Keypoints
- Volexity identified in-the-wild exploitation of two chained zero-days in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887) that allowed unauthenticated RCE.
- Attackers backdoored legitimate components (e.g., compcheckresult.cgi, lastauthserverused.js) and deployed custom webshells named GLASSTOKEN for persistence and command execution.
- Credential harvesting was performed by modifying login JavaScript to POST base64-encoded credentials to attacker domains, enabling lateral movement via RDP, SMB, and SSH.
- Evidence included cleared/disabled logs, modified Integrity Checker records, and network activity such as curl requests, SSH/SOCKS tunnels, and connections to attacker-controlled IPs/domains.
- Forensic artifacts recovered included modified Perl and shell script chains (sessionserver.pl and sessionserver.sh), temporary proxy utilities (s.py/PySoxy), and snapshots of new/mismatched files identified by the Integrity Checker Tool.
- Detection methods recommended: analyze network traffic from the appliance, enable and review unauthenticated request logging, and run Ivanti’s Integrity Checker (after collecting memory/disk if compromise is suspected).
- Response guidance: collect memory and disk images before rebooting, analyze for webshells and credential theft, rotate compromised credentials, and investigate lateral movement and exposed systems.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Two zero-day exploits were chained to achieve unauthenticated RCE: ‘Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE).’
- [T1505.003] Web Shell – Attacker placed webshells on multiple servers for persistence and remote execution: ‘placing webshells on multiple internal and external-facing web servers.’
- [T1056.001] Input Capture (Keylogging) – JavaScript on the Web SSL VPN login page was modified to capture and exfiltrate credentials by POSTing them to an attacker domain: ‘modified the file lastauthserverused.js… modifying the “Login” function to POST user credentials to an attacker-controlled domain.’
- [T1021] Remote Services – Lateral movement occurred using compromised credentials over RDP, SMB, and SSH: ‘Lateral movement using compromised credentials to connect to internal systems via RDP, SMB, and SSH.’
- [T1003] Credential Dumping – The attacker dumped LSASS memory and extracted a domain controller NTDS.DIT from VHD backups to harvest credentials: ‘dump the memory of the LSASS process to disk using Task Manager’ and ‘extracted the Active Directory database ntds.dit file.’
- [T1070/T1562] Indicator Removal / Impair Defenses – The actor wiped and disabled logging and altered files to evade the Integrity Checker Tool: ‘logs had been wiped and logging had been disabled’ and ‘making changes to the system to evade the ICS Integrity Checker Tool.’
Indicators of Compromise
- [IP address] attacker infrastructure and interactions – 206.189.208.156 (DigitalOcean IP tied to UTA0178), 75.145.243.85 (observed interacting with compromised device), and multiple additional IPs linked to Cyberoam proxy network.
- [Domain] credential collection & attacker domains – symantke[.]com (domain used to collect credentials), gpoaccess[.]com (suspected UTA0178 domain), and webb-institute[.]com.
- [Filename] modified/added files on ICS VPN appliance – /home/webserver/htdocs/dana-na/auth/compcheckresult.cgi (backdoored CGI allowing command execution), /home/webserver/htdocs/dana-na/auth/lastauthserverused.js (modified to exfiltrate credentials), and /home/etc/sql/dsserver/sessionserver.pl (scripts used to remount FS and deploy webshells).
- [Tool/Artifact] proxy utility and webshells – recovered PySoxy-like proxy (s.py) carved from disk and GLASSTOKEN webshell variants deployed to Internet-facing and internal servers.
Volexity’s forensic analysis reconstructed the exploit chain: two zero-day vulnerabilities (CVE-2023-46805 — authentication bypass, CVSS 8.2; and CVE-2024-21887 — command injection, CVSS 9.1) were chained to grant unauthenticated command execution on Ivanti Connect Secure appliances. The attacker used scripts and modified Perl modules (e.g., /home/etc/sql/dsserver/sessionserver.pl and sessionserver.sh) to remount the filesystem read/write, modify legitimate components, and insert a webshell into compcheckresult.cgi; they also altered lastauthserverused.js to POST base64-encoded credentials to attacker-controlled domains.
Post-exploitation activity focused on persistence, credential harvesting, and lateral movement. The actor deployed GLASSTOKEN webshell variants (one with ReGeorg-like tunneling, one with direct code execution), ran a Python SOCKS proxy (PySoxy-like s.py) from /tmp, dumped LSASS memory and extracted ntds.dit from mounted VHD backups, and used compromised credentials to pivot via RDP/SMB/SSH. They also disabled/cleared logs and modified Integrity Checker exclusions to hide changes, and performed outbound connections (curl to ip-api[.]com, SSH/SOCKS tunnels) and downloads from compromised Cyberoam appliances.
For detection and response:
- Analyze outbound and inbound traffic from the appliance for anomalous curl, SSH, SOCKS, or unknown encrypted connections.
- Enable and review “Unauthenticated Requests” logging and Integrity Checker events (SYS32039/SYS32040) for new or mismatched files.
- Collect memory and disk images and Integrity Checker snapshots before running tools that reboot the device.
- If compromise is confirmed, treat all stored secrets as exposed, rotate credentials/secrets, hunt for lateral movement and webshells on internal hosts, and perform full forensic analysis and remediation (mitigations/patches do not remove a prior compromise).
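As an added illustration (not Volexity's or Ivanti's tooling), the triage script below runs the indicators from this summary over a constructed, simplified log format: inbound appliance requests tagged with their authentication state, and outbound connections from the appliance. The log layout, the `IN`/`OUT` line shapes, and the sample lines are assumptions built for the example; the IPs, domains, path, and ip-api[.]com egress pattern come from the report.

```python
"""Triage constructed ICS appliance logs against indicators from the Volexity report."""
import re
from dataclasses import dataclass

# Indicator values from the report (defanged brackets removed so they match real log text).
IOC_IPS = {"206.189.208.156", "75.145.243.85"}
IOC_DOMAINS = {"symantke.com", "gpoaccess.com", "webb-institute.com"}
# Egress the report ties to post-exploitation reconnaissance (curl to ip-api[.]com).
RECON_EGRESS = {"ip-api.com"}
# Path the report says was backdoored. It is also a legitimate endpoint, so an
# unauthenticated hit is a lead for review against your baseline, not proof.
WATCHED_PATHS = {"/dana-na/auth/compcheckresult.cgi"}

# Constructed log format (assumption, not Ivanti's real format):
#   <ts> IN  <client_ip> <method> <path> <status> <auth|unauth>
#   <ts> OUT <appliance_ip> <proto> <dest_host_or_ip>:<port>
IN_RE = re.compile(r"^(\S+) IN (\S+) ([A-Z]+) (\S+) (\d{3}) (auth|unauth)$")
OUT_RE = re.compile(r"^(\S+) OUT (\S+) (\S+) ([^:\s]+):(\d+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    severity: str  # "high" for a direct IoC match, "review" for a lead to triage
    reason: str


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing matched."""
    if m := IN_RE.match(line):
        ts, client, method, path, _status, auth = m.groups()
        if client in IOC_IPS:
            return Finding(ts, "high", f"request from known attacker IP {client}")
        if auth == "unauth" and path in WATCHED_PATHS:
            return Finding(ts, "review", f"unauthenticated {method} to backdoored path {path}")
    elif m := OUT_RE.match(line):
        ts, _src, _proto, dest, port = m.groups()
        if dest in IOC_IPS or dest in IOC_DOMAINS:
            return Finding(ts, "high", f"appliance egress to attacker infrastructure {dest}:{port}")
        if dest in RECON_EGRESS:
            return Finding(ts, "review", f"appliance egress to {dest}:{port} (recon pattern in report)")
    return None


def triage(lines):
    return [f for f in map(triage_line, lines) if f is not None]


SAMPLE = [  # constructed sample lines, not real appliance output
    "2024-01-10T12:00:01Z IN 203.0.113.5 GET /dana-na/auth/url_default/welcome.cgi 200 unauth",
    "2024-01-10T12:00:02Z IN 203.0.113.5 POST /dana-na/auth/compcheckresult.cgi 200 unauth",
    "2024-01-10T12:00:03Z IN 75.145.243.85 GET /dana-na/auth/url_default/welcome.cgi 200 unauth",
    "2024-01-10T12:00:04Z OUT 198.51.100.20 tcp ip-api.com:80",
    "2024-01-10T12:00:05Z OUT 198.51.100.20 tcp symantke.com:443",
    "2024-01-10T12:00:06Z OUT 198.51.100.20 tcp 206.189.208.156:443",
    "2024-01-10T12:00:07Z OUT 198.51.100.20 tcp updates.example.com:443",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.ts} [{f.severity}] {f.reason}")
```

Feed it a real export by replacing `SAMPLE` with lines converted to the two shapes above; the "review" hits are what the page's unauthenticated-request logging is meant to surface.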