Chinese Threat Actors Deploy New TTPs to Exploit Ivanti Vulnerabilities

Chinese threat actors have developed new techniques to move laterally post-exploitation of Ivanti vulnerabilities, new research from Mandiant has revealed.

Five suspected China-nexus espionage groups’ activity has been detailed by Mandiant in a blog post, dated April 4.

The activity follows the exploitation of the CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893 vulnerabilities, which were previously identified in the Ivanti Connect Secure and Ivanti Policy Secure gateways.

One of these groups, tracked as UNC5291, has been assessed by Mandiant with medium confidence to be Volt Typhoon, which is targeting US energy and defense sectors.

Additionally, Mandiant said it has identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining.

In total, the analysis has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs.

The report follows an urgent warning by Five Eyes countries on February 29 that cyber threat actors are exploiting these vulnerabilities, which were made public in early 2024.

As of April 3, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities.

Organizations are also recommended to use Ivanti’s new enhanced external integrity checker tool (ICT), also released on April 3, to detect attempts at malware persistence across factory resets and system upgrades, as well as other tactics, techniques and procedures (TTPs) observed in the wild.

New TTPs for Lateral Movement Post-Exploitation

Mandiant has observed the China-nexus groups leveraging new malware following the exploitation of Ivanti Connect Secure appliances. These tools are designed to enable lateral movement while avoiding detection.

SPAWN Malware Family

During a Mandiant analysis of a compromise by threat actor UNC5221, four distinct components of the custom malware toolset SPAWN were employed together to create a stealthy and persistent backdoor on an infected appliance.

This malware family is also designed to enable long-term access and avoid detection. It is made up of:

  • SPAWNANT. An installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor
  • SPAWNMOLE. A tunneler that injects into the web process. It hijacks the accept function in the web process to monitor traffic and filter out malicious traffic originating from the attacker
  • SPAWNSNAIL. A backdoor that listens on localhost
  • SPAWNSLOTH. A log tampering utility injected into the dslogserver process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating

SPAWN malware family diagram. Source: Mandiant

ROOTROT Web Shell

In the same investigation of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant also identified the use of a new web shell tracked as ROOTROT.

This web shell is written in Perl and is embedded into a legitimate Connect Secure .ttc file. It parses the Base64-encoded command it is issued, decodes it and executes it with eval.

ROOTROT was believed to be created on the system prior to the public disclosure of the associated CVEs on January 10, 2024, suggesting a targeted attack.
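The two signals the ROOTROT description gives a defender are a template file that no longer matches its known-good content, and Perl source in which the output of decode_base64() reaches eval. The following is an added example, not code from the article or from Mandiant, that implements both checks as a small scanner: a SHA-256 baseline comparison (the idea behind an integrity checker) and a decode-then-eval pattern search. The file path, baseline hash and sample .ttc contents are constructed for illustration and are not real Connect Secure files.

```python
# Added example (not from the article or Mandiant). Two checks a defender can
# run against appliance template files, based on the ROOTROT description:
#   1. find_decode_eval: Perl source where decode_base64() output reaches eval
#   2. check_integrity: files whose SHA-256 no longer matches a known-good baseline
# Paths, hashes and the sample .ttc contents are constructed for illustration.
import hashlib
import re

# decode_base64() from MIME::Base64, and eval applied to a scalar or to an
# expression in parentheses. Perl's eval BLOCK form (eval { ... }) is
# deliberately not matched, since that is ordinary exception handling.
DECODE_RE = re.compile(r"\bdecode_base64\s*\(")
EVAL_RE = re.compile(r"\beval\s*\(|\beval\s+\$")


def find_decode_eval(source: str, window: int = 5) -> list:
    """Return (decode_line, eval_line) pairs, 1-based, where an eval follows a
    decode_base64() call within `window` lines of Perl source."""
    lines = source.splitlines()
    hits = []
    for i, line in enumerate(lines, 1):
        if not DECODE_RE.search(line):
            continue
        for j in range(i, min(i + window, len(lines)) + 1):
            if EVAL_RE.search(lines[j - 1]):
                hits.append((i, j))
                break
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_integrity(current: dict, baseline: dict) -> dict:
    """Compare {path: file_bytes} with {path: expected_sha256_hex} and report
    files that changed, files absent from the baseline, and baseline files missing."""
    modified = sorted(p for p, data in current.items()
                      if p in baseline and sha256_hex(data) != baseline[p])
    unexpected = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def assess(current: dict, baseline: dict) -> dict:
    """Combine both checks: integrity results plus, per file, any decode->eval hits."""
    report = check_integrity(current, baseline)
    report["decode_eval"] = {}
    for path, data in current.items():
        hits = find_decode_eval(data.decode("utf-8", "replace"))
        if hits:
            report["decode_eval"][path] = hits
    return report


# Constructed sample template contents (not real Connect Secure files).
CLEAN_TTC = (
    "# constructed benign template\n"
    "my $name = shift;\n"
    "print \"Hello $name\\n\";\n"
)
TAMPERED_TTC = CLEAN_TTC + (
    "use MIME::Base64;\n"
    "my $c = decode_base64($ENV{X});\n"
    "eval $c;\n"
)
TEMPLATE_PATH = "/constructed/templates/example.ttc"  # placeholder path
BASELINE = {TEMPLATE_PATH: sha256_hex(CLEAN_TTC.encode())}

if __name__ == "__main__":
    print(assess({TEMPLATE_PATH: TAMPERED_TTC.encode()}, BASELINE))
```

The integrity check is the stronger of the two signals: a template that has been modified at all is the finding, whatever the modification contains, which is why a baseline captured from a known-good image (or Ivanti's own ICT) should be the first check. The pattern search is a secondary triage aid and will miss a web shell that obfuscates the decode step differently.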

Deployment of ROOTROT on a Connect Secure appliance led to UNC5221 initiating network reconnaissance and lateral movement to a VMware vCenter server.

BRICKSTORM Backdoor

UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance.

BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It can set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload and download, run shell commands and perform SOCKS relaying. BRICKSTORM communicates over WebSockets with a hard-coded C2.

SLIVER C2

In a separate intrusion, the threat actor UNC5266 deployed copies of the SLIVER command-and-control (C2) framework. The copies of SLIVER were placed in three separate locations on the compromised appliance, attempting to masquerade as legitimate system files.

UNC5266 modified a systemd service file to register one of the copies of SLIVER as a persistent daemon.
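Registering an implant as a systemd service leaves a unit file whose Exec* directive points at a program outside the directories a host normally runs daemons from. The following is an added example, not code from the article or from Mandiant, that parses systemd unit text and reports every Exec* program not under an allow-list of expected directories. The allow-list and both sample unit files are constructed for illustration; an appliance's real list comes from its known-good image.

```python
# Added example (not from the article or Mandiant): audit systemd unit files for
# services whose program lives outside the directories the host is expected to
# run daemons from. That is the shape of the persistence described for SLIVER
# (an implant copy registered as a service via a unit file). The allow-list and
# the sample unit texts are constructed for illustration.
from pathlib import PurePosixPath

# Constructed allow-list; a real one comes from the appliance's known-good image.
EXPECTED_EXEC_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib/systemd")


def parse_unit(text: str) -> dict:
    """Minimal parser for systemd's INI-like unit syntax: {section: {key: [values]}}.
    Values are lists because keys such as ExecStartPre= may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_program(value: str) -> str:
    """Return the program from an Exec*= value, dropping systemd's optional
    prefix characters (-, @, :, +, !) that may precede the path."""
    parts = value.lstrip("-@:+!").split()
    return parts[0] if parts else ""


def program_allowed(program: str, expected_dirs=EXPECTED_EXEC_DIRS) -> bool:
    """True when program is an absolute path under one of expected_dirs."""
    path = PurePosixPath(program)
    if not path.is_absolute():
        return False
    return any(PurePosixPath(d) in path.parents for d in expected_dirs)


def audit_unit(text: str, expected_dirs=EXPECTED_EXEC_DIRS) -> list:
    """Return (key, program) findings for every Exec* directive in [Service]
    whose program is not under one of expected_dirs."""
    service = parse_unit(text).get("Service", {})
    findings = []
    for key, values in service.items():
        if not key.startswith("Exec"):
            continue
        for value in values:
            program = exec_program(value)
            if program and not program_allowed(program, expected_dirs):
                findings.append((key, program))
    return findings


# Constructed sample unit files.
BENIGN_UNIT = """[Unit]
Description=constructed benign service

[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

SUSPECT_UNIT = """[Unit]
Description=constructed sample whose program name mimics a system daemon

[Service]
ExecStartPre=-/bin/mkdir -p /var/run/svc
ExecStart=/home/.cache/.svc/syslogd
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for name, unit in (("benign", BENIGN_UNIT), ("suspect", SUSPECT_UNIT)):
        print(name, audit_unit(unit))
```

Run it over every unit under /etc/systemd/system and /usr/lib/systemd/system (including drop-in .d directories, where an ExecStart= override can be added without touching the original unit). A program name that matches a real daemon but sits in an unexpected directory, as in the constructed sample, is exactly the masquerading the article describes.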

TERRIBLETEA

In another exploitation, UNC5266 deployed a Go backdoor named TERRIBLETEA. This Go backdoor communicates over HTTP using XXTEA for encrypted communications, and has multiple capabilities including command execution, keystroke logging and file system interaction.

TERRIBLETEA can also take different execution paths depending on what environment it is configured for.

Active Directory Compromise Following Lateral Movement

Another technique observed by the researchers was used by the group UNC5330, which chained together CVE-2024-21893 and CVE-2024-21887 for initial access.

UNC5330 leveraged an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows Certificate Template: it created a computer object and requested a certificate for a domain administrator.

The threat actor then impersonated the domain administrator to perform subsequent DCSyncs to extract additional credential material to move laterally.
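A DCSync is a directory replication request, and Windows records directory-service access as Event ID 4662; a replication request carries the DS-Replication-Get-Changes control-access GUIDs in the event's Properties field. Replication is normal between domain controllers and abnormal from any other principal, including a domain administrator account. The following is an added example, not code from the article or from Mandiant, that flags 4662 events carrying those GUIDs whose subject is not in an allow-list of DC computer accounts. The GUIDs are the well-known Active Directory control-access rights; the event records, domain and account names are constructed samples.

```python
# Added example (not from the article or Mandiant): detection logic for the
# DCSync step. A 4662 event whose Properties field contains the replication
# control-access GUIDs, raised by a principal that is not a domain controller,
# is the signature of credential extraction via replication. The event records
# below are constructed samples; the GUIDs are the standard AD rights.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights(properties: str) -> list:
    """Return the names of replication rights present in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


def find_dcsync(events: list, dc_accounts: set) -> list:
    """Flag 4662 events in which a non-DC principal requested replication rights.
    dc_accounts holds the expected DC machine accounts in DOMAIN\\NAME$ form."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        subject = f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}'
        if subject.upper() in allowed:
            continue
        alerts.append({"subject": subject, "rights": rights,
                       "object": ev.get("ObjectName", "")})
    return alerts


# Constructed DC allow-list and sample events (domain and names are placeholders).
DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}
SAMPLE_EVENTS = [
    {   # normal DC-to-DC replication: expected
        "EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
        "ObjectName": "DC=corp,DC=example",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # replication requested by a domain admin user account: DCSync shape
        "EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "da-admin",
        "ObjectName": "DC=corp,DC=example",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # ordinary object access with a constructed non-replication GUID: ignored
        "EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
        "ObjectName": "CN=jsmith,OU=Users,DC=corp,DC=example",
        "Properties": "{deadbeef-0000-4000-8000-000000000001}",
    },
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(alert)
```

Event 4662 is only generated when "Audit Directory Service Access" is enabled and the domain naming context carries a SACL covering these rights, so the audit policy is a prerequisite. Directory synchronisation services that legitimately replicate (for example a cloud identity sync account) belong in the allow-list, and a hit for any other principal, and especially for a freshly issued domain-admin identity, should be treated as an incident rather than tuned away.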

Mandiant said that its findings underscore the ongoing threat faced by edge appliances, with a wide range of TTPs being employed following successful exploitation.

“While the use of open-source tooling is somewhat common, Mandiant continues to observe actors leveraging custom malware that is tailored to the appliance or environment the actor is targeting,” the researchers wrote.
