As part of the continual mass exploitation activity against previously disclosed and patched Ivanti flaws, China-linked threat actors are using a new malware variant in an attempt to maintain a foothold on infected appliances across system upgrades, patches and factory resets.
While investigating exploitation efforts against one of several recent flaws in Ivanti Connect Secure and Policy Secure - a server-side request forgery bug (CVE-2024-21893) - Mandiant researchers found Chinese cyber espionage operator UNC5325 using a combination of living-off-the-land tactics and various strains of malware to evade detection and set up persistence mechanisms on impacted devices.
“UNC5325’s TTPs and malware deployment showcase the capabilities that suspected China-nexus espionage actors have continued to leverage against edge infrastructure in conjunction with zero days,” according to researchers in an analysis this week. “Mandiant expects UNC5325 as well as other China-nexus espionage actors to continue to leverage zero day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.”
In “limited” incidents, researchers observed attackers using SparkGateway plugins in their attacks. SparkGateway is a legitimate Ivanti Connect Secure component that facilitates the use of remote access protocols like RDP over a browser, but attackers have been abusing the component to inject a shared object through the Java Native Interface.
This shared object - which consisted of malware that researchers classify as LITTLELAMB.WOOLTEA - then deployed backdoors and attempted to set up a deep level of persistence. For instance, the malware calls a function that appends its malicious components to an archive (/data/pkg/data-backup.tgz) in an attempt to survive system upgrades and patches. The malware also contains a function that continually monitors the filesystem for system upgrade events; when such an event occurs, it appends its components to an archive that is decompressed during the upgrade process.
“During a system upgrade or when applying a patch, data-backup.tgz contains a backup of the data directory that is restored after the upgrade event,” said Mandiant researchers. “In addition, the function timestomps data-backup.tgz by calling utimensat. This modification would ensure its malicious components (plugin.jar, libchilkat.so, and gateway.conf) persist across system upgrades and patches.”
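The description above suggests two defender-side checks: whether data-backup.tgz carries the named components, and whether its mtime looks rewound (utimensat() resets mtime, but the kernel still updates ctime). The following is an added illustration, not Mandiant's ICT or any Ivanti code; the archive member paths and the constructed sample are hypothetical.

```python
import os
import tarfile
import tempfile
import time

# Component names Mandiant lists as persisted by LITTLELAMB.WOOLTEA.
SUSPECT_NAMES = {"plugin.jar", "libchilkat.so", "gateway.conf"}


def suspicious_entries(tgz_path):
    """Return members of data-backup.tgz whose file name matches a known component."""
    with tarfile.open(tgz_path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if os.path.basename(m.name) in SUSPECT_NAMES)


def looks_timestomped(path, slack=60):
    """utimensat() rewrites mtime but the kernel still bumps ctime, so a ctime
    well past mtime on a file that should be freshly written is a red flag.
    Legitimate chmod/chown also moves ctime, so treat this as a lead, not proof."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def build_sample(dirpath, tainted):
    """Construct a small data-backup.tgz (constructed sample, not real appliance
    content; member paths are hypothetical)."""
    tgz = os.path.join(dirpath, "data-backup.tgz")
    members = ["data/config/dsconfig.xml"]
    if tainted:
        members += ["data/plugins/plugin.jar", "data/plugins/libchilkat.so",
                    "data/plugins/gateway.conf"]
    with tarfile.open(tgz, "w:gz") as tar:
        for name in members:
            src = os.path.join(dirpath, os.path.basename(name))
            with open(src, "wb") as fh:
                fh.write(b"placeholder")
            tar.add(src, arcname=name)
    if tainted:
        # Model the timestomp: mtime set a year back while ctime stays "now".
        old = time.time() - 365 * 86400
        os.utime(tgz, (old, old))
    return tgz


def audit(tainted):
    """Run both checks on a constructed sample; returns (names, timestomped)."""
    with tempfile.TemporaryDirectory() as d:
        tgz = build_sample(d, tainted)
        return suspicious_entries(tgz), looks_timestomped(tgz)
```

On a real appliance you would point suspicious_entries() and looks_timestomped() at /data/pkg/data-backup.tgz instead of the constructed sample.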
The incidents - although the attempts to persist across factory resets were unsuccessful - reflect how Chinese threat actors are going the extra mile to maintain a foothold on infected systems. For end users of affected products, persistence at this depth complicates remediation, since patching alone may not evict the intruder. Last year, an “aggressive” China-linked actor (UNC4841) targeted the well-known Barracuda Email Security Gateway (ESG) appliance flaw and deployed additional tooling that allowed it to maintain its presence on infected appliances. Barracuda at the time urged certain impacted customers to replace their ESG appliances.
“Similar to UNC4841’s familiarity with Barracuda ESGs, UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets,” said researchers. “While the limited attempts observed to maintain persistence have not been successful to date due to a lack of logic in the malware's code to account for an encryption key mismatch, it further demonstrates the lengths UNC5325 will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches.”
Ivanti, for its part, has rolled out patches for this vulnerability and other related ones in Connect Secure and Policy Secure. Customers are being urged to immediately apply the patches, and Mandiant researchers said a new version for the external Integrity Checking Tool (ICT) is available to help customers detect persistence attempts like these.
“The exploitation of the Ivanti zero-days has likely impacted numerous appliances,” said researchers. “While much of the activity has been automated, there has been a smaller subset of follow-on activity providing further insights on attacker tactics, techniques, and procedures (TTPs). Mandiant assesses additional actors will likely begin to leverage these vulnerabilities to enable their operations.”