Tracing Ivanti Zero-Day Exploitation IoCs in the DNS

Researchers expanded Mandiant’s Ivanti zero-day IoC list through WHOIS, DNS, reverse-IP, and string searches, uncovering hundreds of connected domains, additional IPs, and email-linked artifacts tied to potentially malicious infrastructure. The investigation found infrastructure hosted across multiple countries and ISPs and linked many discovered IPs/domains to phishing and malware reports. #Ivanti #UNC5221

Keypoints

  • Ivanti Connect Secure and Policy Secure zero-days enabled remote arbitrary code execution; Mandiant attributed observed exploitation to UNC5221 and released initial IoCs (10 domains, 2 subdomains, 8 IPs).
  • WhoisXML API expanded the IoC set by finding 3 public WHOIS emails, 33 email-connected domains, 13 additional IP addresses, 211 IP-connected domains, and 153 string-connected domains.
  • Bulk WHOIS on 12 domain IoCs showed diverse registrars (Namecheap, GoDaddy, PDR, IONOS, etc.), creation dates ranging 2007–2024, and registrants across at least six countries (Iceland, U.S., Germany, South Korea, Malaysia, U.K.).
  • Screenshot analysis confirmed live web content on several domain IoCs (examples: cpanel[.]netbar[.]org, areekaweb[.]com, ehangmun[.]com), indicating active hosting of some infrastructure.
  • IP geolocation of initial and newly discovered IPs revealed distribution across multiple countries and ISPs (Cloudflare, DigitalOcean, Alibaba, Comcast, etc.), and Threat Intelligence flagged many of the added IPs for phishing/malware activity.
  • DNS lookups, reverse IP lookups, reverse WHOIS, and wildcard/string searches (e.g., clicko*, symantke*, areekaweb*) were used iteratively to grow the infrastructure graph and identify potentially dedicated hosts and similarly behaving domains.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of Ivanti Connect Secure and Policy Secure to gain arbitrary code execution on the appliance: ‘…zero-day vulnerabilities affecting Ivanti Connect Secure VPN and Policy Secure were recently reported, which could allow threat actors to execute arbitrary code with high-level access.’
  • [T1583] Acquire Infrastructure – The Mandiant IoCs are actor-controlled domains and IPs; the expanded set is connected infrastructure that still needs triage before any of it is treated as actor-owned: ‘…discovery of three public email addresses, 33 email-connected domains, 13 additional IP addresses, 211 IP-connected domains, and 153 string-connected domains.’
  • [T1595] Active Scanning – Mapped here to the researchers’ own DNS and reverse-IP enumeration, not to observed UNC5221 activity; ATT&CK techniques describe adversary behaviour, so this entry labels the investigation method rather than the actor: ‘…performed DNS lookups for the 12 domain IoCs…which led us to 13 unique IP addresses…’
  • [T1592] Search Open Websites/Datasets – Likewise describes the researchers’ WHOIS History and Reverse WHOIS pivots on exposed contact data, not attacker reconnaissance: ‘WHOIS History API searches for the domain IoCs enabled us to discover 14 email addresses in their historical WHOIS records, three of which were public.’

Indicators of Compromise

  • [Domains] initial and expanded domain IoCs – areekaweb[.]com, cpanel[.]netbar[.]org, and many others (10 reported by Mandiant + 211 IP-connected and 153 string-connected domains discovered).
  • [IP addresses] initial and discovered IPs – 104[.]21[.]61[.]132, 172[.]67[.]209[.]167, and 11+ additional IPs identified across U.S., Germany, Netherlands, Singapore, China, Cyprus, Thailand, South Korea, and Iran. Both example addresses sit in Cloudflare’s announced ranges, so they identify a shared CDN edge rather than a dedicated host; reverse-IP pivots on them return unrelated tenants and should be weighted accordingly.
  • [Email addresses] WHOIS-derived contact emails – 3 public email addresses appeared in WHOIS history (used to find 33 email-connected domains); specific emails were not published in the article.
  • [String-connected domains] pattern/wildcard discoveries – clickcomputerservices[.]com, tedtankal[.]xyz, and 145+ other domains beginning with strings taken from the IoCs (e.g., symantke*, miltonhouse*, areekaweb*); the post reports 153 string-connected domains in total.
  • [Subdomains] subdomain-derived IoCs – 2 subdomains initially tagged as IoCs were expanded to parent domains during analysis (no specific subdomain examples published).

Researchers began with Mandiant’s published IoCs (10 domains, 2 subdomains, 8 IPs) and used iterative OSINT and DNS techniques to map related infrastructure. They ran bulk WHOIS lookups on domain IoCs to collect registrar, creation-date, and registrant-country metadata, and performed screenshot analysis to verify live content on several domains. WHOIS History and Reverse WHOIS searches exposed historical/unredacted contact emails, which were pivoted to discover 33 email-connected domains.

For network pivots, DNS lookups on the domain IoCs produced 13 additional IP addresses; bulk IP geolocation identified the hosting country and ISP for each address, and Threat Intelligence queries associated many of those IPs with phishing and malware. Reverse-IP lookups on both the original and newly found IPs yielded 211 IP-connected domains, and a starts-with (wildcard/string) search on stems taken from the IoC names found 145+ further domains (153 string-connected domains in total); screenshot and WHOIS comparisons then linked similarly hosted or content-matched sites (e.g., areekaweb[.]com and tedtankal[.]xyz).
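The pivot sequence above (forward DNS on the domain IoCs, reverse IP on the resulting addresses, a starts-with search on name stems, then ISP/geolocation enrichment) is modelled offline in the following Python. It is an added example, not code from the CircleID post or from WhoisXML API: every domain, address and ISP mapping in its tables is constructed for illustration (RFC 5737 test addresses, invented names) and stands in for the live lookup services. It also adds two checks a practitioner applies when doing this by hand: reverse-IP pivots are skipped on shared CDN addresses, where the co-hosted names are other customers rather than the actor, and a starts-with search is only run on stems long enough to be distinctive.

```python
"""Offline model of the IoC-expansion pivots: forward DNS, reverse IP,
starts-with string search and IP-to-ISP enrichment.  Added example; all
tables below are constructed and stand in for the DNS, reverse-IP,
starts-with and geolocation services the post used.  Nothing here is data
from Mandiant or WhoisXML API."""
from collections import defaultdict

# --- constructed stand-in data (RFC 5737 test addresses, invented names) ---
SEED_DOMAINS = ["areekaweb[.]com", "cpanel[.]netbar[.]org"]  # defanged, as in IoC lists
SEED_IPS = ["192[.]0[.]2[.]44"]

FORWARD_DNS = {                       # domain -> A records (constructed)
    "areekaweb.com":      {"203.0.113.10"},
    "cpanel.netbar.org":  {"198.51.100.7", "198.51.100.8"},  # fronted by a shared CDN
    "tedtankal.xyz":      {"203.0.113.10"},                  # co-hosted with areekaweb.com
    "areekaweb-host.net": {"203.0.113.11"},
    "netbarmail.info":    {"192.0.2.44"},
    "bakery-menu.test":   {"198.51.100.7"},                  # unrelated tenant on the CDN edge
}
IP_ISP = {                            # ip -> (country, ISP) (constructed pairing)
    "203.0.113.10": ("DE", "Hetzner Online GmbH"),
    "203.0.113.11": ("NL", "DigitalOcean"),
    "198.51.100.7": ("US", "Cloudflare"),
    "198.51.100.8": ("US", "Cloudflare"),
    "192.0.2.44":   ("SG", "Alibaba Cloud"),
}
SHARED_HOSTING = {"Cloudflare"}       # anycast/CDN: reverse IP returns other tenants, not the actor
DEDICATED_MAX_TENANTS = 3             # at most this many names on an IP -> potentially dedicated

# Reverse index built from the forward table; stands in for a reverse-IP API.
REVERSE_IP = defaultdict(set)
for _domain, _ips in FORWARD_DNS.items():
    for _ip in _ips:
        REVERSE_IP[_ip].add(_domain)


def refang(ioc: str) -> str:
    """'areekaweb[.]com' -> 'areekaweb.com' so the value can be queried."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """Inverse of refang, for writing results back into a report."""
    return ioc.replace(".", "[.]")


def stem(domain: str) -> str:
    """Registrable label used as the wildcard prefix: cpanel.netbar.org -> 'netbar'."""
    return domain.split(".")[-2]


def forward_dns(domain: str) -> set:
    return set(FORWARD_DNS.get(domain, ()))


def reverse_ip(ip: str) -> set:
    return set(REVERSE_IP.get(ip, ()))


def starts_with(prefix: str) -> set:
    """Starts-with search ('areekaweb*') over the constructed domain catalog."""
    return {d for d in FORWARD_DNS if d.startswith(prefix)}


def expand(seed_domains, seed_ips, min_stem_len: int = 6) -> dict:
    seeds = {refang(d) for d in seed_domains}
    ips = {refang(i) for i in seed_ips}

    # Step 1: forward DNS on every domain IoC grows the IP set.
    for d in seeds:
        ips |= forward_dns(d)

    # Step 2: reverse IP on every IP, except where the host is shared
    # infrastructure; a CDN edge would pull in unrelated tenants.
    ip_connected, skipped, dedicated = set(), set(), set()
    for ip in ips:
        _country, isp = IP_ISP.get(ip, ("??", "unknown"))
        if isp in SHARED_HOSTING:
            skipped.add(ip)
            continue
        tenants = reverse_ip(ip)
        if 0 < len(tenants) <= DEDICATED_MAX_TENANTS:
            dedicated.add(ip)
        ip_connected |= tenants - seeds

    # Step 3: starts-with search only on stems long enough to be distinctive;
    # a short stem such as 'web*' would match far too many legitimate names.
    stems = {stem(d) for d in seeds if len(stem(d)) >= min_stem_len}
    string_connected = set()
    for s in stems:
        string_connected |= starts_with(s) - seeds

    # Step 4: enrichment for the report: where the retained IPs are hosted.
    hosting = {ip: IP_ISP.get(ip, ("??", "unknown")) for ip in ips - skipped}

    return {
        "ips": ips,
        "skipped_shared_ips": skipped,
        "potentially_dedicated_ips": dedicated,
        "ip_connected_domains": ip_connected,
        "string_connected_domains": string_connected,
        "hosting": hosting,
    }


if __name__ == "__main__":
    result = expand(SEED_DOMAINS, SEED_IPS)
    for key in ("ip_connected_domains", "string_connected_domains"):
        print(key, sorted(defang(d) for d in result[key]))
    print("skipped shared IPs", sorted(defang(ip) for ip in result["skipped_shared_ips"]))
    for ip, (country, isp) in sorted(result["hosting"].items()):
        print(defang(ip), country, isp)
```

The post's process was iterative; a second pass would feed the newly found domains (here areekaweb-host.net and netbarmail.info) back through `expand` so their addresses join the reverse-IP step. The two Cloudflare-fronted addresses are deliberately left out of the reverse-IP pivot and of the hosting summary: on a shared edge, the co-hosted names tell you who else uses the CDN, not who runs the actor's infrastructure.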

Overall, the method combined WHOIS/history analysis, DNS resolution, reverse-IP enumeration, screenshot verification, and wildcard string discovery to expand a modest IoC list into a broader infrastructure graph spanning hundreds of domains and multiple hosting providers—providing additional artifacts for further threat triage and takedown efforts.

Read more: https://circleid.com/posts/20240306-tracing-ivanti-zero-day-exploitation-iocs-in-the-dns