State-sponsored hackers know enterprise VPN appliances inside out

Suspected Chinese state-sponsored hackers leveraging Ivanti Connect Secure VPN flaws to breach a variety of organizations have demonstrated “a nuanced understanding of the appliance”, according to Mandiant incident responders and threat hunters.

They were able to perform a number of modifications on the device and deploy specialized malware and plugins aimed at achieving persistence across system upgrades, patches, and factory resets.

“While the limited attempts observed to maintain persistence have not been successful to date due to a lack of logic in the malware’s code to account for an encryption key mismatch, it further demonstrates the lengths UNC5325 [one of the threat groups] will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches,” Mandiant’s specialists noted.

Specially crafted malware and plugins

Mandiant’s security pros have said that they believed two separate (but likely connected) threat groups – UNC5325 and UNC3886 – are behind some of the recent attacks that started with the exploitation of several Ivanti Connect Secure flaws. They believe the two groups are Chinese cyber espionage operators.

The most interesting thing about the attacks is not the exploitation of previously unknown (i.e., zero-day) vulnerabilities and the bypassing of mitigations employed to fix them, but the specialized knowledge leveraged by the attackers to achieve persistence on targeted devices despite enterprise defenders’ efforts.

According to the researchers, UNC5325 has been usin living-off-the-land techniques (LotLs) to evade detection and has attempted to use novel malware (LITTLELAMB.WOOLTEA) and backdoors to make their foothold on the device permanent.

The attackers used publicly available services (e.g., Interactsh) to detect vulnerable devices and eployed reverse shells and web shells on them.

“We identified a technique allowing BUSHWALK [a web shell] to remain in an undetected dormant state by creatively modifying a Perl module and LotL technique by using built-in system utilities unique to Ivanti products,” they shared.

An encrypted versions of BUSHWALK “remains dormant in a dynamic directory and therefore is not scanned by the integrity checker tool,” they found. (On Tuesday, Ivanti also released an enhanced external integrity checker tool that provides customers a decrypted snapshot of their appliance.)

In some cases, after exploiting CVE-2024-21893, the attackers used plugins for SparkGateway – a legitimate component of the Ivanti Connect Secure appliance – to modify its configuration file and inject shared objects into appliance processes. In addition, it attempts to persist and re-deploy backdoors after system upgrade events, patches, and factory resets.

“The exploitation of the Ivanti zero-days has likely impacted numerous appliances,” the researchers said.

“While much of the activity has been automated, there has been a smaller subset of follow-on activity providing further insights on attacker tactics, techniques, and procedures (TTPs). Mandiant assesses additional actors will likely begin to leverage these vulnerabilities to enable their operations.”

Hackers hitting other enterprise VPN appliances

State-sponsored hacking groups compromising edge devices to achieve a foothold into organizations is not news, but it’s becoming increasingly obvious that they know the target devices inside out.

Dutch intelligence services reported earlier this month that Chinese state-sponsored hackers had breached the Dutch Ministry of Defense in 2023 and deployed a new remote access trojan specifically built for Fortinet’s FortiGate (firewall with built-in VPN) appliances.

The RAT in question – dubbed Coathanger – is also able to survive reboots and firmware upgrades.

UPDATE (February 29, 2024, 04:10 a.m. ET):

“Attackers have realized that the majority of perimeter-exposed products aren’t ‘secure by design’, and so vulnerabilities can be found far more easily than in popular client software. Furthermore, these products typically don’t have decent logging (or can be easily forensically investigated), making perfect footholds in a network where every client device is likely to be running high-end detective capabilities,” says David C (surname witheld), Technical Director for Platforms Research at the UK National Cyber Security Centre.

The NCSC advises organizations to demand “secure by design” products from vendors and consider migrating away from a self-hosted service to a cloud-hosted (SaaS) versions of products so they don’t have to worry about maintaining underlying infrastructure.

“An attack will still place the data at risk, but shouldn’t give the attacker a foothold on your network,” he said. “The vendor’s security team will likely be focused on monitoring their service (whilst your teams need to monitor all of your organisation’s services) and, if it is compromised, there is a chance your data will not be the data taken from the vendor (unless you are particularly high profile).”

“Sadly, the days where a fully patched perimeter meant you were safe from all but the most advanced attackers are long gone,” he added. “We are entering the days where organizations need to start aiming for a perimeter scan with no ports found accessible.”

UPDATE (February 29, 2024, 12:10 p.m. ET):

The article has been amended to doubly emphasize that thought the attackers tried to achieve persistence via SparkGateway plugins, they were ultimately unsuccessful.