Chinese threat actors developed new techniques to move laterally after exploiting Ivanti vulnerabilities, a new study from Mandiant has found.
The activities of five suspected China-linked spy groups were detailed by Mandiant in an April 4 blog post.
The activity follows the exploitation of vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, previously identified in Ivanti Connect Secure and Ivanti Policy Secure gateways.
One of these groups, identified as UNC5291, was assessed by Mandiant with medium confidence as Volt Typhoon, which targets the US energy and defense sectors.
Additionally, Mandiant said it has identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, which could enable operations such as crypto-mining.
In total, the analysis observed eight distinct clusters involved in exploiting one or more of these Ivanti CVEs.
The report follows an urgent warning issued by the Five Eyes countries on February 29 that cyberthreat actors are exploiting these vulnerabilities, which were disclosed in early 2024.
From April 3, a patch is readily available for each supported version of Ivanti Connect Secure affected by the vulnerabilities.
Organizations are also advised to use the new and improved version of Ivanti's External Integrity Checker Tool (ICT), also released on April 3, to detect potential malware persistence attempts across factory resets and system upgrades, as well as other tactics, techniques, and procedures (TTPs) observed in the wild.
New TTPs for post-exploitation lateral movement
Mandiant has observed Chinese groups deploying new malware following the exploitation of Ivanti Connect Secure appliances. These tools are designed to allow lateral movement while avoiding detection.
SPAWN malware family
During a Mandiant analysis following a compromise by the UNC5221 threat actor, four separate components of the SPAWN custom malware toolset were used together to create a stealthy and persistent backdoor on an infected appliance.
This malware family is also designed to allow long-term access and avoid detection. It is made up of:
- SPAWNANT. An installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and the SPAWNSNAIL backdoor.
- SPAWNMOLE. A tunneler that injects into the web process. It hijacks the accept function of the web process to monitor traffic and filter out malicious traffic originating from the attacker.
- SPAWNSNAIL. A backdoor that listens on localhost.
- SPAWNSLOTH. A log tampering utility injected into the dslogserver process. It can disable logging and disable forwarding of logs to an external syslog server while the SPAWNSNAIL backdoor is operating.
ROOTROT Web Shell
In the same investigation into an Ivanti Connect Secure appliance compromised by UNC5221, Mandiant also identified the use of a new web shell identified as ROOTROT.
This web shell is written in Perl and is embedded in a legitimate Connect Secure .ttc file. It decodes a Base64-encoded command supplied by the attacker and executes it with eval.
ROOTROT is believed to have been created on the system before the public disclosure of associated CVEs on January 10, 2024, suggesting a targeted attack.
Deploying ROOTROT on a Connect Secure appliance led to UNC5221 conducting network reconnaissance and moving laterally to a VMware vCenter server.
BRICKSTORM backdoor
UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance.
BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It can configure itself as a web server, perform file system and directory manipulation, perform file operations such as upload and download, execute shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hardcoded C2.
SLIVER C2
In another intrusion, the UNC5266 threat actor deployed copies of the SLIVER command and control (C2) framework. Copies of SLIVER were placed in three separate locations on the compromised appliance, attempting to masquerade as legitimate system files.
UNC5266 modified a systemd service file to register one of the copies of SLIVER as a persistent daemon.
TERRIBLETEA
In another intrusion, UNC5266 deployed a Go backdoor named TERRIBLETEA. It communicates over HTTP using XXTEA for encrypted communications and has multiple features, including executing commands, logging keystrokes, and interacting with the file system.
TERRIBLETEA can also take different execution paths depending on the environment it is configured for.
Active Directory compromise due to lateral movement
Another technique observed by researchers was that of the UNC5330 group, which chained CVE-2024-21893 and CVE-2024-21887 for initial access.
UNC5330 used an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows certificate template, create a computer object, and request a certificate for a domain administrator.
The threat actor then impersonated the domain administrator to perform DCSync operations, extracting additional credentials for lateral movement.
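As an added defensive example (not code from the Mandiant report), the following Python script correlates constructed Windows security events for the chain described above: computer account creation (event 4741), an approved certificate request naming a different principal (event 4887), and replication rights exercised by that principal from a non-domain-controller host (event 4662). The event IDs and the replication GUIDs are real; the sample records, simplified field names, and domain controller list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Control access right GUIDs for DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All (real values exercised by DCSync).
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}

# Constructed sample events (simplified view of the real event XML):
# an LDAP bind account creates a computer object (4741), that object
# obtains a certificate naming a domain admin (4887), and the admin
# identity then replicates directory data from a non-DC host (4662).
EVENTS = [
    {"t": "2024-02-10T09:00:05", "id": 4741, "subject": "svc_ldapbind",
     "target": "WS-EXTRA$"},
    {"t": "2024-02-10T09:01:10", "id": 4887, "subject": "WS-EXTRA$",
     "san": "administrator@corp.example"},
    {"t": "2024-02-10T09:03:42", "id": 4662, "subject": "administrator",
     "properties": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "host": "WS-EXTRA"},
    {"t": "2024-02-10T12:00:00", "id": 4662, "subject": "DC01$",
     "properties": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "host": "DC02"},
]
DCS = {"DC01", "DC02"}  # constructed list of legitimate domain controllers

def ts(e):
    return datetime.fromisoformat(e["t"])

def within(later, earlier, window):
    return 0 <= (ts(later) - ts(earlier)).total_seconds() <= window.total_seconds()

def find_chain(events, window=timedelta(hours=1), dcs=DCS):
    """Return (computer, admin, dcsync_host) for every full chain found."""
    hits = []
    for c in (e for e in events if e["id"] == 4741):
        for r in events:
            # certificate request made by the newly created computer account
            if r["id"] != 4887 or r["subject"] != c["target"] or not within(r, c, window):
                continue
            admin = r["san"].split("@")[0]
            for s in events:
                # replication rights exercised by that admin from a non-DC host
                if (s["id"] == 4662 and s["subject"].lower() == admin.lower()
                        and s["host"] not in dcs and s["properties"] in REPL_GUIDS
                        and within(s, r, window)):
                    hits.append((c["target"], admin, s["host"]))
    return hits

if __name__ == "__main__":
    for hit in find_chain(EVENTS):
        print("possible certificate abuse -> DCSync chain:", hit)
```

Replication between domain controllers is filtered out as normal; only the admin identity replicating from the newly created machine is reported.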
Mandiant said its findings highlight the ongoing threat edge devices face, with a wide range of TTPs in use following successful exploitation.
“While the use of open source tools is quite common, Mandiant continues to observe actors exploiting custom malware tailored to the actor’s targeted appliance or environment,” the researchers wrote.