Chinese Hackers Exploiting Ivanti VPN Vulnerabilities for Malware Deployment

Two separate suspected China-linked cyber espionage clusters, known as UNC5325 and UNC3886, have been identified as exploiting security vulnerabilities in Ivanti Connect Secure VPN appliances. According to Mandiant, UNC5325 utilized the CVE-2024-21893 flaw to distribute a variety of new malware, including LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. The group also attempted to maintain persistent access to compromised appliances. Additionally, Mandiant has connected UNC5325 to UNC3886 based on similarities in source code between their respective malware.

UNC3886, on the other hand, has a history of exploiting zero-day vulnerabilities in Fortinet and VMware solutions to deploy implants like VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP. Mandiant researchers noted that UNC3886 has primarily targeted defense industrial base, technology, and telecommunication organizations in the United States and the Asia-Pacific region.

The exploitation of the CVE-2024-21893 vulnerability by UNC5325 dates back to January 19, 2024, and targeted a limited number of devices. By chaining CVE-2024-21893 with a previously disclosed command injection vulnerability (CVE-2024-21887), UNC5325 gained unauthorized access to vulnerable appliances and deployed a new version of the BUSHWALK malware. Some attacks also involved the misuse of legitimate Ivanti components, such as SparkGateway plugins, to deliver additional payloads.

One such malicious plugin, PITFUEL, loads a shared object called LITTLELAMB.WOOLTEA, which is designed to persist across system upgrades, patches, and factory resets. While attempts to maintain persistence have been unsuccessful so far, Mandiant highlighted the importance of ensuring that network appliances are up to date with the latest updates and patches to prevent further exploitation.

In addition to LITTLELAMB.WOOLTEA, UNC5325 has been observed using another malicious plugin called PITDOG to inject a shared object known as PITHOOK, which then executes an implant called PITSTOP. This implant enables shell command execution, file writing, and file reading on compromised appliances. Mandiant noted that the threat actor behind UNC5325 has demonstrated a sophisticated understanding of the targeted appliances and utilizes living-off-the-land techniques to evade detection.

Furthermore, Mandiant anticipates that UNC5325 and other China-based espionage actors will continue to leverage zero-day vulnerabilities in network edge devices and appliance-specific malware to gain and maintain access to target environments. The cybersecurity firm emphasized the need for organizations to remain vigilant and ensure that their network infrastructure is secure against such threats.

Meanwhile, industrial cybersecurity company Dragos has linked China-sponsored Volt Typhoon to reconnaissance activities targeting various U.S.-based electric companies, emergency services, telecommunication providers, and defense industrial bases. Volt Typhoon’s victimology footprint has expanded to include African electric transmission and distribution providers, with evidence connecting the group to UTA0178, a threat activity group that exploited Ivanti Connect Secure flaws in December 2023.

Dragos described Volt Typhoon as a threat actor that focuses on detection evasion and long-term persistent access with the intention of conducting espionage and data exfiltration. The group’s minimal tooling and emphasis on maintaining a low footprint make it a formidable adversary in the realm of cyber espionage.

Overall, the cybersecurity landscape continues to evolve with the emergence of sophisticated threat actors like UNC5325, UNC3886, and Volt Typhoon. Organizations must remain vigilant and proactive in defending against these advanced cyber threats to safeguard their sensitive data and critical infrastructure.
