February 1, 2024 at 03:33AM
Mandiant, owned by Google, reported identifying new malware used by espionage threat actor UNC5221 targeting Ivanti Connect Secure VPN and Policy Secure devices. The malware includes web shells like BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE, enabling arbitrary command execution and data exfiltration. Ivanti has disclosed and fixed security flaws targeted by the attacks.
The key takeaways from the report are:
– Mandiant identified new malware being used by the China-nexus espionage threat actor UNC5221 and other threat groups to target Ivanti Connect Secure VPN and Policy Secure devices.
– The malware includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE.
– UNC5221 has been leveraging zero-day exploits to execute arbitrary commands on Ivanti appliances with elevated privileges.
– The attacks involve the use of open-source utilities such as Impacket, CrackMapExec, iodine, and Enum4linux for post-exploitation activity on Ivanti Connect Secure appliances.
– Ivanti has disclosed two more security flaws, CVE-2024-21888 and CVE-2024-21893, and has released fixes to address the vulnerabilities.
– UNC5221 is targeting a wide range of industries, and its infrastructure and tooling overlap with past intrusions linked to China-based espionage actors.
– The attacks are associated with zero-day exploitation of edge infrastructure by suspected PRC-nexus actors.