THREAT ALERT: Ivanti Connect Secure VPN Zero-Day Exploitation

Cybereason warns of exploitation of Ivanti Connect Secure VPN zero-days disclosed in January 2024; exploitation was reported as early as December 2023 and escalated once proof-of-concept (PoC) code became public. Chained together, the flaws give an unauthenticated attacker command execution on the appliance. Observed follow-on activity includes credential theft, persistence via web shells, backdooring of legitimate VPN components, harvesting of user logon credentials and data exfiltration. #IvantiConnectSecure #UNC5221 #WARPWIRE #LIGHTWIRE #WIREFIRE #CHAINLINE

Keypoints

  • Ivanti Connect Secure and Ivanti Policy Secure appliances were exploited via two zero-days (CVE-2023-46805 and CVE-2024-21887), with wider activity following public PoC availability.
  • CVE-2023-46805 is an authentication bypass in the web component that lets an attacker reach restricted endpoints without credentials.
  • CVE-2024-21887 is a command injection in the web component that lets an authenticated administrator execute arbitrary commands; chained with CVE-2023-46805 it yields unauthenticated remote command execution, enabling data theft and full control of the appliance.
  • Two further flaws disclosed later widen the attack surface: CVE-2024-21888, a privilege escalation in the web component (authenticated user to administrator), and CVE-2024-21893, a server-side request forgery (SSRF) in the SAML component that is exploitable without authentication.
  • Attackers modified legitimate Ivanti components (e.g., compcheckresult.cgi) and altered web files served by the appliance to capture credentials and maintain persistence, then used the stolen credentials for lateral movement.
  • Post-exploitation activity includes coinminer deployment (resource hijacking), credential harvesting (WARPWIRE) and web shell deployment (LIGHTWIRE, WIREFIRE, BUSHWALK, CHAINLINE, FRAMETESTING) for persistence.
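Because the attackers tampered with files the appliance itself serves (compcheckresult.cgi and web assets), the practical detection is a file-integrity comparison against a known-good baseline. The script below is an added illustration of that technique, not Cybereason's or Ivanti's code: it hashes a directory tree, compares it with a baseline captured from a clean image, and reports modified, added and missing files. The directory layout and the file js/login.js are constructed for the demo; only compcheckresult.cgi comes from the alert. Run such a check from a trusted host against a copy of the filesystem, since a compromised appliance cannot be trusted to report on itself.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large web assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return files whose hash changed, files not in the baseline, and baseline files that vanished."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a golden tree versus a live tree where compcheckresult.cgi
    was altered and an extra file was dropped next to it. File contents are placeholders,
    not real appliance code or malware."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        live = Path(tmp) / "live"
        for root in (golden, live):
            (root / "cgi-bin").mkdir(parents=True)
            (root / "js").mkdir(parents=True)
            (root / "cgi-bin" / "compcheckresult.cgi").write_text("#!/usr/bin/perl\n# original component\n")
            (root / "js" / "login.js").write_text("// original logon helper (hypothetical file)\n")
        baseline = build_baseline(golden)
        # Simulate tampering on the live tree only.
        with (live / "cgi-bin" / "compcheckresult.cgi").open("a") as f:
            f.write("# appended content standing in for a backdoor\n")
        (live / "cgi-bin" / "extra.py").write_text("# dropped file standing in for a web shell\n")
        return compare_to_baseline(live, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A baseline is only as good as its source: capture it from a freshly installed image of the exact build, store it off the appliance, and treat any difference in served web components as a potential compromise until explained.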

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers exploited Internet-facing Ivanti Connect Secure endpoints to gain initial access. “[These vulnerabilities pose severe risks, enabling unauthorized command execution and system access on Internet-facing security devices.]”
  • [T1059] Command and Scripting Interpreter – The command-injection flaw is used to run arbitrary commands on the appliance. “[This vulnerability allows an authenticated attacker to execute arbitrary commands on the appliance.]”
  • [T1078] Valid Accounts – Stolen credentials are used to bypass multi-factor authentication and log in as legitimate users. “[bypass multi-factor authentication, steal confidential information, establish covert command and control channels, and potentially disrupt critical operations.]”
  • [T1003] OS Credential Dumping – Post-exploitation activity includes LSASS credential dumping; LSASS is a Windows process, so this applies to hosts reached after the appliance compromise rather than to the Linux-based appliance itself. “[such as LSASS credential dumping.]”
  • [T1505.003] Server Software Component: Web Shell – Attackers deploy web shells on the appliance to maintain persistence. “[Currently in the wild, there are two known types of webshells.]”
  • [T1056.003] Input Capture: Web Portal Capture – WARPWIRE is JavaScript injected into the appliance's logon page to capture plaintext usernames and passwords as users sign in (T1555.003, Credentials from Web Browsers, covers theft from browser password stores and does not describe this behaviour). “[WARPWIRE is a Javascript-based credential harvester, which targets plaintext username and passwords.]”
  • [T1496] Resource Hijacking – Coinminers are delivered to compromised appliances and consume their compute resources. “[deliver coinminers to the Ivanti Connect Secure appliances.]”
  • [T1041] Exfiltration Over C2 Channel – Captured credentials and other data are sent to attacker-controlled infrastructure. “[exfiltrate user login credentials.]”

Indicators of Compromise

  • [MD5] Hashes associated with WARPWIRE and web shells – 8eb042da6ba683ef1bae460af103cc44, a739bd4c2b9f3679f43579711448786f, and 8 more hashes
  • [IP] Malicious hosting and C2 infrastructure – 8.137.112.245, 50.215.39.49, and 6 more IPs
  • [Domain] Command-and-control and staging domains – symantke.com, secure-cama.com, and 10 more
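The indicators above are the ones most teams will sweep first. The script below is an added example (not Cybereason's tooling) of doing that correctly over log data: it uses the two hashes, two IPs and two domains listed in this alert (the longer lists are elided on the page), matches IPs as whole tokens so 50.215.39.49 does not fire on 150.215.39.49, matches domains including their subdomains but not look-alike suffixes, and compares hashes case-insensitively. The log lines are constructed for the demo and mimic a DNS resolver, a firewall and an endpoint hash report; field names and hostnames are hypothetical.

```python
from __future__ import annotations

import ipaddress
import re

# Indicators quoted from the alert above (the page lists more that are not reproduced here).
IOC_MD5 = {"8eb042da6ba683ef1bae460af103cc44", "a739bd4c2b9f3679f43579711448786f"}
IOC_IPS = {"8.137.112.245", "50.215.39.49"}
IOC_DOMAINS = {"symantke.com", "secure-cama.com"}

# Whole-token IPv4: lookbehind/lookahead stop "50.215.39.49" matching inside "150.215.39.49".
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Dotted hostnames ending in a letters-only label, which excludes bare IPs.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
MD5_RE = re.compile(r"\b([0-9a-f]{32})\b", re.I)


def domain_matches(host: str, iocs: set[str]) -> bool:
    """True if host equals an IOC domain or is a subdomain of one (never a look-alike suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def sweep_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) hits found in a single log line."""
    hits: list[tuple[str, str]] = []
    for ip in IP_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # drops syntactically invalid octets like 999.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if domain_matches(host, IOC_DOMAINS):
            hits.append(("domain", host.lower()))
    for digest in MD5_RE.findall(line):
        if digest.lower() in IOC_MD5:
            hits.append(("md5", digest.lower()))
    return hits


def sweep(lines: list[str]) -> list[tuple[int, str, list[tuple[str, str]]]]:
    """Sweep many lines; return (line_number, line, hits) only for lines with at least one hit."""
    return [(n, line, hits) for n, line in enumerate(lines, 1) if (hits := sweep_line(line))]


# Constructed sample logs (not real telemetry). Lines 1, 2 and 4 should fire; 3 and 5 should not.
SAMPLE_LOGS = [
    "2024-01-16T10:02:11Z dns client=10.0.5.23 query=login.secure-cama.com type=A",
    "2024-01-16T10:02:12Z fw src=10.0.5.23 dst=50.215.39.49 dport=443 action=allow",
    "2024-01-16T10:03:40Z fw src=10.0.5.24 dst=150.215.39.49 dport=443 action=allow",
    "2024-01-16T10:05:02Z edr host=vpn-gw hash=8EB042DA6BA683EF1BAE460AF103CC44 path=/tmp/x.cgi",
    "2024-01-16T10:06:00Z dns client=10.0.5.25 query=www.symantke.com.evil-lookalike.net type=A",
]


if __name__ == "__main__":
    for n, line, hits in sweep(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

Matching on a handful of public IoCs is a first sweep, not proof of absence; the modified-component and web shell findings above mean a clean IoC sweep should be followed by an integrity check of the appliance itself.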

Read more: https://www.cybereason.com/blog/threat-alert-ivanti-connect-secure-vpn-zero-day-exploitation