Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware

February 29, 2024 at 01:27AM

Two China-linked cyber espionage clusters, UNC5325 and UNC3886, have exploited security flaws in Ivanti Connect Secure VPN appliances. They delivered new malware, maintained persistent access, and leveraged zero-day flaws to deploy implants targeting defense, technology, and telecommunication organizations in the U.S. and Asia-Pacific. Volt Typhoon, which evidence links to UTA0178, has also been attributed to reconnaissance activity against critical infrastructure.

Key takeaways:
– Two distinct suspected China-linked cyber espionage clusters, UNC5325 and UNC3886, have been linked to the exploitation of security flaws in Ivanti Connect Secure VPN appliances.
– UNC5325 leveraged CVE-2024-21893 to deliver various new malware and maintain persistent access to compromised appliances.
– UNC3886 has a track record of leveraging zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants targeting defense industrial base, technology, and telecommunication organizations.
– It is assessed with moderate confidence that UNC5325 is associated with UNC3886 based on source code overlaps in their malware.
– UNC5325 actively exploited CVE-2024-21893 as early as January 19, 2024, targeting a limited number of devices, using it to gain unauthorized access to susceptible appliances and deploying a new version of BUSHWALK.
– Mandiant expects UNC5325 and other China-nexus espionage actors to continue leveraging zero-day vulnerabilities on network edge devices and appliance-specific malware to gain and maintain access to target environments.
– Volt Typhoon (aka Voltzite) has been attributed to reconnaissance and enumeration activities aimed at U.S.-based electric companies, emergency services, telecommunication providers, defense industrial bases, and satellite services.
– Volt Typhoon’s actions signify clear objectives to identify vulnerabilities within critical infrastructure for future destructive or disruptive cyber attacks.
– Evidence connects Volt Typhoon to UTA0178, a threat activity group linked to the zero-day exploitation of Ivanti Connect Secure flaws in early December 2023.
– Volt Typhoon relies heavily on Living-off-the-Land (LotL) methods to evade detection, and joins two other newly identified groups, Gananite and Laurionite, in conducting long-term reconnaissance and intellectual property theft operations targeting critical infrastructure and government entities.
