Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan
Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325.
This blog post, as well as our previous reports detailing Ivanti exploitation, help to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied.
Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives.
As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti's latest patching guidance and instructions to prevent further exploitation activity. In addition, Ivanti released a new enhanced external integrity checker tool (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a remediation and hardening guide, which includes recommendations.
Mandiant recommends customers run both the internal and the latest external ICT released alongside a new patch on April 3, 2024, as part of a comprehensive defense-in-depth strategy. Mandiant would like to acknowledge Ivanti for their collaboration, transparency, and ongoing support throughout this process.
Clustering and Attribution
Mandiant is tracking multiple clusters of activity exploiting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 across our incident response investigations. In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining. Since the public disclosure on Jan. 10, 2024, Mandiant has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs. Of these, we are highlighting five China-nexus clusters that have conducted intrusions.
In February 2024, Mandiant identified a cluster of activity tracked as UNC5291, which we assess with medium confidence to be Volt Typhoon, targeting U.S. energy and defense sectors. The UNC5291 campaign targeted Citrix Netscaler ADC in December 2023 and probed Ivanti Connect Secure appliances in mid-January 2024, however Mandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure.
UNC5221
UNC5221 is a suspected China-nexus actor that Mandiant is tracking as the only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame since early Dec. 2023. As stated in our previous blog post, UNC5221 also conducted widespread exploitation of CVE-2023-46805 and CVE-2024-21887 following the public disclosure on Jan. 10, 2024.
UNC5266
Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.
UNC5330
UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence.
Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021.
UNC5337
UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221.
UNC5291
UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that Volt Typhoon was targeting critical infrastructure and was potentially interested in Ivanti Connect Secure devices for initial access.
New TTPs and Malware
Since our last blog on Ivanti exploitation, Mandiant has identified additional TTPs used by threat actors to gain access to target environments and move laterally within them. Additionally, Mandiant has identified several new code families leveraged by threat actors following the exploitation of Ivanti Connect Secure appliances. Of these code families, several are assessed to be custom malware families; however, Mandiant has also identified the use of open-source tooling, such as SLIVER and CrackMapExec.
SPAWN Malware Family
During analysis of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant discovered four distinct malware families that work closely together to create a stealthy and persistent backdoor on an infected appliance. Mandiant assesses that these malware families are designed to enable long-term access and avoid detection.
Figure 1 illustrates how the SPAWN malware family operates.
SPAWNANT
SPAWNANT is an installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor. It hijacks a legitimate dspkginstall installer process and exports an sprintf function adding a malicious code to it before redirecting a flow back to vsnprintf.
SPAWNMOLE
SPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web process to monitor traffic and filter out malicious traffic originating from the attacker. The remainder of the benign traffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host provided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where SPAWNSNAIL is operating to access the backdoor.
-
The malware attempts to inject itself into a process named web.
-
The malware attempts to hijack the accept API from the libc binary within web process.
-
The malware is specifically compiled as a PIE (Position Independent Executable) in order to use a third-party library for injection.
-
The malware traffic must start with a header that contains 0xfb49e3e2 at offset 0x13 and 0x1bc38361 at offset 0x1b of the received buffer.
SPAWNSNAIL
SPAWNSNAIL (libdsmeeting.so) is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.
SPAWNSNAIL's second purpose is to inject SPAWNSLOTH (.liblogblock.so) into dslogserver, a process supporting event logging on Connect Secure.
SPAWNSNAIL checks if its binary name is dsmdm; if it is running under that name, it creates two threads:
-
First thread drops a hard-coded SSH host private key to /tmp/.dskey, configures libssh to use the key, and then deletes /tmp/.dskey. The malware binds to localhost on port 8300.
-
The SSH server requires public key authentication.
-
When starting an interactive shell session, the malware prints a banner with statistics about the system. It will print the information about the release, uptime, current time, and whether SELinux is enabled. SPAWNSNAIL then executes an interactive bash shell.
-
The second thread injects a log tampering utility, SPAWNSLOTH (/tmp/.liblogblock.so), into the dslogserver process up to three times.
SPAWNSLOTH
SPAWNSLOTH is a log tampering utility injected into the dslogserver process. It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating.
SPAWNSLOTH uses funchook to hook the _ZN5DSLog4File3addEPKci function (it is assumed to be a logging function of dslogserver). It also modifies the g_do_syslog_servers_exist_p symbol. This is a pointer to a global variable controlling if event logs should be forwarded to an external syslog server.
Finally, it uses interprocess communication via shared memory to communicate with the SPAWNSNAIL backdoor. SPAWNSLOTH only blocks logging when SPAWNSNAIL is running.
Getting to the Root of It
During the investigation of an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant identified a new web shell we are tracking as ROOTROT. ROOTROT is a web shell written in Perl embedded into a legitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc by exploiting CVE-2023-46805 and CVE-2024-21887. setcookie.thtml.ttc is located on a writable partition on the appliance, and the same file was abused in previous Pulse Connect Secure exploitation events involving CVE-2019-11539 and CVE-2020-8218.
Figure 2 shows the code inserted into the setcookie.thmtl.ttc file that contains ROOTROT. The web shell can be accessed at /dana-na/auth/setcookie.cgi. It parses the issued decoded Base64-encoded command and executes it with eval.
Figure 2: Code block inserted into the setcookie.thtml.ttc file
During the investigation, Mandiant identified that the web shell was created on the system prior to the public disclosure of the associated CVEs on Jan. 10, 2024, indicating a more targeted attack. Defenders can detect the presence of ROOTROT by the existence of <!--\n and -->\n at the end of the response from /dana-na/auth/setcookie.cgi.
As of April 3, 2024, the latest external ICT will detect modifications to setcookie.thtml.ttc.
Lateral Movement Leading to vCenter Compromise
Once UNC5221 deployed ROOTROT on a Connect Secure appliance and established a foothold, they initiated network reconnaissance against the victim's network and moved laterally to a VMware vCenter server. Mandiant identified that UNC5221 first moved laterally using the vCenter web console, then later using SSH.
After moving laterally to the vCenter server, UNC5221 created a new virtual machine three times in vCenter, utilizing a naming convention consistent with other servers in the environment. Though the virtual machine creation was successful, Mandiant did not identify evidence of UNC5221 successfully running or using the virtual machine.
Following this, UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance (/home/vsphere-ui/vcli). Notably, BRICKSTORM appears to masquerade as a legitimate vCenter process, vami-http.
BRICKSTORM
BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.
Upon execution, BRICKSTORM checks for an environment variable, WRITE_LOG, to determine if the file needs to be executed as a child process. If the variable returns false or is unset, it will copy the BRICKSTORM sample from /home/vsphere-ui/vcli to /opt/vmware/sbin as vami-httpd. It will then execute the copied BRICKSTORM sample and terminate execution.
If WRITE_LOG is set to true, it assumes it is running as the correct process, deletes /opt/vmware/sbin/vami-httpd, and continues execution.
BRICKSTORM contains a separate function called Watcher, which contains self-monitoring functionality. If the environment variable WORKER returns false or is unset, it will continue the monitoring, checking for the file /home/vsphere-ui/vcli and copying the contents over to /opt/vmware/sbin/vami-httpd. Then, it sets the appropriate environment variables and spawns the process. The watcher process then begins monitoring the exit status of the child process.
If it finds the environment variable WORKER is set to true, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the Watcher function.
BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of wss://opra1.oprawh.workers[.]dev. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses.
Figure 3: DNS over HTTPS addresses
BRICKSTORM appears to leverage a custom Go package called wssoft. There is no known, publicly available Go package with this name. It appears this may be the main package developed by the malware authors to perform task processing and connection handling for the malware.
Table 1 provides the four core functions provided by wssoft.
Function |
Comments |
Spawning a web server |
See below for accepted routes/endpoints |
Command execution |
Executes shell commands using /bin/sh |
Command execution (“NoContext”) |
Executes shell commands using calls to os. Exec likely accepts commands run_shell and exit |
SOCKS relaying |
Connection proxying |
Table 1: wssoft capabilities
When the backdoor functionality is activated, it spawns a web server to handle incoming commands. It uses Gorilla/mux to handle the endpoint routing and lonnng/nex to marshal the data into JSON.
Table 2 provides the endpoints used for communications to the BRICKSTORM backdoor via POST requests.
