
APT in China creating exploits to bypass security patches for Ivanti users


Chinese hackers associated with the UNC5325 group have been working tirelessly to develop a new strain of malware that poses a significant threat to Ivanti edge devices. Despite delayed patches being rolled out in late January, the hackers are persisting in their efforts to exploit vulnerabilities within Ivanti products for their malicious activities.

In recent months, Ivanti has been under siege with a slew of critical zero-day vulnerabilities being uncovered in its Connect Secure, Policy Secure, and Zero Trust Access gateways. These vulnerabilities have provided an opening for attackers, particularly the UNC5325 group, to exploit the systems and carry out attacks with impunity. Mandiant’s research indicates that the Chinese hackers are continuing to refine their methods to infiltrate Ivanti devices and maintain a presence even after patches, upgrades, and resets have been implemented.

UNC5325 has been adept at utilizing living-off-the-land techniques to avoid detection and bypass security defenses. They have exploited vulnerabilities such as the server-side request forgery (SSRF) flaw in Ivanti’s SAML component to gain access to vulnerable appliances. By chaining this vulnerability with previously identified weaknesses like the command injection vulnerability, the group has been able to gain a foothold in compromised devices and carry out reconnaissance on targeted systems.

To further evade detection, the hackers have developed custom backdoors such as LittleLamb.WoolTea, PitStop, PitDog, PitJet, and PitHook. These tools have been designed to blend in with legitimate components of Ivanti Connect Secure, making them difficult to detect. For example, Bushwalk, a Perl-based web shell, was discovered shortly after a vulnerability disclosure and contains stealth mechanisms to avoid detection by Ivanti’s Integrity Checker Tool.

One of the most concerning developments is UNC5325’s experimentation with persistence mechanisms that can allow malware to linger in compromised devices even after mitigation measures have been taken. By attempting to weaponize legitimate components such as SparkGateway in Ivanti’s Connect Secure, the hackers are exploring new ways to maintain access and control over compromised systems. The use of plugins like Pitfuel to deploy backdoors further underscores their commitment to achieving persistence.

Despite encountering encryption key mismatches that have prevented the malware from achieving full persistence, the UNC5325 group’s persistence experiments underscore the gravity of the threat posed to Ivanti customers. Mandiant has issued a warning to customers to remain vigilant and take immediate action to safeguard their systems against these advanced attack techniques. A new version of the Integrity Checker Tool has been released to help detect and mitigate these latest persistence attempts.

In conclusion, the escalating threat posed by Chinese hackers targeting Ivanti edge devices underscores the importance of ongoing vigilance and proactive security measures to defend against sophisticated cyber threats. As attackers continue to evolve their tactics and exploit vulnerabilities in Ivanti products, organizations must stay alert and responsive to protect against potential intrusions and data breaches.
