Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Chinese APT Developing Exploits to Defeat Already Patched Ivanti Users

More bad news for Ivanti customers: soon, even if you've patched, you still might not be safe from relentless attacks from high-level Chinese threat actors.

6 Min Read
Ivanti logo on a wall
Source: Alexander Tolstykh via Shutterstock

A Chinese espionage group is on the verge of developing malware that can persist in Ivanti edge devices even after patches, upgrades, and factory resets.

When it rains it pours, and for Ivanti customers it's been raining for months now. In the time since the company revealed two high-risk vulnerabilities affecting its Connect Secure, Policy Secure, and Zero Trust Access (ZTA) gateways (at that point, more than five weeks after early recorded exploits in the wild), two more bugs cropped up, and then a fifth. Attackers have taken advantage to such an extent that, within the US government at least, agencies were ordered to take Ivanti's products out of production in order to look for signs of compromise, before performing a factory reset and patching and putting the appliance back into production.

Once-delayed patches finally began to roll out in late January, but affected customers are not out of the woods yet. Research published by Mandiant this week indicates that high-level Chinese hackers are continuing to juice Ivanti for all it's worth, developing new and more advanced methods of intrusion, stealth, and persistence.

One group, which Mandiant tracks as UNC5325 — and whichassociates with UNC3886 — has been using living-off-the-land (LotL) techniques to skirt past customers' defenses, and researchers say it's only a hair's breadth away from developing malware capable of persisting in compromised devices despite patches, or even full resets. 

Upcoming Persistence Mechanisms

UNC5325's latest experiments with persistence raise a concerning specter, according to Mandiant.

In rare instances following CVE-2024-21893 exploitation, the group has attempted to weaponize a legitimate component of Connect Secure called "SparkGateway," the researchers found. SparkGateway enables remote access protocols over a browser and, importantly, its functionality can be extended through plugins.

In this case, malicious plugins. Pitfuel, for example, is a SparkGateway plugin that the group uses to load the shared object LittleLamb.WoolTea, whose job is to deploy backdoors. LittleLamb.WoolTea daemonizes itself in order to run consistently in the background of the device, and contains multiple functions and components designed to enable persistence across system upgrades, patches, and factory resets.

As yet, the malware does not achieve this. Mandiant found that this is due to a simple error mismatching encryption keys, so it's likely only a matter of time before they get it right.

"We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat," an Ivanti spokesperson tells Dark Reading. "To be clear, the 29 February advisory does not contain information on a new vulnerability, and Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti."

 The person added, "Ivanti, Mandiant, CISA and the other JCSA authoring organizations continue to recommend that defenders apply available patching guidance provided by Ivanti if they haven’t done so already, and run Ivanti’s updated Integrity Checker Tool (ICT), released on 27 February, to help detect known attack vectors, alongside continuous monitoring. "

UNC5325 Ups the Threat to Ivanti

Mandiant also elaborated on how UNC5325 was carrying out attacks throughout January and February, bypassing the company's mitigations by taking advantage of a server-side request forgery (SSRF) vulnerability in the Security Assertion Markup Language (SAML) component of its appliances. CVE-2024-21893, as it was later labeled, earned a "high" 8.2 out of 10 score on the CVSS scale, and the group was observed chaining it with Ivanti's prior command injection vulnerability, CVE-2024-21887.

With this continued window into vulnerable appliances, the group performed reconnaissance against its targets, modified appliance settings to conceal its activity, used open source tools like interactsh and Kubo Injector, and deployed a series of custom backdoors: LittleLamb. WoolTea, PitStop, Pitdog, PitJet, and PitHook.

Some of these tools and measures have been particularly clever, like the stealth mechanisms built into Bushwalk, a Perl-based Web shell UNC5325 that embeds in a legitimate component of Ivanti Secure Connect. It was first discovered in the wild just hours after the initial disclosure of CVE-2024-21893.

To conceal Bushwalk, the hackers place it in a folder excluded by the device's Integrity Checker Tool (ICT), and modify a Perl module which enables them to activate or deactivate it depending on the incoming HTTP request's user agent. This latter measure allows them to take advantage of a minor discrepancy in the ICT.

"The internal ICT is configured to run in two-hour intervals by default and is meant to be run in conjunction with continuous monitoring. Any malicious file system modifications made and reverted between the two-hour scan intervals would remain undetected by the ICT. When the activation and deactivation routines are performed tactfully in quick succession, it can minimize the risk of ICT detection by timing the activation routine to coincide precisely with the intended use of the BUSHWALK webshell," the authors explained.

Ivanti Updates Integrity Checker Tool

Because Chinese threat actors continue to demonstrate interest in Ivanti vulnerabilities, Mandiant is urging customers "to take immediate action to ensure protection if they haven't done so already."

While prior attacks were able to get past detection, Ivanti has released a new version of the ICT for its VPNs can help detect these latest persistence attempts.

"The ICT is not intended to be a magic bullet – it is one important and informative security tool in their arsenal, as a complement to other tools," Ivanti said in its update earlier this week. "It is designed to provide a snapshot of the current state of the appliance when the scan takes place and cannot necessarily detect threat actor activity if the appliance has been returned to a clean state. Other security tools should be used to monitor for changes made between scans as well as malware and other indicators of compromise (IoCs)."

 It added, "the ICT focuses specifically on known threat activity that is being deployed by threat actors in the wild. This maximizes meaningful results for customers and minimizes false positives, and has been validated by Mandiant in their blog as an effective tool. We will continue to enhance the ICT to detect known threats based on what we and our partners have seen in the wild."

"We recommend a defense-in-depth approach by layering on other security tools, capabilities, and human resources to assist in real-time detection and response," says Mat Lin, security consultant with Mandiant. He added that in addition to the ICT, Ivanti also provides "log forwarding capabilities that could enable organizations to detect and respond to exploitation attempts in real time when configured properly. This is why layering on continuous monitoring to the tools that Ivanti already provides is so important for their respective customers."


About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights