
Ivanti zero-day exploited by APT group that previously targeted Connect Secure appliances – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Vulnerability revealed by Ivanti has been exploited by the same group that targeted Connect Secure from January 2024.

Researchers from Google’s Mandiant division believe the critical remote code execution vulnerability patched on Wednesday by software vendor Ivanti has been exploited since mid-December by a Chinese cyberespionage group. This is the same group that exploited zero-day vulnerabilities in Ivanti Connect Secure appliances in January 2024 and throughout that year.

The latest attacks, exploiting the new CVE-2025-0282 flaw, involved the deployment of multiple malware components from a toolkit dubbed SPAWN that Mandiant attributes to a cluster of activity tracked as UNC5337, which the company suspects is related to another group tracked as UNC5221.

“UNC5221 is a suspected China-nexus espionage actor that exploited vulnerabilities CVE-2023-46805 and CVE-2024-21887, which impacted Ivanti Connect Secure VPN and Ivanti Policy Security appliances as early as December 2023,” the Mandiant researchers said in a report. “Additionally, Mandiant previously observed UNC5221 leveraging a likely ORB network of compromised Cyberoam appliances to enable intrusion operations.”

The SPAWN family of custom malware tools, some of which are specifically designed to interact with Connect Secure features and code, includes the SPAWNANT installer, the SPAWNMOLE tunneler, the SPAWNSNAIL SSH backdoor and the SPAWNSLOTH log-tampering utility. In addition to these known tools, which have been used in past Ivanti compromises, the latest attacks also involved never-before-seen components such as a credential harvester dubbed DRYHOOK and a malware dropper called PHASEJAM.

Malware prevents legitimate upgrades

In its security advisory, Ivanti directed customers to perform a factory reset on appliances before deploying the patched 22.7R2.5 version. The company did not go into details as to why, but based on Mandiant’s analysis it is because of the PHASEJAM dropper, which modifies multiple legitimate Connect Secure components, including the one responsible for system upgrades. It does this in order to block upgrades and then simulate them in a visually convincing way, even displaying the new version number at the end of the process.

“The first technique, utilized by PHASEJAM, prevents legitimate ICS [Ivanti Connect Secure] system upgrade attempts by administrators via rendering a fake HTML upgrade progress bar while silently blocking the legitimate upgrade process,” the Mandiant researchers explain. “Due to the blocked upgrade attempt, the technique would allow any installed backdoors or tools left by the threat actor to persist on the current running version of the VPN while giving the appearance of a successful upgrade.”

PHASEJAM also modifies legitimate files from the ICS web interface in order to inject a web shell that gives attackers remote access to the device, the ability to execute additional malicious code and to exfiltrate data from the device.

PHASEJAM comes in the form of a bash script and is deployed as a payload following the initial exploit for CVE-2025-0282 after some preparation steps that involve disabling the SELinux protections of the OS, blocking system log collection and remounting the root partition as writable so its files can be modified.

Following exploitation, the attackers perform several steps to remove evidence of the attack: clearing kernel messages and removing entries from debug logs; deleting troubleshooting information packages and any memory core dumps generated by crashes that could be used in forensic analysis; removing application event log entries related to various failures, crashes and certificate-handling errors; and clearing the SELinux audit log of executed commands.

Persistence across upgrades

In addition to blocking and simulating upgrades, the attackers deploy a mechanism to survive legitimate upgrades if they do happen. Normally the root partition is wiped during an upgrade, as it is supposed to be read-only, so the attackers hijack the execution flow of dspkginstall, a legitimate utility used during the upgrade process, in order to copy several malicious components to the temporary upgrade partition mounted on /tmp/data/.

“SPAWNANT establishes an additional method of backdoor access by writing a web shell into compcheckresult.cgi on the upgrade partition,” the researchers explained. “The web shell uses system() to execute the value passed to a hard-coded query parameter.”

SPAWNANT has three components: the SPAWNMOLE tunneler (libsocks5.so), the SPAWNSNAIL SSH backdoor (libsshd.so) and the SPAWNSLOTH log-tampering utility (.liblogblock.so). It also tricks the Ivanti Integrity Checker Tool (ICT) by recalculating the SHA-256 hash of any files it has modified and generating a new RSA key pair to sign the modified manifest that the ICT uses for integrity checking.
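The paragraph above describes why re-hashing modified files and re-signing the manifest with a freshly generated key defeats an integrity checker that trusts whatever key accompanies the manifest. The Go program below is an added illustration written for this page, not Ivanti's ICT code or Mandiant's tooling: it models a file manifest signed with RSA, shows a verifier that trusts the embedded public key accepting a re-signed, tampered manifest, and shows a verifier that pins the vendor's public key (obtained out of band, as an external checker booted from clean media could do) rejecting it. File names, file contents and the manifest format are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each covered file path to its hex SHA-256 digest (constructed format).
type Manifest struct{ Files map[string]string }

// SignedManifest carries the manifest, its RSA signature and the public key the signer
// shipped with it. Trusting that embedded key is the design weakness under discussion.
type SignedManifest struct {
	Manifest  Manifest
	Signature []byte
	PubKeyDER []byte
}

func buildManifest(files map[string][]byte) Manifest {
	m := Manifest{Files: map[string]string{}}
	for p, data := range files {
		sum := sha256.Sum256(data)
		m.Files[p] = hex.EncodeToString(sum[:])
	}
	return m
}

// canonical serialises the manifest deterministically so signer and verifier hash identical bytes.
func (m Manifest) canonical() []byte {
	paths := make([]string, 0, len(m.Files))
	for p := range m.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", m.Files[p], p)
	}
	return []byte(b.String())
}

func signManifest(m Manifest, key *rsa.PrivateKey) (SignedManifest, error) {
	digest := sha256.Sum256(m.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedManifest{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: sig, PubKeyDER: der}, nil
}

// verifyWith checks the manifest signature against pub, then every file digest against the manifest.
func verifyWith(sm SignedManifest, pub *rsa.PublicKey, files map[string][]byte) error {
	digest := sha256.Sum256(sm.Manifest.canonical())
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sm.Signature); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err)
	}
	for p, data := range files {
		sum := sha256.Sum256(data)
		if sm.Manifest.Files[p] != hex.EncodeToString(sum[:]) {
			return fmt.Errorf("digest mismatch for %s", p)
		}
	}
	return nil
}

// VerifyEmbeddedKey trusts the public key that travels with the manifest (weak design).
func VerifyEmbeddedKey(sm SignedManifest, files map[string][]byte) error {
	k, err := x509.ParsePKIXPublicKey(sm.PubKeyDER)
	if err != nil {
		return err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return errors.New("embedded key is not RSA")
	}
	return verifyWith(sm, pub, files)
}

// VerifyPinnedKey accepts only signatures from a key obtained out of band, so a manifest
// re-signed with a fresh key pair fails even though its digests match the modified files.
func VerifyPinnedKey(sm SignedManifest, pinned *rsa.PublicKey, files map[string][]byte) error {
	return verifyWith(sm, pinned, files)
}

// Scenario returns (embeddedAcceptsTampered, pinnedAcceptsTampered, pinnedAcceptsClean).
func Scenario() (bool, bool, bool, error) {
	vendorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	clean := map[string][]byte{ // constructed stand-ins, not real appliance files
		"compcheckresult.cgi": []byte("original cgi bytes"),
		"libsocks5.so":        []byte("original library bytes"),
	}
	cleanSM, err := signManifest(buildManifest(clean), vendorKey)
	if err != nil {
		return false, false, false, err
	}
	pinnedClean := VerifyPinnedKey(cleanSM, &vendorKey.PublicKey, clean) == nil

	// Modified file set, re-hashed manifest, signed with a new key that is shipped alongside it.
	tampered := map[string][]byte{"compcheckresult.cgi": []byte("modified cgi bytes"), "libsocks5.so": clean["libsocks5.so"]}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	forged, err := signManifest(buildManifest(tampered), newKey)
	if err != nil {
		return false, false, false, err
	}
	embeddedAccepts := VerifyEmbeddedKey(forged, tampered) == nil
	pinnedAccepts := VerifyPinnedKey(forged, &vendorKey.PublicKey, tampered) == nil
	return embeddedAccepts, pinnedAccepts, pinnedClean, nil
}

func main() {
	emb, pin, clean, err := Scenario()
	fmt.Println("embedded-key verifier accepts re-signed manifest:", emb)
	fmt.Println("pinned-key verifier accepts re-signed manifest:", pin)
	fmt.Println("pinned-key verifier accepts clean manifest:", clean, "err:", err)
}
```

The takeaway for defenders is that a signature alone proves only that someone holding the signing key produced the manifest; which key is trusted has to be anchored outside the artifact being checked, which is also why running the checker from a clean, external source matters more than re-running it on a possibly compromised appliance.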

Mandiant notes that tampered ICT reports can still be distinguished from genuine, successful ones by the number of steps listed. Screenshots showing the differences are provided in its analysis.

Lateral movement and credential theft

The APT group uses built-in command-line tools such as nmap and dig to perform network reconnaissance, and tries to perform LDAP queries using the LDAP service account or to access Active Directory servers through SMB and RDP.

A Python script dubbed DRYHOOK modifies a system component called DSAuth.pm to intercept legitimate authentications on the appliance and log credentials. Separately, the attackers attempt to exfiltrate the appliance database which contains VPN session cookies, API keys, certificates and credential material.

“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,” the researchers said. “Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.”


Original Post url: https://www.csoonline.com/article/3732107/ivanti-zero-day-exploited-by-apt-group-that-previously-targeted-connect-secure-appliances.html

Category & Tags: Malware, Vulnerabilities, Zero-day vulnerability
