February 28, 2024 at 07:45AM
Mandiant reports that Chinese threat actors have exploited recent Ivanti Connect Secure VPN vulnerabilities, deploying new malware for persistence. Even after patches were released, the attackers continued to exploit a vulnerability, deploying new malware families and showing a nuanced understanding of the appliance that let them keep their backdoors executing persistently. The threat actor, tracked as UNC5325, has been observed exploiting CVE-2024-21893 and CVE-2024-21887.
From the meeting notes, it is clear that Chinese threat actors have been actively exploiting vulnerabilities in Ivanti Connect Secure VPN. They have used new malware to achieve persistence, even after Ivanti addressed the flaws. The threat actors have been observed exploiting multiple vulnerabilities, including CVE-2024-21893 and CVE-2024-21887, and have deployed new malware families including LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook.
Mandiant has identified the threat actor as UNC5325, which it links to UNC3886, a Chinese cyberespionage group previously observed exploiting vulnerable VMware products. UNC5325 has demonstrated advanced knowledge of the Ivanti Connect Secure appliance, deploying backdoors, persisting across system updates and factory resets, and evading detection through its nuanced understanding of how the appliance works.
CISA has set a 48-hour deadline for the removal of insecure Ivanti products, and it is evident that the threat actors anticipated patch rollouts and leveraged zero-day exploits. Organizations using Ivanti products must take immediate action to secure their networks and remove any insecure Ivanti products.
These insights give a clear picture of the ongoing threat from Chinese threat actors exploiting Ivanti vulnerabilities and of the actions that organizations and cybersecurity teams need to take to mitigate these risks.