CISA, Mandiant Warn of a Worsening Situation for Ivanti Users
The federal government and cybersecurity teams are warning organizations that threat groups are exploiting multiple flaws in Ivanti’s VPN appliances despite the vendor’s Integrity Checking Tool (ICT) and even after factory resets.
An advisory issued by the FBI, CISA, and international members of the Five Eyes intelligence alliance came days after Google’s Mandiant team wrote in a report that at least two China-linked threat groups are making “mass attempts” to exploit the vulnerabilities, and after weeks of reports of other attackers targeting the flaws, the first of which were made public in early January.
The CISA advisory ended a difficult month for Ivanti users and promised more struggles in March. In all, Ivanti has disclosed five vulnerabilities, starting January 10 with two, CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection).
Two more – CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (server-side request forgery, or SSRF) – were published January 31, and a fifth, CVE-2024-22024 (XML external entity, or XXE), on February 8. Their severity ratings range from 8.2 to 9.1 out of 10.
Attacks Continue
Hackers are exploiting several vulnerabilities in Ivanti’s Connect Secure and Policy Secure gateways, which affect all supported versions “and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges,” CISA wrote in the advisory.
In addition, the agency noted that while responding to multiple Ivanti-related incidents, its researchers found that the internal ICT and the previous external ICT – an enhanced version was released February 27 – didn’t detect compromise. CISA also ran its own research in a lab and validated that Ivanti’s ICT “is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.”
That said, among CISA’s recommendations to organizations running the Ivanti products – which include assuming that credentials have been compromised and hunting for malicious activity on their networks using the indicators of compromise (IOCs) listed by the agencies – was to use the new external ICT.
Ivanti Updates Its ICT
In its updated advisory, Ivanti said the problems with the ICT that CISA outlined were seen in the agency’s lab and “has not been observed by CISA, Ivanti or Mandiant in the wild, and based on the evidence presented and further analysis by our team, we believe that if a threat actor were to attempt this remotely they would lose connection to Ivanti Connect Secure, and not gain persistence in a live customer environment.”
In addition, organizations that patched the flaws, ran a factory reset of the hardware, or deployed a new build would not be at risk from the activity outlined in CISA’s report, the vendor said.
Based on observations and industry reports, the Five Eyes group wrote that the “safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time.” They noted a report last month that China state-sponsored group Volt Typhoon is hiding in compromised networks of U.S. critical infrastructure firms and waiting to strike.
“The continued targeting of widely used security applications and appliances speaks to the determination of cyber threat actors, with government entities and private organizations alike caught in the crosshairs,” Randy Rose, vice president of security operations and intelligence for the non-profit Center for Internet Security, said in a statement, urging companies to implement controls in such areas as vulnerability and asset management, multifactor authentication, and incident response planning.
Chinese Espionage Groups Move In
In their report this week, researchers with Google-owned Mandiant said they’ve seen China-linked threat group UNC5325 “using a combination of living-off-the-land (LotL) techniques to better evade detection, while deploying novel malware such as LITTLELAMB.WOOLTEA in an attempt to persist across system upgrades, patches, and factory resets.”
Since January 31, the group has been targeting the SSRF flaw – CVE-2024-21893 – to deploy malware and establish persistent access to compromised systems. That includes new tactics aimed at enabling its custom backdoors to establish persistence.
Soon after the SSRF vulnerability was disclosed, threat actors began chaining it with the command injection vulnerability, CVE-2024-21887.
New Tactics
In its exploitation of the SSRF flaw, UNC5325 has used a number of new tactics, including a new variant of the BushWalk malware with a new function called “checkVersion” that reads arbitrary files from the Ivanti appliance.
“In addition, we have seen the threat actor demonstrate a nuanced understanding of the appliance and their ability to subvert detection throughout this campaign,” the researchers wrote. “We identified a technique allowing BUSHWALK to remain in an undetected dormant state by creatively modifying a Perl module and LotL technique by using built-in system utilities unique to Ivanti products.”
The group has also used plugins for SparkGateway – a legitimate component of Ivanti’s Connect Secure system – to persistently inject shared objects and deploy backdoors.
LittleLamb.WoolTea is used to try to establish persistence across patches, system upgrades, and factory resets.
The limited number of attempts to maintain persistence has failed because of an encryption key mismatch, but “it further demonstrates the lengths UNC5325 will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches.”
The group’s tactics and malware also highlight the expertise China-linked espionage groups have in attacking edge infrastructure in conjunction with zero-day vulnerabilities, the researchers wrote, noting UNC4841’s similar familiarity with Barracuda Networks’ ESG frameworks.
“Mandiant expects UNC5325 as well as other China-nexus espionage actors to continue to leverage zero day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments,” they wrote.
Mandiant also identified another Chinese espionage actor, UNC3886, adding that it is trying to find overlaps between the gang and other suspected Chinese spy groups.