Chinese hackers exploit Ivanti VPN flaw to deploy new malware

Ivanti VPN flaws

At least two different cyber espionage clusters suspected of being linked to China have been tracked as UNC5325 and UNC3886has been attributed to the exploitation of a security vulnerability in Ivanti Connect Secure VPN devices.

Mandiant said that UNC5325 abused CVE-2024-21893 to spread a series of new malware named LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET and PITHOOK and maintain persistent access to infected devices.

Google’s Threat Intelligence firm assesses with medium confidence that UNC5325 is related to UNC3886 because the source code in LITTLELAMB.WOOLTEA and PITHOOK overlaps with malware used by the latter.

Notably, UNC3886 has a track record of exploiting zero-day flaws in Fortinet and VMware solutions to deploy various implants such as VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP.

“UNC3886 primarily targets defense industrial base, technology and telecommunications organizations located in the United States and [Asia-Pacific] region,” Mandiant researchers said.

CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, UNC5325 This is said to have occurred as early as January December 2024 19th, for a limited number of devices.

Internet security

The attack chain required combining CVE-2024-21893 with a previously disclosed command injection vulnerability tracked as CVE-2024-21887 to gain unauthorized access to vulnerable devices, ultimately leading to the deployment of a new version of BUSHWALK.

Some instances also involve the misuse of legitimate Ivanti components (such as the SparkGateway plug-in) to remove additional load. These include the PITFUEL plug-in used to load a malicious shared object codenamed LITTLELAMB.WOOLTEA, which has the ability to persist across system upgrade events, patches, and factory resets.

It also acts as a backdoor, supporting command execution, file management, shell creation, SOCKS proxying, and network traffic tunneling.

Another malicious SparkGateway plugin named PITDOG was also observed, which injects a shared object named PITHOOK to persistently execute an implant named PITSTOP, which is designed to execute shell commands on infected devices. Designed for file writing and file reading.

Ivanti VPN flaws

Mandiant described the threat actors as demonstrating “a granular understanding of the devices and their ability to subvert detection throughout their campaigns” and using Living Off the Land (LotL) techniques to fly under the radar.

The cybersecurity firm said it expects “UNC5325 and other China-linked espionage actors will continue to exploit zero-day vulnerabilities and device-specific malware on network edge devices to gain and maintain access to target environments. “

Found link between Volt Typhoon and UTA0178

The disclosure comes as industrial cybersecurity firm Dragos attributes China-sponsored surveillance and purges of Voltzite, also known as Voltzite, to multiple U.S. power companies, emergency services, telecommunications providers, the defense industrial base and satellite services. Activity.

Internet security

“Voltzite’s actions against U.S. power entities, telecommunications and GIS systems demonstrate a clear goal to identify vulnerabilities within the country’s critical infrastructure that could be exploited for future destructive or destructive cyber operations,” the statement read. attack.”

Volt Typhoon’s victim footprint has since expanded to include African transmission and distribution providers, with evidence linking the adversary to UTA0178, a threat actor linked to a zero-day attack in early December 2023 that exploited an Ivanti Connect Secure flaw .

Ivanti VPN flaws

This cyber espionage campaign, which relies heavily on LotL methods to evade detection, joins two other new groups exposed in 2023, Gananite and Laurionite, in conducting long-term reconnaissance and intellectual property theft operations targeting critical infrastructure and government entities.

“Voltzite uses very few tools and prefers to operate with as little floor space as possible,” explains Dragos. “Voltzite focuses on detecting evasion and long-term persistent access, and assessing intent for long-term espionage and exfiltration.”

Did you find this article interesting?follow us Twitter and LinkedIn to read more exclusive content from us.



Source link



from Tech Empire Solutions https://techempiresolutions.com/chinese-hackers-exploit-ivanti-vpn-flaw-to-deploy-new-malware/
via https://techempiresolutions.com/

from Tech Empire Solutions https://techempiresolutions.blogspot.com/2024/02/chinese-hackers-exploit-ivanti-vpn-flaw.html
via https://techempiresolutions.com/

Comments

Post a Comment

Popular posts from this blog

Perfecta grill uses AI to help cook steaks in 90 seconds

Image
CES is increasingly becoming a barbecue show, and companies are constantly looking for ways to bring more technology to your deck or patio. One company adding artificial intelligence technology to its spice racks is Seergerills, a British startup made up of engineers and product developers. Its flagship model, the Perfecta, can cook a one-inch-thick rib-eye steak in 90 seconds. Overall, the company says the grill looks more like a see-through countertop oven and cooks food about 10 times faster than traditional cooking methods. Inside, dual vertical infrared burners cook both sides simultaneously, which not only speeds up the process but also eliminates the need for flipping. Seergerills says the burner has a maximum temperature of 1,652 degrees Fahrenheit, and the unit even ensures crisp edges thanks to 360-degree heating. The built-in artificial intelligence chef calculates the appropriate cooking time and temperature based on the food, taking into account the desired degree of done
Read more

John Wick heads to Vegas to visit interactive attractions

Image
image: Lionsgate If you’ve ever wanted to fully immerse yourself in John Wick , Lionsgate has got you covered. Later this year, action series is becoming “immersive and interactive” tourist attractions In Las Vegas. Grace Byers on horror and comedy in ‘The Dark’ According to the press release, John Wick Experience Produced in collaboration with series director Chad Stahelski and his production company 87Eleven. The 12,000-square-foot exhibit at the city’s AREA15 campus lets visitors “experience high-stakes adventures and visit themed bars and retail stores open to the public.” Guests will be given specific tasks involving characters and images from the film. They’ll also rub shoulders with Continental employees, crime bosses, and other assassins who (presumably) don’t come into contact with Wick’s bad side at any point in the movie, all in an effort to gain access to private Continental areas and learn about the interesting secret. Jenefer Brown, exec
Read more

Ford prepares for next war, Waymo recalls its self-driving car software, another self-driving startup lays off employees

Image
TechCrunch Mobility is a weekly newsletter dedicated to all things transportation. Sign up here – just click TechCrunch Mobility – and get the newsletter in your inbox every weekend. Subscription is free. welcome back TechCrunch Mobile — A central hub for news and insights about the future of transportation.This week’s news includes BMW Security breach exposes sensitive information, federal agencies fight back against Tesla super bowl ad and a new federal investigation Fisker . But first, I want to talk about my recent visit to the law, where I met some people Ford Executives understand their priorities for 2024 and beyond. It can be said with certainty Chinese electric vehicle manufacturer and Tesla is the most important; in the view of Ford executives, low-cost electric vehicles and cutting-edge software are the best ways to stop these threats. The company’s recently revealed Skunk Works project for electric vehicles is tasked with this task. Ford Chief Financial Officer J
Read more