TLDR:
- Two backdoors named SparkCockpit and SparkTar, targeting Ivanti’s Pulse Secure VPN appliances, have been discovered.
- These backdoors allow attackers to hijack devices and gain unauthorized access to internal networks.
A recent investigation by the NVISO Incident Response team has uncovered two covert TLS-based backdoors, named SparkCockpit and SparkTar, on Ivanti’s Pulse Secure VPN appliances. Both allow attackers to hijack the compromised appliance and use it as a foothold for unauthorized access to the internal networks behind it. The backdoors employ sophisticated techniques, with SparkTar being the more advanced of the two: its persistence mechanism is able to survive factory resets and appliance upgrades, so neither a reset nor a patch alone can be assumed to evict it.
SparkCockpit was deployed through an evolution of the Pulse Secure BUSHWALK web shell and offers basic file upload/download capabilities and command execution. SparkTar provides a more flexible toolset, including input/output streaming for executed commands and deeper persistence mechanisms. NVISO has published detection rules to help organizations determine whether their appliances have been affected by either backdoor.
These backdoors highlight the need for increased vigilance and stronger security controls around internet-facing edge appliances such as VPN gateways, which sit at the network boundary and are a high-value target for attackers. Organizations running Ivanti Pulse Secure appliances are advised to review NVISO’s report and apply the provided detection rules to check for compromise; because SparkTar can persist across factory resets and upgrades, an appliance that was exposed should be examined rather than simply reset or updated. The discovery of SparkCockpit and SparkTar is a further reminder of the persistent and sophisticated nature of threats against edge devices, and of the importance of continuously improving security posture and resilience.