Multiple China hacker groups exploit Ivanti security flaws, say researchers

TLDR:

  • Multiple China-based hacker groups exploiting Ivanti security flaws have been identified by researchers.
  • These groups have been linked to zero-day exploitation of three security flaws impacting Ivanti appliances.

In a recent report, researchers have identified multiple China-based hacker groups exploiting Ivanti security flaws. These groups have been linked to zero-day exploitation of three security flaws impacting Ivanti appliances. The clusters of threat actors, tracked under different monikers by Mandiant, have been leveraging custom malware and creating backdoors to gain access to target environments.

One of the notable groups, UNC5330, has been observed chaining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances since February 2024. This group has been using custom malware such as TONERJAM and PHANTOMNET for post-compromise actions. Another group, UNC5337, has been infiltrating Ivanti devices since January 2024 using a custom malware toolset called SPAWN, which functions as a stealthy and persistent backdoor. Mandiant believes UNC5337 and UNC5221 are the same threat group, one that relies on purpose-built tooling to avoid detection.

UNC5221, to which earlier web shells had been attributed, has more recently deployed a Perl-based web shell known as ROOTROT in its exploitation of the Ivanti security flaws. That deployment has led to network reconnaissance, lateral movement and, in some cases, the compromise of a vCenter server through a Golang backdoor called BRICKSTORM.

These findings highlight the ongoing threat faced by edge appliances from sophisticated espionage actors who use a combination of zero-day flaws, open-source tooling, and custom backdoors to evade detection and maintain long-term access to target networks.
