APT Hackers Exploiting Ivanti Connect Secure VPN New Zero-Day Flaw in the Wild

Hackers exploit zero-day flaws in VPNs because these vulnerabilities are unknown to the software vendor, which makes them difficult to patch immediately.

This can be particularly lucrative for threat actors seeking to exploit the growing reliance on VPNs (virtual private networks) for secure online communication.

Recently, cybersecurity researchers at Google’s Mandiant discovered that APT hackers are actively exploiting a new zero-day flaw in Ivanti Connect Secure VPNs in the wild.


Ivanti Connect Secure VPN New Zero-Day Flaw

Security analysts at Ivanti discovered the following two vulnerabilities affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances:-

Successful exploitation of these vulnerabilities may lead to authentication bypass and command injection, enabling network compromise.

While zero-day exploitation by UNC5221 began in December 2023, Ivanti, together with Mandiant, is addressing the issues and providing mitigations.

After exploiting the above-mentioned vulnerabilities, UNC5221 deployed custom malware on Connect Secure (CS) appliances by trojanizing legitimate files, while PySoxy and BusyBox enabled post-exploitation activity.

UNC5221 used a Perl script (sessionserver.pl) to remount read-only sections of the filesystem and then deployed THINSPOOL, a shell-script dropper.

THINSPOOL writes the LIGHTWIRE web shell into a legitimate Connect Secure file, along with other tools.

Mandiant considers THINSPOOL a key tool for persistence and evasion in UNC5221’s attacks. It serves as the initial dropper for the LIGHTWIRE web shell, which supports post-exploitation activity.

The LIGHTWIRE and WIREFIRE web shells provide lightweight footholds for continued access to CS appliances, suggesting targeted persistence.
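The dropper behaviour described above (a web shell written into a legitimate appliance file after a read-only partition is remounted) is the kind of change a file-integrity baseline catches. The following is an added example, not Mandiant’s or Ivanti’s tooling: it hashes every file under a directory, compares the result with a baseline taken from a known-good state, and reports modified, added and removed paths. All file names and contents are constructed for the demonstration and are not real appliance paths.

```python
"""File-integrity check for a web-root style directory tree.

Added example (not Mandiant's or Ivanti's tooling). A baseline of SHA-256
hashes is taken from a known-good tree; re-running the scan later flags any
legitimate file whose content changed and any file that newly appeared.
All paths and contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "legit.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "index.html").write_text("<html>hello</html>\n")
        baseline = build_manifest(root)

        # Simulated tampering (constructed): a legitimate CGI file gains
        # appended content, and an unexpected new file appears in the tree.
        with (root / "cgi-bin" / "legit.cgi").open("a") as f:
            f.write("# constructed: unexpected appended content\n")
        (root / "cgi-bin" / "new.cgi").write_text("# constructed: unexpected new file\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

In practice the baseline manifest should come from a clean image or vendor-supplied checksums and be stored off the appliance, since an attacker who can remount and write to the filesystem can also rewrite a manifest kept on the same device.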

Custom Malware Discovered

Below are all the custom malware families that were discovered:-

  • ZIPLINE Passive Backdoor
  • THINSPOOL Dropper
  • LIGHTWIRE Web Shells
  • WIREFIRE Web Shells
  • WARPWIRE Credential Harvester

Security analysts at Mandiant could not attribute this threat actor to a known origin due to insufficient data. Targeting edge infrastructure with zero-days is a common tactic, and Mandiant has previously observed APT actors using appliance-specific malware.

UNC5221 shows that network edge devices remain an attractive target for espionage actors: zero-days, compromised appliances, and detection evasion are hallmarks of espionage operations.

Cybersecurity experts strongly recommend that users immediately apply the available security patches to mitigate threats like this.


IoCs (Source – Mandiant)


Divya is a Senior Journalist at Cyber Security News covering cyber attacks, threats, breaches, vulnerabilities and other happenings in the cyber world.