Chinese Group Runs Highly Persistent Ivanti 0-Day Exploits

UNC5325 Can Remain in Hacked Devices Despite Factory Reset and Patches
Chinese threat actors are attempting to maintain persistence after exploiting the recent Ivanti Connect Secure VPN vulnerability even after factory resets, system upgrades and patches.* The threat actor, UNC5325, is adept at "living off the land" techniques, warned threat intelligence firm Mandiant.

Mandiant published a report explaining how UNC5325 is using novel malware such as LittleLamb.WooLTea in an attempt to maintain persistence.

Ivanti has disclosed a set of five vulnerabilities seen since Jan. 10, including CVE-2024-21893, a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA appliances. The bug, exploited by UNC5325, allows attackers to access certain restricted resources without authentication, according to Ivanti.

Mandiant drew connections between operators UNC5325 and UNC3886, citing overlaps in tactics, techniques and procedures. UNC3886 is a suspected Chinese espionage operator that also uses these vulnerabilities to primarily target the defense industrial base, technology and telecommunication organizations located in the U.S. and Asia-Pacific region.

Mandiant said the attackers deployed a nuanced variant of the BushWalk web shell to read arbitrary files and subvert detection through creative modifications.

Attackers also abused legitimate components, such as SparkGateway plug-ins, to deploy backdoors, extending their reach within compromised systems. Injecting shared objects into the SparkGateway component, threat actors created a pathway for further exploitation, allowing them to manipulate systems without detection.

The group manipulated the system's data backup mechanism and timed its actions during upgrades to secretly embed the malicious code into the updated system.

Threat actors also attempted to persist through factory resets by analyzing the hardware of the appliance and then modifying the factory reset process.

"UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets," Mandiant said. The cybersecurity firm anticipates UNC5325 and other Chinese espionage actors will persistently use zero-day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.

*Correction Feb. 29, 2024 15:18 UTC: This story has been corrected throughout to reflect that the threat actor's attempts to maintain persistence through factory resets, system upgrades and patches have not been successful to date.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.