Multiple China-Linked Groups Attacking Ivanti Vulnerabilities

Patches have been made available by Ivanti

Researchers from cybersecurity firm Mandiant have identified multiple China-linked hacker groups exploiting security vulnerabilities in Ivanti appliances to gain unauthorized access to targeted networks.

According to Mandiant, eight threat groups, including UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and the previously identified UNC3886, have been exploiting zero-day vulnerabilities, notably CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, to breach Ivanti Connect Secure and Ivanti Policy Secure gateways.

These zero-days provide adversaries with opportunities for unauthorized access and subsequent exploitation of targeted networks.

Among the identified threat groups, Mandiant highlights UNC5291, which it assesses with medium confidence to be associated with Volt Typhoon, focusing primarily on the U.S. energy and defense sectors.

While UNC5291 targeted Citrix NetScaler ADC in December 2023, it shifted its focus to probing Ivanti Connect Secure appliances in mid-January 2024, although the researchers observed no successful compromise.

Mandiant says UNC5221 is the only group that has been exploiting CVE-2024-21887 and CVE-2023-46805 since before their public disclosure (early December 2023). Following public disclosure of these vulnerabilities in January 2024, the researchers observed UNC5221 intensifying its exploitation efforts, posing a significant threat to many organizations.

Mandiant created the identifier UNC5266 to track post-disclosure exploitation that led to the deployment of various malware families, including a new one, a backdoor named TERRIBLETEA. The cybersecurity firm suspects that UNC5266 overlaps with UNC3569, another China-linked espionage actor previously observed exploiting vulnerabilities in Microsoft Exchange, Aspera Faspex and Oracle Web Applications Desktop Integrator.

Since February 2024, UNC5330 has been detected chaining CVE-2024-21887 and CVE-2024-21893 to infiltrate Ivanti Connect Secure VPN appliances. After compromising these systems, UNC5330 has engaged in activities such as deploying the PHANTOMNET Trojan and its launcher TONERJAM.

UNC5330 has also used Windows Management Instrumentation (WMI) for reconnaissance, lateral movement within networks, manipulation of registry entries, and establishing persistence.

Another group, UNC5337, compromised Ivanti Connect Secure VPN appliances as early as January 2024. Using vulnerabilities such as CVE-2023-46805 and CVE-2024-21887, UNC5337 successfully infected these appliances, deploying a range of custom malware families including the SPAWNSNAIL passive backdoor, SPAWNANT installer, SPAWNMOLE tunneller, and SPAWNSLOTH log-tampering utility.

Mandiant suspects UNC5337 may be affiliated with UNC5221.

The researchers say they have identified advanced tactics employed by these threat actors to infiltrate target environments and move laterally within them.

Aside from the suspected China-nexus espionage groups, Mandiant researchers have uncovered evidence of financially motivated actors exploiting vulnerabilities like CVE-2023-46805 and CVE-2024-21887.

Fortunately, patches for all supported versions of Ivanti Connect Secure affected by these vulnerabilities have been made available as of 3rd April 2024.

Mandiant is now urging organizations to follow Ivanti's latest patching guidance diligently to mitigate the risk of further exploitation.

This story originally appeared on our sister site Computing.