China-nexus actors are reportedly exploiting two separate vulnerabilities affecting all versions of Ivanti Connect Secure and Policy Secure gateways:
CVE-2023-46805 (CVSS 8.2) exists in web component of the gateways that are vulnerable to authentication bypass, enabling potential attackers to access restricted resources.
CVE-2024-21887 (CVSS 9.1) is a command injection flaw which allows a potential authenticated attacker to craft requests and execute arbitrary commands on vulnerable appliances with administrative privileges.
The two vulnerabilities may be chained in order to obtain authentication bypass and ability to run arbitrary commands with elevated privileges.
Patches will be released the week of 22 January; however, there is a workaround. Ivanti recommends importing mitigation.release.20240107.1.xml which the vendor made available via the download portal.
Mandiant released an extensive report where the events are described in great detail. The attacks have been attributed to an unknown group tracked as UNC5221.
As per the Mandiant report the actor targets edge infrastructure exploiting zero-day vulnerabilities with a particular focus on legacy Cyberoam VPN appliances that are used as C2. According to various reports, such technique is consistent with the trends historically attributed to China-nexus actors.
Customized malware which Mandiant observed in the attacks includes:
ZIPLINE - Backdoor with capability to spawn a reverse shell and serve, perform arbitrary actions on files including upload and download, as well as implement communication to C2 or tunnel traffic among endpoints.
THINSPOOL - Dropper whose primary function in the attacks is to write the LIGHTWIRE web shell to the Connect Secure file.
Web shells LIGHTWIRE and WIREFIRE are injected within the CS appliance and enable the actor to interact with the compromised instance.
WARPWIRE serves as a credential harvester. The malware encodes the credentials and exfiltrates them to the C2 which Mandiant identified as symantke[.]com.