Advanced Cybercriminals Rapidly Diversify Cyberattack Channels Following Public Vulnerability Disclosure

Threat actors rapidly diversified their attack channels after the Ivanti vulnerabilities were publicly disclosed, aiming to compromise internet-facing Ivanti edge devices as footholds and as a path to high-value data. EclecticIQ observes moderate-to-advanced cybercriminals alongside advanced persistent threats exploiting these weaknesses opportunistically, relying on backdoored web components, both new and existing infrastructure, and varied delivery channels, which raises the risk to internet-facing endpoints.

Key points

  • Ivanti web components suffered zero-day and n-day vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888) exploited to gain access and escalate privileges.
  • Exploitation pressures are expected to rise, with attackers switching to opportunistic targets to obtain high-value data and privileged credentials.
  • A backdoor is described via compcheckresult.cgi, a legitimate CGI file turned into a persistent webshell for ongoing access.
  • Two malicious files (b901cba30e2dd5bbf759fd8b72b8d2dd2e50e58bcf1a96b3983effcf881fec27 and f266fec702b13c771f0e5d6424f449696499809896d9cf8bd1288b0f6ea7e836) tie to broader malicious infrastructure and C2 activity.
  • The C2 domain symantke.com and related IPs link to a mix of past campaigns (including GH0STRAT) and new activity, with multiple compromised or obsolete web servers running vulnerable jQuery versions.
  • Layered security measures are recommended (MFA for admins, network segmentation, least privilege) to mitigate expanded attack surfaces.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to target Ivanti web components with zero-day and n-day vulnerabilities; ‘Zero-day and n-day vulnerabilities in Ivanti security system web components published beginning January 10’.
  • [T1059] Command and Scripting Interpreter – Exploitation includes ‘command-injection in multiple web components’ to execute commands via web interfaces; ‘CVE-2024-21887 – command-injection in multiple web components’.
  • [T1068] Exploitation for Privilege Escalation – Privilege escalation to ADMIN observed in the Ivanti vulnerability chain; ‘CVE-2024-21888 – privilege escalation to ADMIN’.
  • [T1505.003] Web Shell – Backdooring a legitimate CGI file (compcheckresult.cgi) to produce a webshell for persistent access; ‘This is a file exploited to produce a webshell for persistent access’.
  • [T1071.001] Web Protocols – C2 communications via a domain (symantke.com) for credential exfiltration; ‘The primary command and control domain identified for the exfiltration of credentials, symantke[.]com …’
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of credentials through the C2 infrastructure linked to web domains and IPs; ‘exfiltration of credentials’.

Indicators of Compromise

  • [IP] context – 47.103.219.77 (Hangzhou, CN), flagged as malicious by at least 10 antivirus lists; associated domain registration last modified 28.11.2023; linked to 2021 GH0STRAT activity.
  • [IP] context – 91.243.44.63 (BE), 198.12.81.50, 51.161.42.94, 172.245.191.17, 107.172.73.152 (CA)
  • [IP] context – 87.236.146.34 (EE), 185.140.248.17 (FR), 92.38.135.99 (KR), 195.123.210.174 (LV)
  • [IP] context – 185.141.26.236, 45.140.146.34 (MD), 185.117.75.123, 195.123.220.220 (NL), 40.125.65.33 (US)
  • [Domain] context – symantke[.]com – C2 domain used for credential exfiltration.
  • [File hash] context – b901cba30e2dd5bbf759fd8b72b8d2dd2e50e58bcf1a96b3983effcf881fec27, f266fec702b13c771f0e5d6424f449696499809896d9cf8bd1288b0f6ea7e836
  • [File hash] context – Related files linked to Cobalt Strike signatures (GCTI).
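The indicators above are only useful once they are matched against telemetry. The following is an added example (not part of the EclecticIQ report): it loads the domain, IPs and SHA-256 hashes listed on this page into lookup sets and scans a handful of constructed log lines (DNS, firewall, EDR and web-access records whose formats are assumed for illustration). A request to compcheckresult.cgi is reported as "review" rather than "high" because the file is legitimate and only a backdoored copy is malicious; such hits are leads to verify against the vendor's known-good file, not proof of compromise.

```python
"""Match this summary's indicators of compromise against sample log lines.

Added example, not part of the original report. IoC values are taken from the
summary above; the log lines and their formats are constructed for illustration.
"""
import re

# Indicators listed in the summary above.
C2_DOMAIN = "symantke.com"
MALICIOUS_IPS = {
    "47.103.219.77", "91.243.44.63", "198.12.81.50", "51.161.42.94",
    "172.245.191.17", "107.172.73.152", "87.236.146.34", "185.140.248.17",
    "92.38.135.99", "195.123.210.174", "185.141.26.236", "45.140.146.34",
    "185.117.75.123", "195.123.220.220", "40.125.65.33",
}
MALICIOUS_SHA256 = {
    "b901cba30e2dd5bbf759fd8b72b8d2dd2e50e58bcf1a96b3983effcf881fec27",
    "f266fec702b13c771f0e5d6424f449696499809896d9cf8bd1288b0f6ea7e836",
}
# Legitimate CGI reported as backdoored: a hit is a lead to verify, not proof.
BACKDOORED_CGI = "compcheckresult.cgi"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN = re.compile(r"(?<![\w.-])" + re.escape(C2_DOMAIN) + r"\b")


def refang(value):
    """Turn a defanged indicator such as symantke[.]com back into a real name."""
    return value.replace("[.]", ".")


def classify(line):
    """Return (severity, indicator) pairs found in one log line."""
    hits = []
    norm = refang(line.lower())
    for ip in IPV4.findall(norm):
        if ip in MALICIOUS_IPS:
            hits.append(("high", ip))
    if DOMAIN.search(norm):
        hits.append(("high", C2_DOMAIN))
    for digest in SHA256.findall(norm):
        if digest in MALICIOUS_SHA256:
            hits.append(("high", digest))
    if BACKDOORED_CGI in norm:
        hits.append(("review", BACKDOORED_CGI))
    return hits


def scan(lines):
    """Scan an iterable of log lines; return (line_number, hits) for lines with hits."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample telemetry; formats are assumed, not taken from any product.
SAMPLE_LOGS = [
    "2024-01-20T10:02:11Z dns query client=10.0.0.15 qname=symantke[.]com type=A",
    "2024-01-20T10:02:12Z fw allow src=10.0.0.15 dst=47.103.219.77 dport=443",
    "2024-01-20T10:05:30Z edr file_hash sha256="
    "b901cba30e2dd5bbf759fd8b72b8d2dd2e50e58bcf1a96b3983effcf881fec27 path=/tmp/x",
    '10.0.0.50 - - [20/Jan/2024:10:07:01 +0000] "POST /compcheckresult.cgi HTTP/1.1" 200 512',
    "2024-01-20T10:08:00Z fw allow src=10.0.0.22 dst=10.0.0.53 dport=53",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        for severity, indicator in hits:
            print(f"line {number}: {severity:6s} {indicator}")
```

Feed real logs in through `scan()` (one string per record); because matching is done on the lower-cased, re-fanged text, the same function works for defanged threat-intel feeds and for raw telemetry alike.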