Chinese Threat Actors Deploy New TTPs to Exploit Ivanti Vulnerabilities

April 5, 2024

Chinese threat actors have developed new techniques to move laterally post-exploitation of Ivanti vulnerabilities, new research from Mandiant has revealed.

Five suspected China-nexus espionage groups’ activity has been detailed by Mandiant in a blog post, dated April 4.

The activity follows the exploitation of the CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893 vulnerabilities, which were previously identified in the Ivanti Connect Secure and Ivanti Policy Secure gateways.

One of these groups, tracked as UNC5291, has been assessed by Mandiant with medium confidence to be Volt Typhoon, which is targeting the US energy and defense sectors.

Additionally, Mandiant said it has identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining.

In total, the analysis has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs.

The report follows an urgent warning by Five Eyes countries on February 29 that cyber threat actors are exploiting these vulnerabilities, which were made public in early 2024.

As of April 3, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities.

Organizations are also recommended to use Ivanti’s new enhanced external integrity checker tool (ICT), also released on April 3, to detect attempts at malware persistence across factory resets and system upgrades, as well as other tactics, techniques and procedures (TTPs) observed in the wild.

New TTPs for Lateral Movement Post-Exploitation

Mandiant has observed the China-nexus groups leveraging new malware following the exploitation of Ivanti Connect Secure appliances. These tools are designed to enable lateral movement while avoiding detection.

SPAWN Malware Family

During a Mandiant analysis of a compromise by threat actor UNC5221, four distinct components of the custom malware toolset SPAWN were employed together to create a stealthy and persistent backdoor on an infected appliance.

This malware family is also designed to enable long-term access and avoid detection. It is made up of:

  • SPAWNANT. An installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor
  • SPAWNMOLE. A tunneler that injects into the web process. It hijacks the accept function in the web process to monitor traffic and filter out malicious traffic originating from the attacker
  • SPAWNSNAIL. A backdoor that listens on localhost
  • SPAWNSLOTH. A log tampering utility injected into the dslogserver process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating
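Because SPAWNSLOTH suppresses logging and log forwarding while the backdoor is active, one observable side effect on the defender's side is an unexplained silence in the appliance's forwarded syslog stream. The following is an added example, not from the Mandiant report or any Ivanti tool, that parses a constructed batch of forwarded syslog lines and flags per-host gaps longer than a chosen threshold; the hostname, message text and 30-minute threshold are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of syslog lines as a collector might receive them from a
# gateway that forwards to an external syslog server (hostname is hypothetical).
SAMPLE_SYSLOG = """\
2024-04-01T10:00:05Z ics-gw01 web: session opened for user alice
2024-04-01T10:04:12Z ics-gw01 web: session opened for user bob
2024-04-01T10:09:40Z ics-gw01 dslogserver: log rotation complete
2024-04-01T11:45:03Z ics-gw01 web: session opened for user carol
2024-04-01T11:47:30Z ics-gw01 web: session closed for user alice
"""


def parse_events(text):
    """Return (timestamp, host) tuples parsed from 'ISO8601 host message' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, host, _message = line.split(" ", 2)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, host))
    return events


def find_silence_gaps(events, max_gap=timedelta(minutes=30)):
    """Flag intervals between consecutive forwarded events, per host, that exceed max_gap.

    A forwarding outage from an otherwise chatty appliance is what disabled
    logging or disabled syslog forwarding looks like from the collector, so each
    gap is returned as (host, gap_start, gap_end, gap_length) for investigation.
    """
    by_host = {}
    for ts, host in sorted(events):
        by_host.setdefault(host, []).append(ts)
    gaps = []
    for host, stamps in by_host.items():
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append((host, prev, cur, cur - prev))
    return gaps


if __name__ == "__main__":
    for host, start, end, length in find_silence_gaps(parse_events(SAMPLE_SYSLOG)):
        print(f"{host}: no forwarded logs between {start} and {end} ({length})")
```

A gap alone is not proof of tampering; correlate it with the appliance's own local logs and the ICT results before drawing conclusions.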