SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

Mandiant reveals threats to Ivanti Connect Secure appliances

Mon, 8th Apr 2024

Mandiant, the cybersecurity firm, today disclosed new findings on threat actors exploiting vulnerabilities in Ivanti Connect Secure appliances. The exploited appliances were either unpatched or did not have the necessary mitigation methods in place. Mandiant's research is a comprehensive analysis of post-exploitation actions on such appliances.

Through numerous response investigations to these cybersecurity incidents, Mandiant's study highlighted five unique threat clusters (known as UNCs) that have been implicated in the exploitation of one or more Ivanti CVEs since 10 January 2024. Alongside the China-nexus espionage groups already suspected, Mandiant stated that profit-motivated actors were also found to be exploiting CVE-2023-46805 and CVE-2024-21887. It's suspected that these exploitations are primarily facilitating operations like cryptocurrency mining.

The research also led to other significant discoveries. It was observed that threat actors have been using Windows Management Instrumentation (WMI) for various nefarious purposes, including reconnaissance, lateral movement, manipulation of registry entries, and establishing a persistent presence on the victim's network. Mandiant also pointed out the increased use of open-source tools such as SLIVER and CrackMapExec by certain threat actors to maintain their foothold upon successfully compromising a vulnerable Ivanti Connect Secure appliance.

Focusing on individual clusters, UNC5291 (assessed with 'medium confidence' by Mandiant to be Volt Typhoon) drew attention. After initially targeting Citrix Netscaler ADC in December 2023, it began probing Ivanti Connect Secure appliances in mid-January 2024. Mandiant, however, noted they have yet to observe Volt Typhoon, or any UNCs suspected of being linked with Volt Typhoon, as having successfully compromised Ivanti Connect Secure systems.

The researchers have identified four distinct families of malware that collaborate to develop a stealthy and persistent backdoor within infected appliances. These families are 'SPAWNANT', an installer that sets up and sustains the backdoor and 'SPAWNMOLE', a tunneler that helps to filter out malicious traffic originating from the attacker. The other two are 'SPAWNSNAIL', an SSH backdoor bound to localhost and injects 'SPAWNSLOTH', the final addition, which disables event log generation and forwarding.

This recent research report calls attention to the renewed necessity of ensuring all digital appliances are appropriately patched and have the right mitigation processes in place. As demonstrated, these cybersecurity vulnerabilities can lead to a range of exploitations, both from state-level threat actors and financially driven cybercriminals. Companies and organisations must, therefore, recognise the integral role proactive cybersecurity hygiene plays in protecting sensitive information and systems.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X