Cyber Security News

Multiple Chinese Hacking Groups Exploiting Ivanti Connect Secure VPN Flaw

Cybersecurity firm Mandiant has uncovered a series of sophisticated cyberattacks targeting Ivanti Connect Secure VPN appliances.

These attacks, attributed to multiple Chinese nexus espionage groups, exploit critical vulnerabilities to facilitate lateral movement and compromise Active Directory systems.

This article delves into the intricate details of the CVEs involved, the clustering and attribution of these attacks, the deployment of new TTPs and malware, and the implications of such breaches.

CVEs: The Gateway to Exploitation

The initial disclosure of CVE-2023-46805 and CVE-2024-21887 on January 10, 2024, marked the beginning of a series of incident response engagements by Mandiant.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

These vulnerabilities, an authentication bypass and a command injection flaw, have been the focal points of exploitation attempts by suspected Chinese nexus espionage actors.

The exploitation of these vulnerabilities underscores the critical need for timely patching and the application of appropriate mitigations.

As per the latest report by Google, several Chinese hacking groups are currently leveraging the vulnerability in Ivanti Connect Secure VPN to carry out their malicious activities.

Clustering and Attribution

Mandiant’s investigations have led to the clustering of these cyberattacks under the activities of two primary groups: UNC5325 and UNC5337.

Both groups are suspected of having ties to China and using the CVEs above to compromise Ivanti Connect Secure VPN appliances.

The attribution to these groups is based on deploying custom malware families and evolving their tactics, techniques, and procedures (TTPs) to exploit appliance-specific functionalities.

New TTPs and Malware

The evolution of attacker methodologies has been evident in deploying new TTPs and malware.

UNC5337, in particular, has been observed leveraging multiple custom malware families, including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility.

These tools facilitate the persistence and lateral movement within compromised networks, showcasing the sophistication of these threat actors.

SPAWN Malware Family

The SPAWN malware family represents a significant advancement in the arsenal of these espionage groups.

PAWN malware family diagram

Each family component serves a unique purpose, from establishing backdoor access to facilitating network tunneling and tampering with logs to evade detection.

The deployment of these tools highlights the attackers’ strategic planning and technical prowess.

While the focus has been on exploiting Ivanti Connect Secure VPN appliances, Mandiant has also identified a campaign dubbed BRICKSTORM.

This campaign leverages similar tactics and malware to target other critical infrastructures, indicating a broader threat landscape and the adaptability of these espionage groups.

Lateral Movement Leading to Active Directory Compromise

One of the most concerning aspects of these attacks is the threat actors’ ability to leverage lateral movement techniques to compromise Active Directory systems.

UNC5330 attack path diagram

This not only allows for the escalation of privileges but also facilitates the exfiltration of sensitive information and the deployment of additional payloads across the network.

Multiple Chinese nexus espionage groups exploit Ivanti Connect Secure VPN flaws, representing a significant threat to global cybersecurity.

The deployment of new TTPs and malware, coupled with the ability to compromise critical systems, underscores the need for vigilant cybersecurity practices and the timely application of patches and mitigations.

As these threat actors evolve their strategies, the cybersecurity community must remain proactive in its defense measures to protect against such sophisticated attacks.

Indicators of Compromise (IOCs)

Host-Based Indicators (HBIs)

libdsproxy. soMD5Description
data.dat9d684815bc96508b99e6302e253bc292PHANTOMNET
epdevmgr.dllb210a9a9f3587894e5a0f225b3a6519fTONERJAM
libdsmeeting.so4f79c70cce4207d0ad57a339a9c7f43cSPAWNMOLE
libdsmeeting.soe7d24813535f74187db31d4114f607a1SPAWNSNAIL
.liblogblock.so4acfc5df7f24c2354384f7449280d9e0 SPAWNSLOTH
.dskey3ef30bc3a7e4f5251d8c6e1d3825612dSPAWNSNAIL private key
N/Abb3b286f88728060c80ea65993576ef8TERRIBLETEA
N/Acfca610934b271c26437c4ce891bad00TERRIBLETEA
N/A08a817e0ae51a7b4a44bc6717143f9c2TERRIBLETEA
linb64.pnge7fdbed34f99c05bb5861910ca4cc994SLIVER
lint64.pngc251afe252744116219f885980f2caeaSLIVER
linb64.png4f68862d3170abd510acd5c500e43548SLIVER
lint64.png9d0b6276cbc4c8b63c269e1ddc145008SLIVER
logd71b4368ef2d91d49820c5b91f33179cbSLIVER
winb64.pngd88bbed726d79124535e8f4d7de5592eSLIVER
logd.spec.cfg846369b3a3d4536008a6e1b92ed09549SLIVER persistence
N/A8e429d919e7585de33ea9d7bb29bc86bSLIVER downloader
N/Afc1a8f73010f401d6e95a42889f99028PHANTOMNET
N/Ae72efc0753e6386fbca0a500836a566ePHANTOMNET
N/A4645f2f6800bc654d5fa812237896b00BRICKSTORM
Table 4: Host-based indicators

Network-Based Indicators (NBIs)

Network IndicatorTypeDescription
8.218.240[.]85IPv4Post-exploitation activity
98.142.138[.]21IPv4Post-exploitation activity
103.13.28[.]40IPv4Post-exploitation activity
103.27.110[.]83IPv4Post-exploitation activity
103.73.66[.]37IPv4Post-exploitation activity
193.149.129[.]191IPv4Post-exploitation activity
206.188.196[.]199IPv4Post-exploitation activity
oast[.]funDomainPre-exploitation validation
cpanel.netbar[.]orgDomainWARPWIRE Variant C2 server
pan.xj[.]hkDomainPost-exploitation activity
akapush.us[.]toDomainSLIVER C2 server
opra1.oprawh.workers.devDomainBRICKSTORM C2 server
Table 5: Network-based indicators

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Dhivya

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Bondnet Using High-Performance Bots For C2 Server

Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently. These bots can…

37 mins ago

Discord-Based Malware Attacking Orgs Linux Systems In India

Linux systems are deployed mostly in servers, in the cloud, and in environments that are…

42 mins ago

New Moonstone Sleet North Korean Actor Deploying Malicious Open Source Packages

In December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have…

3 hours ago

Life360 Breach: Hackers Accessed the Tile Customer Support Platform

Life360, a company known for its family safety services, recently fell victim to a criminal…

5 hours ago

Microsoft Delays Release of Controversial Windows AI Recall Tool Amid Privacy Concerns

Microsoft has announced that it will delay the broad release of its AI-powered Recall feature…

9 hours ago

SmokeLoader – A Modular Malware With Range Of Capabilities

Hackers misuse malware for diverse illicit intentions, including data theft, disrupting systems, espionage, or distortion…

23 hours ago