Keypoints
- Public PoC released on Jan 16, 2024 preceded broad exploitation of Ivanti Connect Secure VPN vulnerabilities (CVE-2024-21887, CVE-2023-46805).
- Criminal actors delivered payloads from attacker-controlled URLs and S3 buckets, deploying XMRig cryptocurrency miners and Rust-based binaries.
- Volexity located the GIFTEDVISITOR webshell on over 2,100 Ivanti Connect Secure appliances after repeated scans.
- Threat actor UTA0178 modified the built-in Integrity Checker (scanner.py inside scanner-0.1 EGG) so it always reports zero new/mismatched files to evade detection.
- Exfiltration of configuration, web logs, and database files was observed, with stolen data placed in Internet-accessible folders for remote download.
- Organizations restoring appliances must apply the mitigation only after importing backup configurations; a backup imported after the mitigation can overwrite it, re-enable vulnerable settings, and lead to re-compromise.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Ivanti Connect Secure VPN vulnerabilities were exploited after a proof-of-concept was made public (‘public proof-of-concept code for the exploit was made public’).
- [T1105] Ingress Tool Transfer – Compromised appliances downloaded payloads from attacker-controlled URLs and S3 buckets (‘download malicious code from a variety of different attacker-controlled URLs’).
- [T1505.003] Web Shell – Operators installed the GIFTEDVISITOR webshell on Ivanti devices to maintain remote access (‘GIFTEDVISITOR webshell’).
- [T1496] Resource Hijacking – Deployed XMRig cryptocurrency miners to hijack system resources for mining (‘XMRig cryptocurrency miners’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – UTA0178 altered the Integrity Checker (scanner.py) so it always reports zero new/mismatched files, concealing compromises (‘always indicate no findings’).
- [T1020] Automated Exfiltration – Attackers stole configuration, web logs, and database files and placed them in Internet-accessible folders for remote download (‘placed in various Internet-accessible folders to be downloaded remotely’).
Indicators of Compromise
- [IP/URL] Download endpoints used to deliver payloads – hxxp://192.252.183[.]116:8089/u/123/100123/202401/d9a10f4568b649acae7bc2fe51fb5a98.sh, hxxp://192.252.183[.]116:8089/u/123/100123/202401/sshd
- [S3 URLs] Rust-based payload hosting – hxxp://abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/kaffMm40RNtkg, hxxp://archivevalley-media.s3.amazonaws[.]com/bbU5Yn3yayTtV
- [Mining pool] Cryptocurrency mining endpoint – auto.c3pool[.]org:19999 (used by XMRig miner)
- [Crypto wallets] Wallets credited by mining activity – 45yeuMC5LauAg18s7JPvpwNmPqDUrgZnhYwpQnbpo5PJKttK4GrjqS2jN1bemwMjrTc7QG414P6XgNZQGbhpwsnrKUsKSt5, 43uAMN5SYT45ZQqeNS6jkW5ssKjm7N4bmLT5uL49bvxGJnsPywn2zPhQA8nHc9XTGXavrstGj3pFy4geh3dV2x9uM8TfwzJ
- [File path] Modified integrity checker component – /home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg -> scanner/scripts/scanner.py (contains added code forcing zero mismatched/new file counts)
- [Webshell] Backdoor name observed on appliances – GIFTEDVISITOR (found on >2,100 Ivanti Connect Secure devices)
Vulnerable Ivanti Connect Secure VPN appliances were rapidly exploited after a public proof-of-concept appeared; attackers used those exploits to pull additional binaries from attacker-controlled HTTP endpoints and S3 buckets. Observed payloads include XMRig cryptocurrency miners configured to use auto.c3pool[.]org:19999 and Rust-based executables hosted at multiple S3 URLs. Compromise chains typically involved remote code execution via the VPN flaw, followed by Ingress Tool Transfer to retrieve and run mining or secondary payloads.
Persistent access and follow-on activity involved installing the GIFTEDVISITOR webshell and automated theft of configuration files, web logs, and databases, which were then staged in Internet-accessible folders for remote retrieval. In at least one intrusion attributed to UTA0178, attackers modified the Integrity Checker (scanner/scripts/scanner.py inside scanner-0.1 EGG) so the tool would always report zero new or mismatched files, effectively masking filesystem changes and evading detection.
For recovery and mitigation, ensure any imported backup configurations do not reintroduce vulnerable settings: import backups first, then apply the mitigation. Additionally, because the on-device Integrity Checker itself can be tampered with, run the external Integrity Checker (not just the on-device tool) to detect hidden alterations, remove webshells and attacker artifacts, and apply vendor patches as soon as they are available to prevent re-compromise.
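The tampered on-device checker described above always reports zero new or mismatched files, which is why an independent comparison against a baseline taken off the appliance is needed. The following is an added illustration, not Ivanti's or Volexity's code: it builds a baseline manifest of a directory tree, then re-hashes the tree and reports new, mismatched and missing files, with the checker script itself included in the baseline so edits to it are caught. The directory layout, file names and contents in the demo are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files are handled without loading them whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Baseline: relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Independent comparison of the live tree against a trusted baseline manifest."""
    current = build_manifest(root)
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    mismatched = sorted(p for p in current.keys() & baseline.keys()
                        if current[p] != baseline[p])
    return {"new": new, "mismatched": mismatched, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline a tree, then tamper with the checker and drop a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        checker = root / "scanner" / "scripts" / "scanner.py"  # mirrors the page's path layout
        checker.parent.mkdir(parents=True)
        checker.write_text("print(len(new_files), len(mismatched_files))\n")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("mode=normal\n")
        baseline = build_manifest(root)  # would be stored off-appliance in practice
        # Simulate the behaviour the page describes: checker forced to report zero findings,
        # plus one unexpected file added (placeholder content, constructed for the demo).
        checker.write_text("new_files, mismatched_files = [], []\nprint(0, 0)\n")
        (root / "etc" / "dropped.cgi").write_text("# constructed placeholder\n")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```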
Read more: https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/