Brother
Professional
A vulnerability in VPN devices allowed deploying 5 malicious programs at once.
At least 5 different malicious programs were allegedly used by government hackers to gain access to company networks through zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN devices. The attacks took place from the beginning of December 2023.
According to Mandiant, the UNC5221 group used malware to bypass authentication systems and gain hidden access to devices. To break into vulnerable devices, hackers used a chain of exploits that included an authentication bypass vulnerability (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) found in Ivanti Connect Secure and Policy Secure products.
The company Volexity, which attributed this activity to the Chinese spy group UTA0178, previously explained that the vulnerabilities allow an attacker to gain initial access, install web shells, insert backdoors into legitimate files, collect credentials and configuration files, and penetrate deeper into the internal networks of victims.
According to Ivanti, fewer than 10 customers were attacked, which indicates the targeted nature of the campaign. Fixes for the two vulnerabilities (unofficially named ConnectAround by security researcher Kevin Beaumont) are expected to be released next week.
Mandiant's analysis revealed that the attackers used 5 different malicious programs. They also injected malicious code into legitimate files on ICS systems and used tools such as BusyBox (a set of UNIX command-line utilities) and PySoxy (a SOCKS5 proxy server).
Experts note that due to the peculiarities of the file system of some devices, hackers used a Perl script to change access rights and deploy malware. The main tools for preserving access to hacked systems are the LIGHTWIRE and WIREFIRE web shells. The JavaScript-based WARPWIRE malware was also used to collect credentials, along with the ZIPLINE backdoor, which is able to upload/download files, establish a reverse shell, create a proxy server, and configure network tunneling to distribute traffic between multiple endpoints.
Although UNC5221 is not yet associated with any known group, the group's methods indicate an advanced persistent threat. Exploiting zero-day vulnerabilities and hidden infrastructure is common for government hackers. UNC5221's activities demonstrate that network perimeter devices remain an attractive target for espionage groups.
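Two of the behaviours described above, backdoors inserted into legitimate files and a script that changes access rights before dropping malware, are exactly what a file-integrity baseline is meant to surface. The following is an added illustration written for this post, not code from Mandiant, Volexity or Ivanti, and not Ivanti's own integrity checker: it records a SHA-256 and the permission bits of every regular file under a directory, then classifies differences against a trusted baseline. The file names (`cgi-bin/compcheck.cgi`, `config.txt`, `dropped.cgi`) are constructed for the demo and do not correspond to real paths on any appliance.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record SHA-256 and permission bits for every regular file under root.

    Symlinks are skipped so a link to /dev/zero or a huge file cannot stall
    the scan. Keys are POSIX-style relative paths so baselines are portable.
    """
    root = Path(root)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        entries[path.relative_to(root).as_posix()] = {
            "sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(path.stat().st_mode),
        }
    return entries


def compare(baseline, current):
    """Classify drift between a trusted baseline and a fresh snapshot.

    A file whose content changed is reported as 'modified' even if its mode
    also changed; 'mode_changed' is reserved for content-identical files
    whose permission bits differ (the access-rights change described above).
    """
    report = {"modified": [], "mode_changed": [], "added": [], "removed": []}
    for rel, info in current.items():
        base = baseline.get(rel)
        if base is None:
            report["added"].append(rel)
        elif base["sha256"] != info["sha256"]:
            report["modified"].append(rel)
        elif base["mode"] != info["mode"]:
            report["mode_changed"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return report


def demo():
    """Constructed scenario: baseline a small tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        legit = root / "cgi-bin" / "compcheck.cgi"  # hypothetical legitimate script
        legit.write_text("#!/usr/bin/perl\nprint 'ok';\n")
        os.chmod(legit, 0o755)
        cfg = root / "config.txt"  # hypothetical config file
        cfg.write_text("setting=1\n")
        os.chmod(cfg, 0o644)
        baseline = snapshot(root)

        # Simulated tampering (constructed, not real malware):
        # 1. code appended to a legitimate file (backdoor in a legitimate file)
        legit.write_text(legit.read_text() + "# appended line\n")
        # 2. a new file dropped next to it
        (root / "cgi-bin" / "dropped.cgi").write_text("# new file\n")
        # 3. permissions loosened on a file whose content is unchanged
        os.chmod(cfg, 0o666)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be produced from a known-good image and stored off the device, since an attacker who has already modified files on the appliance can also modify a baseline kept beside them.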