Endpoint |
Function |
/api/file/change-dir |
Change directory |
/api/file/delete-dir |
Deletes a directory |
/api/file/delete-file |
Deletes a file |
/api/file/mkdir |
Makes a directory (create subdirectories as necessary) |
/api/file/list-dir |
Lists directory contents |
/api/file/rename |
Renames a file |
/api/file/put-file |
File upload given a destination path, can optionally append to file |
/api/file/get-file |
File download |
/api/file/slice-up |
May upload large files in separate chunks |
/api/file/file-md5 |
Calculates file MD5 |
/api/file/up |
Uploads a file using a web form (includes SHA256 hashing) |
/api/file/stat |
Gets file information |
Table 2: BRICKSTORM endpoints
Lateral Movement Leading to Active Directory Compromise
UNC5330 gained initial access to the victim environment by chaining together CVE-2024-21893 and CVE-2024-21887, a tactic outlined in Cutting Edge Part 3. Shortly after gaining access, UNC5330 leveraged an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows Certificate Template, created a computer object, and requested a certificate for a domain administrator. The threat actor then impersonated the domain administrator to perform subsequent DCSyncs to extract additional credential material to move laterally.
Attack Path Diagram
Windows Certificate Template Abuse
UNC5330 used the ldap-ivanti account, configured on the Ivanti appliance for LDAP bind operations, to create a domain computer object, testComputer$. UNC5330 used the newly created testComputer$ computer object to request a certificate from a vulnerable certificate template that provided enrollment rights to Domain Computers. UNC5330 requested a certificate for a domain administrator account, obtained a Kerberos TGT using the certificate, and performed DCSync attacks to obtain additional domain credentials for enabling lateral movement.
Once domain admin access was achieved, UNC5330 leveraged WMI to deploy the TONERJAM launcher and the PHANTOMNET backdoor.
WMI Event Consumers
WMI was used to perform lateral movement and establish persistence within the victim environment, primarily by creating and executing scheduled tasks that were subsequently removed. The ActiveScript event consumers performed the following:
-
Created and registered a scheduled task with trigger type 7 (started the task upon registration) to execute command with cmd.exe.
-
Wrote command output to a .log file in C:\Windows\Temp.
-
Deleted the scheduled task.
The behavior, as well as the naming convention used for both the WMI artifacts and output files, is consistent with a recent version of CrackMapExec that implements DCE/RPC for WMI execution that does not rely on SMB. Mandiant observed this technique being used to deploy TONERJAM and PHANTOMNET.
TONERJAM
TONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload. TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution.
PHANTOMNET
PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET's core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.
SLIVER C2
During a separate intrusion, UNC5266 retrieved copies of SLIVER from a Python SimpleHTTP server hosted on the same IP address as the configured command-and-control server. The copies of SLIVER were placed in three separate locations on the compromised appliance, attempting to masquerade as legitimate system files. UNC5266 modified a systemd service file to register one of the copies of SLIVER as a persistent daemon.
Path |
Description |
/home/bin/netmon |
SLIVER |
/home/bin/logd |
SLIVER |
/home/runtime/logd |
SLIVER |
/home/config/logd.spec.cfg |
systemd service unit configuration file |
Table 3: SLIVER components
Additionally, UNC5266 leveraged a WARPWIRE variant previously reported in Cutting Edge, Part 2. This variant was downloaded by UNC5266 from what Mandiant believes to be a compromised web server located in Rwanda. See Figure 18 in the Cutting Edge Part 2 blog for details on the WARPWIRE variant.
TERRIBLETEA
At a separate intrusion, UNC5266 used the same WARPWIRE sample as used in their SLIVER operation. However, instead of SLIVER, UNC5266 deployed a Go backdoor that Mandiant has named TERRIBLETEA. During this intrusion, the actor attempted to use curl to download the backdoor; however, logs suggest these attempts failed. Seven minutes after their last failed curl attempt, UNC5266 ran a wget request to an anonymous file sharing site: pan.xj.hk. UNC5266 likely uploaded TERRIBLETEA to the file-sharing site in the intervening seven minutes.
TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including:
-
Command execution
-
Keystroke logging
-
SOCKS5 proxy
-
Port scanning
-
File system interaction
-
SQL query execution
-
Screen captures
-
Ability to open a new SSH session, execute commands, and upload files to a remote server. The following commands may be executed:
-
chmod +x /tmp/.udevd
-
/tmp/.udevd <args>
-
ls -lahrt /home/
TERRIBLETEA can take different execution paths depending on what environment it is configured for, either linux_amd64 or darwin_amd64. In this instance, TERRIBLETEA is configured for the linux_amd64 environment. The sample persists with a Bash profile script located at /etc/profile.d/cron.sh for persistence.
Figure 5: TERRIBLETEA Bash profile script
Outlook and Implications
The activity detailed in this blog, as well as the recently published Cutting Edge, Part 3 highlighting UNC5325 targeting of Ivanti Connect Secure appliances, underscore the threat faced by edge appliances. Mandiant continues to observe China-nexus threat actors aggressively utilizing zero-day and N-day vulnerabilities to enable their operations and target organizations across the globe.
Mandiant continues to observe a wide range of TTPs following the successful exploitation of vulnerabilities against edge appliances. As previously reported by Mandiant, China-nexus actors continue to evolve their stealth to avoid detection by defenders. While the use of open--source tooling is somewhat common, Mandiant continues to observe actors leveraging custom malware that is tailored to the appliance or environment the actor is targeting.
Indicators of Compromise (IOCs)
Host-Based Indicators (HBIs)
data.dat |
9d684815bc96508b99e6302e253bc292 |
PHANTOMNET |
epdevmgr.dll |
b210a9a9f3587894e5a0f225b3a6519f |
TONERJAM |
libdsproxy.so |
4f79c70cce4207d0ad57a339a9c7f43c |
SPAWNMOLE |
libdsmeeting.so |
e7d24813535f74187db31d4114f607a1 |
SPAWNSNAIL |
.liblogblock.so |
4acfc5df7f24c2354384f7449280d9e0 |
SPAWNSLOTH |
.dskey |
3ef30bc3a7e4f5251d8c6e1d3825612d |
SPAWNSNAIL private key |
N/A |
bb3b286f88728060c80ea65993576ef8 |
TERRIBLETEA |
N/A |
cfca610934b271c26437c4ce891bad00 |
TERRIBLETEA |
N/A |
08a817e0ae51a7b4a44bc6717143f9c2 |
TERRIBLETEA |
linb64.png |
e7fdbed34f99c05bb5861910ca4cc994 |
SLIVER |
lint64.png |
c251afe252744116219f885980f2caea |
SLIVER |
linb64.png |
4f68862d3170abd510acd5c500e43548 |
SLIVER |
lint64.png |
9d0b6276cbc4c8b63c269e1ddc145008 |
SLIVER |
logd |
71b4368ef2d91d49820c5b91f33179cb |
SLIVER |
winb64.png |
d88bbed726d79124535e8f4d7de5592e |
SLIVER |
logd.spec.cfg |
846369b3a3d4536008a6e1b92ed09549 |
SLIVER persistence |
N/A |
8e429d919e7585de33ea9d7bb29bc86b |
SLIVER downloader |
N/A |
fc1a8f73010f401d6e95a42889f99028 |
PHANTOMNET |
N/A |
e72efc0753e6386fbca0a500836a566e |
PHANTOMNET |
N/A |
4645f2f6800bc654d5fa812237896b00 |
BRICKSTORM |
Table 4: Host-based indicators
Network-Based Indicators (NBIs)
8.218.240[.]85 |
IPv4 |
Post-exploitation activity |
98.142.138[.]21 |
IPv4 |
Post-exploitation activity |
103.13.28[.]40 |
IPv4 |
Post-exploitation activity |
103.27.110[.]83 |
IPv4 |
Post-exploitation activity |
103.73.66[.]37 |
IPv4 |
Post-exploitation activity |
193.149.129[.]191 |
IPv4 |
Post-exploitation activity |
206.188.196[.]199 |
IPv4 |
Post-exploitation activity |
oast[.]fun |
Domain |
Pre-exploitation validation |
cpanel.netbar[.]org |
Domain |
WARPWIRE Variant C2 server |
pan.xj[.]hk |
Domain |
Post-exploitation activity |
akapush.us[.]to |
Domain |
SLIVER C2 server |
opra1.oprawh.workers.dev |
Domain |
BRICKSTORM C2 server |
Table 5: Network-based indicators