Chinese hackers are deploying new
The exploitation of security flaws in Ivanti Connect Secure VPN devices has been linked to at least two different suspected China-linked cyber espionage clusters, identified as UNC5325 and UNC3886.
UNC5325 distributed a wide range of brand-new malware called LITTLELAMB using CVE- 2024- 21893. According to Mandiant, Woolea, PITSTOP, PITDOG, PITJET, and PITHOOK all made attempts to maintain persistent access to compromised appliances.
Due to source code overlaps in LITTLELAMB, the Google-owned threat intelligence company has concluded with a reasonable degree of certainty that UNC5325 and UNC3886 are related. WOOLTEA and PITHOOK both use malware, respectively.
UnC3886 has a track record of utilizing zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants, including VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP.
According to Mandiant researchers, “UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the United States and [ Asia-Pacific ] regions.”
According to UNC5325, the active exploitation of CVE- 2024- 21893, a server-side request forgery ( SSRF ) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, started on January 19, 2024, and targeted a select number of devices.
In some cases, additional payloads have been dropped using legitimate Ivanti components, such as SparkGateway plugins. A malicious shared object codenamed LITTLELAMB is loaded using the PITFUEL plugin. WOOLTEA is a system update event, patch, and factory reset tool that can be used to keep track of changes.
It further demonstrates the lengths UNC5325 will go to keep access to priority targets and highlights the importance of making sure network appliances have the most recent updates and patches, according to the company. The company noted that the few attempts to maintain persistence have not been successful to date due to a lack of logic in the malware’s code to account for an encryption key mismatch.
Additionally, it serves as a backdoor that supports SOCKS proxy, network traffic tunneling, file management, shell creation, command execution, and file management.
Another malicious SparkGateway plugin, known as PITDOG, injects a shared object called PITHOOK to persistently execute a PITSTOP implant that is intended for file write, file read, and file write on the compromised appliance.
The threat actor was described by Mandiant as having “proven advanced knowledge of the appliance and their ability to subvert detection throughout this campaign” and using living-off-the-ground ( LOTL ) techniques to fly under the radar.
The cybersecurity firm predicted that “UNC5325 as well as other China-nexus espionage actors will continue to use zero day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.”
Links Found Between UTA0178 and Volt Typhoon
Dragos, an industrial cybersecurity firm, attributed China-sponsored Volt Typhoon ( also known as Voltzite ) to reconnaissance and enumeration efforts aimed at numerous U.S.-based electric companies, emergency services, telecommunication providers, defense industrial bases, and satellite services.” Voltzite’s actions toward U.S. electric entities, telecommunications, and GIS systems represent clear objectives that can be exploited in the future with destructive or disruptive cyberattacks,” it said.
Evidence linking the adversary to UTA0178, a threat activity group linked to the zero-day exploitation of Ivanti Connect Secure flaws in early December 2023 has since expanded to include African electric transmission and distribution providers.
The cyber-espionage actor, who heavily relies on LotL techniques to avoid detection, joins two other emerging organizations that were exposed in 2023 and are conducting long-term reconnaissance and intellectual property theft operations against crucial infrastructure and government entities.
” Voltzite prefers to run their operations with as little of a footprint as possible,” Dragos said. Voltzite puts a lot of emphasis on long-term persistent access and detection evasion, with the goal of long-term data exfiltration and espionage.
( The article has been updated to emphasize that the VPN appliances ‘ attempts to maintain persistence were unsuccessful. )