How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities

Volexity used memory forensics to reconstruct an exploit chain that chained two zero-day vulnerabilities in Ivanti Connect Secure VPN to achieve unauthenticated remote code execution. Memory analysis of uwsgi processes revealed base64-encoded commands, a vulnerable POST API path with directory traversal, SSH connect-back shells, and evidence the attacker modified the device’s Integrity Checking Tool. #IvantiConnectSecure #Volexity

Keypoints

  • Volexity captured and analyzed a memory sample that enabled reconstruction of a chained pair of zero-day exploits leading to unauthenticated RCE on Ivanti Connect Secure VPN appliances.
  • String-based IOCs in memory (notably base64-decoded payloads) revealed commands like “/bin/bash /tmp/5” executed via uwsgi processes, indicating hands-on-keyboard activity and in-memory payloads.
  • Memory analysis exposed the full malicious HTTP POST request path: /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection, confirming the vulnerable API endpoint and directory traversal usage.
  • Memory contained attacker IP addresses (e.g., 98.160.48.170 and 173.220.106.166) and evidence of SSH connect-back sessions from uwsgi processes, providing remote root-level access.
  • Attackers cleared disk logs and modified the built-in Integrity Checking Tool to evade detection, making memory capture essential before running integrity checks that reboot the device.
  • Volexity used Volcano to automate IOC searches and to inspect process memory, syscall/interrupt tables, TTY handlers, Netfilter stack, kernel module state, and injected shared libraries for advanced artifact discovery.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Chained two zero-day exploits to achieve unauthenticated remote code execution on the VPN appliance (‘Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE).’)
  • [T1059] Command and Scripting Interpreter – Attacker executed shell commands decoded from base64 in memory, e.g., ‘/bin/bash /tmp/5’ (‘Decoding the base64 data revealed some obviously malicious commands, including … runs /tmp/5 as a bash script.’)
  • [T1105] Ingress Tool Transfer – Payloads were staged to /tmp and executed from memory, shown by base64 pipelines writing and invoking /tmp/5 (‘…|base64 -d … /bin/bash /tmp/5 2>&1|base64’)
  • [T1021.002] Remote Services: SSH – Memory shows processes initiating SSH connect-back sessions to attacker IPs, enabling remote shell access (‘…code running within another uwsgi process … was initiating SSH connections back to the attacker’s IP address.’)
  • [T1070.004] Indicator Removal on Host: File Deletion – Attackers removed or cleared log files from disk to hide activity (‘Volexity observed attackers clearing log files from disk.’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Threat actor surreptitiously modified the Ivanti Integrity Checking Tool to evade detection (‘Volexity shared evidence that a threat actor had surreptitiously modified that tool in order to evade detection.’)

Indicators of Compromise

  • [IP Address] Attacker infrastructure – 98.160.48.170 (attributed to compromised Cyberoam devices), 173.220.106.166
  • [HTTP Path] Vulnerable API endpoint – POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection
  • [File/Command] In-memory payloads / temporary scripts – ‘/tmp/5’ executed via ‘/bin/bash /tmp/5’, and base64-encoded command fragments found in uwsgi memory
  • [Process] Targeted processes – uwsgi processes running as root (e.g., PID 2952 serving restservice.api and PID 31694 serving cav.api)

Volexity’s technical response prioritized immediate memory acquisition and analysis using their Volcano tooling to reconstruct the exploit chain and capture volatile artifacts. Analysts ran string-based automatic IOCs against the uwsgi process memory, discovering base64-encoded POST payloads that decoded to commands like “/bin/bash /tmp/5”, and used hex/heap inspection to recover a full malicious HTTP POST header containing the trigger path with directory traversal: POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection. Memory also contained attacker IPs linked to compromised Cyberoam devices and showed multiple uwsgi instances (restservice.api and cav.api) executing attacker-driven actions.
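The triage steps described above (string-sweeping process memory for base64 runs, decoding them and flagging known command fragments, then recovering HTTP request lines and resolving their directory traversal) can be reproduced on a small scale with a plain scanner. The block below is an added example written for this page; it is not Volexity's Volcano tooling or any Ivanti code. It runs over a constructed byte blob that stands in for a uwsgi process memory region (the host name, the `cmd=` form field and the second benign request are invented for the sample); the command fragment, the traversal path and the IP addresses come from the summary above. The resolved path printed for the POST request is simply what POSIX path normalisation yields for the page's traversal path.

```python
"""
Added example (not the page's or Volexity's code): a minimal memory-triage
scanner that mirrors three steps from the write-up on a constructed blob.

  1. Find base64-looking runs, decode them, and flag decoded text containing
     known attacker command fragments such as "/bin/bash /tmp/".
  2. Find HTTP request lines in the heap, normalise the path, and report any
     request whose raw path uses ".." traversal to reach a different endpoint.
  3. Report any IPv4 literal that matches the known attacker addresses.
"""
import base64
import binascii
import posixpath
import re

# Indicators taken from the summary above. Everything else is illustrative.
SUSPICIOUS_COMMAND_FRAGMENTS = ("/bin/bash /tmp/", "base64 -d")
KNOWN_ATTACKER_IPS = {"98.160.48.170", "173.220.106.166"}

# A run of base64 alphabet characters long enough to carry a command.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")
# HTTP request lines as they sit in the web worker's heap.
_REQUEST_LINE = re.compile(rb"(GET|POST|PUT|DELETE) (/[^ \r\n]*) HTTP/1\.[01]")
_IPV4 = re.compile(rb"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")

# Constructed sample "memory region": a malicious POST carrying a base64 body,
# followed by an unrelated benign request and a harmless base64 value.
_ATTACKER_COMMAND = b"/bin/bash /tmp/5 2>&1|base64"  # fragment quoted on the page
SAMPLE_BLOB = (
    b"\x00\x00uwsgi worker restservice.api\x00"
    b"POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/"
    b"cloud-server-test-connection HTTP/1.1\r\n"
    b"Host: vpn.example.com\r\nX-Forwarded-For: 98.160.48.170\r\n\r\n"  # invented host
    b"cmd=" + base64.b64encode(_ATTACKER_COMMAND) + b"\x00\x00"        # invented field
    b"GET /index.html HTTP/1.1\r\nHost: vpn.example.com\r\n\x00"
    b"benign=" + base64.b64encode(b"hello world, nothing to see") + b"\x00"
)


def decode_base64_runs(blob: bytes):
    """Yield (raw_run, decoded_text) for each run that decodes to printable text."""
    for m in _B64_RUN.finditer(blob):
        run = m.group(0)
        # Pad to a multiple of four so runs truncated in memory still decode.
        padded = run + b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
            text = decoded.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            yield run, text


def find_suspicious_commands(blob: bytes):
    """Return decoded base64 payloads that contain a known command fragment."""
    return [
        text
        for _, text in decode_base64_runs(blob)
        if any(frag in text for frag in SUSPICIOUS_COMMAND_FRAGMENTS)
    ]


def find_traversal_requests(blob: bytes):
    """Return (method, raw_path, resolved_path) for requests using '..' traversal."""
    findings = []
    for m in _REQUEST_LINE.finditer(blob):
        method, raw = m.group(1).decode(), m.group(2).decode()
        resolved = posixpath.normpath(raw)
        if ".." in raw.split("/") and resolved != raw:
            findings.append((method, raw, resolved))
    return findings


def find_attacker_ips(blob: bytes):
    """Return the sorted known attacker IPs present anywhere in the blob."""
    seen = {m.group(1).decode() for m in _IPV4.finditer(blob)}
    return sorted(seen & KNOWN_ATTACKER_IPS)


if __name__ == "__main__":
    for cmd in find_suspicious_commands(SAMPLE_BLOB):
        print("suspicious decoded payload:", cmd)
    for method, raw, resolved in find_traversal_requests(SAMPLE_BLOB):
        print(f"traversal: {method} {raw} -> {resolved}")
    print("known attacker IPs seen:", find_attacker_ips(SAMPLE_BLOB))
```

Against a real acquisition the same functions would be run over each uwsgi process's memory map rather than one blob; the point of the traversal check is that the literal path and its normalised form differ, which is exactly the condition a reverse proxy or an API gateway can also log and alert on before the request ever reaches the backend.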

Further memory investigation revealed evidence of SSH connect-back sessions initiated from uwsgi processes, yielding root-level access because those services ran as UID 0. Disk logs had been cleared by the attacker, and the built-in Integrity Checking Tool was found to have been modified to evade detection, demonstrating why capturing memory before running integrity checks (which reboot the device) is critical. Volexity’s workflow included auditing syscall and interrupt tables, TTY handlers, Netfilter state, loadable kernel modules, and injected shared libraries to detect stealthy persistence or in-memory-only artifacts that would not appear on disk.

From triage to proof-of-concept generation, memory forensics enabled rapid confirmation of exploitation, identification of exact attacker commands and vulnerable API endpoints, and recovery of working exploit scripts—capabilities that disk imaging or logs alone could not provide when attackers remove traces or rely on in-memory execution and built-in OS tools like SSH for lateral access.

Read more: https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-exploitation-of-ivanti-connect-secure-vpn-zero-day-vulnerabilities/