Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies

Mandiant documents multi-cluster post-exploitation activity on Ivanti Connect Secure VPN appliances compromised via public CVEs, detailing China-nexus clusters and activity with possible Volt Typhoon associations, lateral movement with open-source tools and custom malware, and new malware families. Patches for all affected versions were available as of April 3, 2024, and Ivanti's enhanced external integrity checker tool (ICT) helps detect and prevent these TTPs as part of a defense-in-depth approach. #IvantiConnectSecure #CVE-2023-46805 #CVE-2024-21887 #CVE-2024-21893 #VoltTyphoon #UNC5221 #UNC5330 #UNC5337 #UNC5291 #SPAWN #TERRIBLETEA #SLIVER #CrackMapExec #GOSTProxy

Keypoints

  • Mandiant notes that, as of April 3, 2024, a patch is available for all affected Ivanti Connect Secure versions, and recommends following Ivanti’s patching guidance together with the external integrity checker tool (ICT).
  • Post-exploitation activity includes lateral movement using open-source tooling and custom malware families, with actors abusing appliance-specific functionality to achieve their objectives.
  • Several China-nexus clusters (UNC5221, UNC5266, UNC5330, UNC5337, UNC5291) have been observed exploiting these CVEs on Ivanti Connect Secure devices; some of the activity is assessed to have possible Volt Typhoon associations.
  • Activity attributed to UNC5330 and UNC5337 used Windows Management Instrumentation (WMI), registry manipulation, and GOST proxy infrastructure to propagate to and persist on internal targets.
  • New code families and tools, including the SPAWN malware family and TERRIBLETEA alongside the open-source SLIVER implant framework and CrackMapExec, show a mix of custom and open-source tooling for persistence and lateral movement.
  • Ivanti released remediation and hardening guidance and an enhanced external ICT designed to detect malware that persists across factory resets and upgrades.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access via exploitation of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 on Internet-facing Ivanti Connect Secure appliances.
  • [T1021] Remote Services – Lateral movement from the appliance into the internal network, supported by the deployment of open-source tooling and custom malware families.
  • [T1047] Windows Management Instrumentation – WMI used to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence on Windows hosts.
  • [T1112] Modify Registry – Registry entries manipulated (through WMI) as part of post-exploitation persistence.
  • [T1090] Proxy – A GOST proxy server used to facilitate deployment of malicious tools to endpoints.
  • [T1078] Valid Accounts – SSH key reuse used to move laterally to additional devices; Mandiant cites “SSH key reuse in conjunction with the temporal proximity of these events” as the link between them.
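The WMI-plus-registry pattern in the T1047 and T1112 entries above is what an endpoint detection would key on: a shell spawned directly under the WMI provider host, followed by a write to a well-known persistence location, on the same machine. The following is an added, illustrative detector written for this page, not Mandiant's or Ivanti's tooling; the event records are constructed inline in a flattened Sysmon-like shape (event_id 1 = process creation, event_id 13 = registry value set) and the rule names are hypothetical.

```python
"""Toy detection for the WMI-driven lateral movement and registry persistence
pattern (T1047 + T1112). Added example; records are constructed, not real
telemetry from the report, and field names only mirror Sysmon's."""
import re
from typing import Any, Dict, Iterable, List, Tuple

# Process that hosts WMI providers; a shell spawned directly under it is the
# classic trace of remote Win32_Process.Create execution.
WMI_HOST = "wmiprvse.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "mshta.exe", "regsvr32.exe", "wscript.exe"}

# Registry locations routinely abused for persistence: Run/RunOnce keys and
# service ImagePath values. Matched against Sysmon's TargetObject.
PERSISTENCE_KEYS = re.compile(
    r"\\(Run|RunOnce)\\|\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (host, rule, detail)

# Constructed sample telemetry for the demo.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event_id": 1, "host": "WS01",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c whoami & net group "Domain Admins" /domain'},
    {"event_id": 1, "host": "WS01",                      # benign: explorer child
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"event_id": 13, "host": "WS01",
     "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\ProgramData\update\svc.exe"},
    {"event_id": 13, "host": "WS02",                     # benign registry write
     "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LastUser",
     "details": "alice"},
    {"event_id": 1, "host": "WS02",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c Get-Process"},
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Run both rules over a stream of events and return the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        host = str(ev["host"])
        if ev["event_id"] == 1:
            parent = _basename(str(ev.get("parent_image", "")))
            child = _basename(str(ev.get("image", "")))
            if parent == WMI_HOST and child in SUSPICIOUS_CHILDREN:
                findings.append((host, "T1047 wmi_spawned_shell",
                                 str(ev.get("cmdline", ""))))
        elif ev["event_id"] == 13:
            target = str(ev.get("target_object", ""))
            if PERSISTENCE_KEYS.search(target):
                writer = _basename(str(ev.get("image", "")))
                findings.append((host, "T1112 persistence_key_write",
                                 f"{target} <- {ev.get('details', '')} ({writer})"))
    return findings


def hosts_with_wmi_and_persistence(findings: Iterable[Finding]) -> List[str]:
    """Hosts showing both a WMI-spawned shell and a persistence write: the
    combination described in the report, and a stronger signal than either
    rule on its own."""
    seen: Dict[str, set] = {}
    for host, rule, _ in findings:
        seen.setdefault(host, set()).add(rule.split()[0])
    return sorted(h for h, t in seen.items() if {"T1047", "T1112"} <= t)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, rule, detail in hits:
        print(f"{host}: {rule}: {detail}")
    print("escalate:", hosts_with_wmi_and_persistence(hits))
```

On the sample data the per-event rules fire three times (two WMI-spawned shells, one Run-key write), but only WS01 shows both behaviours; that is the host worth escalating first. In production the same logic would sit on Sysmon Event IDs 1 and 13 (or the EDR equivalents), with a time window added to the correlation so that a persistence write days after an unrelated WMI job does not pair up.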

Indicators of Compromise

  • [CVE] CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), CVE-2024-21893 (SSRF in the SAML component) – Ivanti Connect Secure vulnerabilities chained to gain initial access and enable subsequent lateral movement.
  • [Malware/Code] SPAWN family – SPAWNANT (installer), SPAWNMOLE (tunneler), SPAWNSNAIL (SSH backdoor), SPAWNSLOTH (log-tampering utility) – four components of one custom family observed on compromised appliances for persistence and control.
  • [Malware] TERRIBLETEA – A new malware family observed in post-exploitation activity.
  • [Tool] SLIVER – Open-source implant and C2 framework used as part of the post-exploitation toolkit.
  • [Tool] CrackMapExec – Open-source tool used to facilitate lateral movement and credential access.
  • [Infrastructure] GOST proxy server – Proxy used to stage tool deployment to endpoints and support lateral movement.
  • [Tool/Network] FRP – Fast Reverse Proxy download attempt observed from a compromised Ivanti Connect Secure device.

Read more: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement