A Chinese espionage group is on the verge of developing malware that can persist in Ivanti edge devices even after patches, upgrades, and factory resets.
When it rains it pours, and for Ivanti customers it's been raining for months now. In the time since the company revealed two high-risk vulnerabilities affecting its Connect Secure, Policy Secure, and Zero Trust Access (ZTA) gateways (at that point, more than five weeks after early recorded exploits in the wild), two more bugs cropped up, and then a fifth. Attackers have taken advantage to such an extent that, within the US government at least, agencies were ordered to cut the cord entirely on Ivanti's products.
Once-delayed patches finally began to roll out in late January, but affected customers are not out of the woods yet. Research published by Mandiant this week indicates that high-level Chinese hackers are continuing to juice Ivanti for all it's worth, developing new and more advanced methods of intrusion, stealth, and persistence.
One group, which Mandiant tracks as UNC5325 — and associates with UNC3886 — has been using living-off-the-land (LotL) techniques to skirt past customers' defenses, and it's only a hair's breadth away from developing malware capable of persisting in compromised devices despite patches, or even full resets.
UNC5325 Ups the Threat to Ivanti
Ivanti's mitigations simply weren't enough to stop its attackers.
UNC5325 was carrying out attacks throughout January and February, bypassing the company's mitigations by taking advantage of a server-side request forgery (SSRF) vulnerability in the Security Assertion Markup Language (SAML) component of its appliances. CVE-2024-21893, as it was later labeled, earned a "high" 8.2 out of 10 score on the CVSS scale, and the group was observed chaining it with Ivanti's prior command injection vulnerability, CVE-2024-21887.
With this continued window into vulnerable appliances, the group performed reconnaissance against its targets, modified appliance settings to conceal its activity, used open source tools like interactsh and Kubo Injector, and deployed a series of custom backdoors: LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook.
Some of these tools and measures have been particularly clever, like the stealth mechanisms built into Bushwalk, a Perl-based Web shell that UNC5325 embeds in a legitimate component of Ivanti Connect Secure. It was first discovered in the wild just hours after the initial disclosure of CVE-2024-21893.
To conceal Bushwalk, the hackers place it in a folder excluded by the device's Integrity Checker Tool (ICT) and modify a Perl module that lets them activate or deactivate it depending on the incoming HTTP request's user agent. This latter measure allows them to take advantage of a minor discrepancy in the ICT.
"The internal ICT is configured to run in two-hour intervals by default and is meant to be run in conjunction with continuous monitoring. Any malicious file system modifications made and reverted between the two-hour scan intervals would remain undetected by the ICT. When the activation and deactivation routines are performed tactfully in quick succession, it can minimize the risk of ICT detection by timing the activation routine to coincide precisely with the intended use of the BUSHWALK webshell," the authors explained.
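The gap Mandiant describes is a general one: a scheduled integrity check can only see the state of the file system at scan time, so a change made and reverted between two scans is invisible to it, and anything under an excluded path is never examined at all. The following simulation, added here as an illustration and not code from Mandiant, Ivanti, or the article, models a two-hour periodic checker beside an event-driven monitor that hashes every write as it lands. The file paths, the excluded directory, and the event timeline are all constructed for the example and do not reflect Ivanti's real directory layout.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed model of an appliance file system: path -> contents.
# Paths are placeholders for the example, not Ivanti's real layout.
BASELINE_FS = {
    "/opt/app/web/handler.pl": b"sub handle { return 'ok'; }\n",
    "/opt/app/web/static/logo.png": b"\x89PNG...",
    "/var/tmp/cache/scratch.dat": b"",
}

# Directory the periodic checker skips (assumed for the example; the article
# only states that the webshell lived in a folder the ICT excludes).
ICT_EXCLUDED_PREFIXES = ("/var/tmp/cache/",)
ICT_INTERVAL_MIN = 120  # the two-hour default interval quoted above


@dataclass
class FileEvent:
    minute: int
    path: str
    content: Optional[bytes]  # None means the file was deleted


# Constructed timeline: a module is toggled and reverted between scans, a file
# is dropped in the excluded directory, and a later change is left in place.
SAMPLE_EVENTS = [
    FileEvent(30, "/opt/app/web/handler.pl", b"sub handle { return 'ok'; }\n# toggled\n"),
    FileEvent(35, "/opt/app/web/handler.pl", b"sub handle { return 'ok'; }\n"),
    FileEvent(40, "/var/tmp/cache/shell.pl", b"# placeholder contents\n"),
    FileEvent(200, "/opt/app/web/handler.pl", b"sub handle { return 'ok'; }\n# toggled\n"),
]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(fs: dict, excluded=()) -> dict:
    """Hash every file not under an excluded prefix."""
    return {p: digest(c) for p, c in fs.items() if not p.startswith(excluded)}


def apply_events(fs: dict, events, upto_minute: int) -> dict:
    """Return the file system state after all events up to a given minute."""
    state = dict(fs)
    for ev in sorted(events, key=lambda e: e.minute):
        if ev.minute > upto_minute:
            break
        if ev.content is None:
            state.pop(ev.path, None)
        else:
            state[ev.path] = ev.content
    return state


def periodic_ict(baseline_fs, events, horizon_min,
                 interval=ICT_INTERVAL_MIN, excluded=ICT_EXCLUDED_PREFIXES):
    """Scheduled checker: diff the tree against the baseline only at scan times."""
    base = snapshot(baseline_fs, excluded)
    findings = []
    for t in range(interval, horizon_min + 1, interval):
        cur = snapshot(apply_events(baseline_fs, events, t), excluded)
        for path in sorted(set(base) | set(cur)):
            if base.get(path) != cur.get(path):
                findings.append((t, path))
    return findings


def continuous_monitor(baseline_fs, events):
    """Event-driven monitor: hash each write as it happens, with no exclusions."""
    base = snapshot(baseline_fs)
    state = dict(baseline_fs)
    alerts = []
    for ev in sorted(events, key=lambda e: e.minute):
        if ev.content is None:
            state.pop(ev.path, None)
        else:
            state[ev.path] = ev.content
        new = digest(state[ev.path]) if ev.path in state else None
        if new == base.get(ev.path):
            continue  # content matches the baseline again: nothing to raise
        kind = "deleted" if new is None else ("created" if ev.path not in base else "modified")
        alerts.append((ev.minute, ev.path, kind))
    return alerts


if __name__ == "__main__":
    print("periodic ICT findings:", periodic_ict(BASELINE_FS, SAMPLE_EVENTS, 240))
    print("continuous alerts:", continuous_monitor(BASELINE_FS, SAMPLE_EVENTS))
```

Run over the constructed timeline, the periodic checker reports nothing at the 120-minute scan (the module was already reverted and the dropped file sits under the excluded prefix) and only flags the change that was still in place at 240 minutes, while the event-driven monitor raises the 30-minute toggle, the 40-minute drop, and the 200-minute change as they occur. That difference is the reason Mandiant pairs the ICT with continuous monitoring rather than relying on the scheduled scan alone.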
Upcoming Persistence Mechanisms
The greater specter threatening Ivanti customers is UNC5325's latest experiments with persistence.
In rare instances following CVE-2024-21893 exploitation, the group has attempted to weaponize a legitimate component of Connect Secure called "SparkGateway." SparkGateway enables remote access protocols over a browser and, importantly, its functionality can be extended through plugins.
In this case, malicious plugins. Pitfuel, for example, is a SparkGateway plugin that the group uses to load the shared object LittleLamb.WoolTea, whose job is to deploy backdoors. LittleLamb.WoolTea daemonizes itself in order to run consistently in the background of the device, and contains multiple functions and components designed to enable persistence across system upgrades, patches, and factory resets.
As yet, the malware does not achieve this, owing to a simple error: mismatched encryption keys.
Because Chinese threat actors continue to demonstrate interest in Ivanti vulnerabilities, Mandiant is urging customers "to take immediate action to ensure protection if they haven't done so already." A new version of the ICT that can help detect these latest persistence attempts is now available.