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the US and APJ regions. We are continuing to gather evidence and identify overlaps between UNC3886 and other suspected Chinese espionage groups,” Mandiant notes.
UNC5325, the cybersecurity firm notes, has been observed chaining CVE-2024-21893 and CVE-2024-21887 (a command injection in Ivanti’s products). Following initial access, the attackers performed reconnaissance and established a reverse shell.
Mandiant observed the attackers deploying a variant of a web shell named BushWalk that enabled them to read arbitrary files from the appliance, as well as employing modified open source tools and built-in Ivanti system utilities to evade detection, demonstrating “a nuanced understanding of the appliance”.
In some instances, the attackers used SparkGateway plugins to deploy backdoors and persistently inject shared objects. SparkGateway is a legitimate component of Ivanti’s VPN appliance that provides remote access over the browser.
One such SparkGateway plugin, named PitFuel, was seen loading the shared object LittleLamb.WoolTea to deploy backdoors and persist across system updates, patches, and even factory resets. The persistence attempts, however, failed.
“Because the appliance had undergone at least one update since its initial deployment, the malware failed to persist through the factory reset as the encryption key of the factory reset kernel and the running version kernel were different,” Mandiant notes.
A second malicious SparkGateway plugin, dubbed PitDog, was seen injecting the shared object PitHook into memory and persistently executing the backdoor named PitStop, which can execute shell commands and read and write files on the compromised appliance.
“UNC5325’s TTPs and malware deployment showcase the capabilities that suspected China-nexus espionage actors have continued to leverage against edge infrastructure in conjunction with zero days. Similar to UNC4841’s familiarity with Barracuda ESGs, UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets,” Mandiant concludes.
Related: Malware Used in Ivanti Zero-Day Attacks Shows Hackers Preparing for Patch Rollout
Related: CISA Sets 48-Hour Deadline for Removal of Insecure Ivanti Products
Related: Ivanti Vulnerability Exploited to Deliver New ‘DSLog’ Backdoor