Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation | Mandiant

Mandiant and Ivanti observed a suspected espionage actor (tracked as UNC5221) exploiting two Ivanti Connect Secure/Policy Secure zero-days (CVE-2023-46805 and CVE-2024-21887) to install multiple custom implants and web shells for persistence and credential theft. The campaign uses tools including ZIPLINE, THINSPOOL, LIGHTWIRE, WIREFIRE, and WARPWIRE to remount filesystems, trojanize legitimate binaries/files, run arbitrary commands, and exfiltrate credentials. #UNC5221 #IvantiConnectSecure

Keypoints

  • UNC5221 exploited CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) against Ivanti Connect Secure and Policy Secure appliances beginning as early as Dec 2023.
  • The actor deployed multiple custom malware families (ZIPLINE, THINSPOOL, LIGHTWIRE, WIREFIRE, WARPWIRE) to gain persistent backdoors, trojanize legitimate files, and harvest credentials.
  • Post-exploitation steps included remounting the filesystem read/write via a Perl script (sessionserver.pl), installing THINSPOOL to drop the LIGHTWIRE web shell, and using BusyBox and PySoxy for tunneling.
  • ZIPLINE is a passive ELF backdoor that hijacks accept() to receive encrypted commands (file upload/download, reverse shell, proxy/tunneling) and manipulates installer files and Ivanti Integrity Checker exclusion lists to evade detection.
  • LIGHTWIRE (Perl) and WIREFIRE (Python) are lightweight web shells enabling arbitrary command execution and file upload; WARPWIRE is a JavaScript credential harvester that sends Base64-encoded credentials to a C2 (e.g., symantke[.]com).
  • Mandiant published YARA rules and multiple MD5 signatures to detect ZIPLINE, THINSPOOL, LIGHTWIRE, WIREFIRE, and WARPWIRE and provided recommended mitigations and coordination with Ivanti for patches.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting Ivanti Connect Secure/Policy Secure vulnerabilities (‘Mandiant has identified zero-day exploitation … beginning as early as December 2023’).
  • [T1059] Command and Scripting Interpreter – Execution of arbitrary commands via web shells and command injection (‘LIGHTWIRE is a web shell … to enable arbitrary command execution’).
  • [T1505.003] Server Software Component: Web Shell – Trojans legitimate Connect Secure files with web shells (LIGHTWIRE, WIREFIRE) to maintain remote command capability (‘LIGHTWIRE is a web shell written in Perl CGI that is embedded into a legitimate Secure Connect file’).
  • [T1574] Hijack Execution Flow – Loader/preload manipulation to hijack execution (ZIPLINE copies /etc/ld.so.preload and uses ld.so.preload behavior) (‘ZIPLINE copies /etc/ld.so.preload to /tmp/data/root/etc/ld.so.preload’).
  • [T1090] Proxy – ZIPLINE implements proxy and tunneling functionality and UNC5221 used tunneling (PySoxy) for post-exploitation connectivity (‘ZIPLINE … Proxy Server; Tunneling Server’ and ‘leveraging the PySoxy tunneler’).
  • [T1056.004] Input Capture: Credentials from Web Forms – WARPWIRE harvests plaintext web logon credentials and exfiltrates them to C2 (‘WARPWIRE targets plaintext passwords and usernames which are submitted via a HTTP GET request to a command and control (C2) server’).
  • [T1071] Application Layer Protocol – Use of HTTP GET/POST for command-and-control and exfiltration (‘submitted to the C2 via a HTTP GET request’ and WIREFIRE responds to specific HTTP POST requests to /api/v1/cav/client/visits’).

Indicators of Compromise

  • [File name] Post-compromise artifacts and droppers – compcheckresult.cgi (LIGHTWIRE), sessionserver.sh (THINSPOOL), lastauthserverused.js (WARPWIRE), visits.py (WIREFIRE)
  • [Script/tool] Utility scripts used in deployment – sessionserver.pl (Perl remount helper), libsecure.so.1 (ZIPLINE backdoored library)
  • [Domain] WARPWIRE C2 – symantke[.]com (example WARPWIRE callback)
  • [Hashes] Detection signatures / MD5 hashes from the YARA rules – 6de651357a15efd01db4e658249d4981 (WIREFIRE), 3d97f55a03ceb4f71671aa2ecf5b24e9 (LIGHTWIRE), and 2 more hashes

Following successful exploitation of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), operators executed a short Perl helper (sessionserver.pl) to remount the Connect Secure filesystem read/write, set executable permissions, run a helper shell script (sessionserver.sh), and then remount read-only to evade easy discovery. Example sequence: system("mount -o remount,rw /"); system("chmod a+x /home/etc/sql/dsserver/sessionserver.sh"); system("/home/etc/sql/dsserver/sessionserver.sh 1>/dev/null 2>/tmp/errlog"); system("mount -o remount,ro /"). This remount step enabled deployment of THINSPOOL, a shell-script dropper that writes the LIGHTWIRE Perl CGI web shell into an existing Connect Secure file and can re-insert that web shell after updates to maintain persistence.

ZIPLINE is a passive ELF backdoor implanted by trojanizing libsecure.so (libsecure.so.1). It hooks the accept() call to inspect incoming connections, triggers when it detects an OpenSSH banner (‘SSH-2.0-OpenSSH_0.3xx’), then receives an encrypted header specifying commands. ZIPLINE supports file upload/download, reverse shell execution (/bin/sh), proxy server, and multi-endpoint tunneling; it also manipulates installer artifacts and the Ivanti Integrity Checker exclusion_list (adding itself and appending its SHA256 to installer bom_files) and edits /pkg/do-install and ./installer/do-install via sed commands to avoid installer-based detection.

LIGHTWIRE (Perl) and WIREFIRE (Python) provide lightweight remote command execution and file upload: LIGHTWIRE intercepts compcheckresult.cgi requests carrying the parameters comp=comp and compid (Base64 + RC4), decodes the compid value and evals it as Perl; WIREFIRE is trojanized logic responding to POSTs to /api/v1/cav/client/visits, saving an uploaded file when the form field 'file' is present or otherwise decoding data that follows a GIF header, then zlib-compressing and AES-encrypting the command output it returns in JSON. WARPWIRE is JavaScript embedded in a legitimate file that captures plaintext web logon credentials (Base64-encoded with btoa()) and exfiltrates them via HTTP GET to a C2 such as symantke[.]com. Detection suggestions include scanning for the listed filenames, the YARA rules and MD5 hashes provided by Mandiant, and monitoring for the described remount and sed modification behaviors.
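The following triage script is an added example, not code from Mandiant or from the blog post; it turns the observables above (the remount sequence and sed edits described in the post-exploitation paragraph, the web shell request shapes and the WARPWIRE C2 domain described here) into two defender-side checks: a log classifier that flags WIREFIRE POSTs to /api/v1/cav/client/visits, LIGHTWIRE requests to compcheckresult.cgi with comp=comp plus compid, and outbound requests to symantke[.]com, and a file scanner that matches the two MD5 values the page lists, the attacker-written helper names (sessionserver.pl, sessionserver.sh) and content patterns for the remount and do-install tampering. The log lines, the directory holding compcheckresult.cgi, and the sample files are constructed for the demo; the log format is assumed to be Apache-style common log.

```python
"""Constructed triage helpers for the UNC5221 tradecraft described above (not Mandiant's code)."""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# MD5 values quoted on the page for the WIREFIRE and LIGHTWIRE samples.
KNOWN_MD5 = {
    "6de651357a15efd01db4e658249d4981": "WIREFIRE",
    "3d97f55a03ceb4f71671aa2ecf5b24e9": "LIGHTWIRE",
}

# Files the page describes as attacker-written helpers. The other names on the
# page are legitimate appliance files that get trojanized, so a basename match
# alone would be a false positive for those; they are covered by hash/content.
ATTACKER_SCRIPT_NAMES = {
    "sessionserver.pl": "remount helper",
    "sessionserver.sh": "THINSPOOL",
}

# Content patterns drawn from the behaviours the page describes.
CONTENT_PATTERNS = {
    "remount-rw": re.compile(r"mount\s+-o\s+remount,rw\s+/"),
    "sed-do-install": re.compile(r"\bsed\b.*\bdo-install\b"),
    "exclusion-list": re.compile(r"exclusion_list"),
    "warpwire-c2": re.compile(r"symantke\.com"),
}

# Assumed Apache-style common log: src ident user [time] "METHOD target proto" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\w+) (\S+) [^"]*"')


def classify_request(line: str):
    """Return a malware family name for one access/proxy log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group(2), m.group(3)
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    # WIREFIRE answers POSTs to this appliance path.
    if method == "POST" and parts.path == "/api/v1/cav/client/visits":
        return "WIREFIRE"
    # LIGHTWIRE triggers on compcheckresult.cgi with comp=comp plus a compid payload.
    if (parts.path.endswith("/compcheckresult.cgi")
            and query.get("comp") == ["comp"] and "compid" in query):
        return "LIGHTWIRE"
    # WARPWIRE exfiltrates via GET to the C2 domain; visible in proxy/DNS logs.
    if parts.hostname and parts.hostname.endswith("symantke.com"):
        return "WARPWIRE"
    return None


def analyze_log(text: str):
    """Return [(source_ip, family)] for every flagged line in the log text."""
    hits = []
    for line in text.splitlines():
        family = classify_request(line)
        if family:
            hits.append((LOG_RE.match(line).group(1), family))
    return hits


def scan_file(path: Path):
    """Collect (indicator_type, detail) findings for one file."""
    data = path.read_bytes()
    findings = []
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_MD5:
        findings.append(("md5", KNOWN_MD5[digest]))
    if path.name in ATTACKER_SCRIPT_NAMES:
        findings.append(("name", ATTACKER_SCRIPT_NAMES[path.name]))
    text = data.decode("utf-8", errors="replace")
    for label, pattern in CONTENT_PATTERNS.items():
        if pattern.search(text):
            findings.append(("content", label))
    return findings


def scan_tree(root: Path):
    """Map relative POSIX path -> findings for every file with at least one finding."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            found = scan_file(p)
            if found:
                results[p.relative_to(root).as_posix()] = found
    return results


# Constructed access-log excerpt (documentation IP ranges; the directory that
# holds compcheckresult.cgi is assumed, not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2024:10:00:01 +0000] "GET /dana-na/auth/welcome.cgi HTTP/1.1" 200 1024
203.0.113.5 - - [12/Jan/2024:10:00:07 +0000] "POST /api/v1/cav/client/visits HTTP/1.1" 200 312
203.0.113.5 - - [12/Jan/2024:10:00:09 +0000] "GET /dana-na/auth/compcheckresult.cgi?comp=comp&compid=QUJD HTTP/1.1" 200 88
198.51.100.7 - - [12/Jan/2024:10:01:00 +0000] "GET http://symantke.com/?u=dXNlcg== HTTP/1.1" 200 0
203.0.113.9 - - [12/Jan/2024:10:02:00 +0000] "GET /dana-na/auth/compcheckresult.cgi?comp=abc HTTP/1.1" 200 88
"""


def demo():
    """Run both scanners over constructed data and return (log_hits, file_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        helper_dir = root / "home/etc/sql/dsserver"
        helper_dir.mkdir(parents=True)
        # Remount sequence quoted on the page, written into a constructed file.
        (helper_dir / "sessionserver.pl").write_text(
            'system("mount -o remount,rw /");\n'
            'system("chmod a+x /home/etc/sql/dsserver/sessionserver.sh");\n'
            'system("/home/etc/sql/dsserver/sessionserver.sh 1>/dev/null 2>/tmp/errlog");\n'
            'system("mount -o remount,ro /");\n'
        )
        # Constructed installer tampering resembling the sed edits the page describes.
        (root / "patch.sh").write_text("sed -i 's/zzz/yyy/' /pkg/do-install\n")
        (root / "readme.txt").write_text("nothing to see here\n")
        file_hits = scan_tree(root)
    return analyze_log(SAMPLE_LOG), file_hits


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The name-based rule is deliberately limited to the two helper scripts the page attributes to the actor; compcheckresult.cgi, visits.py and lastauthserverused.js are legitimate appliance files that the implants modify in place, so for those the hash and content checks (or Ivanti's integrity checker, with its exclusion list verified) are the meaningful signal.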

Read more: https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day