SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Mandiant reveals threats to Ivanti Connect Secure appliances
Mon, 8th Apr 2024

Mandiant, the cybersecurity firm, today disclosed new findings on threat actors exploiting vulnerabilities in Ivanti Connect Secure appliances. The compromised appliances were either unpatched or did not have Ivanti's mitigation applied. Mandiant's research is a comprehensive analysis of post-exploitation activity on such appliances.

Through numerous incident response investigations, Mandiant identified five distinct threat clusters (tracked as UNCs) that have exploited one or more of the Ivanti CVEs since 10 January 2024. Alongside the China-nexus espionage groups already suspected, Mandiant stated that financially motivated actors were also found exploiting CVE-2023-46805 and CVE-2024-21887; Mandiant suspects this activity primarily supports cryptocurrency mining.

The research also led to other significant findings. Threat actors were observed using Windows Management Instrumentation (WMI) on Windows hosts inside the victim's network for reconnaissance, lateral movement, manipulation of registry entries, and persistence. Mandiant also pointed to increased use of the open-source tools SLIVER and CrackMapExec by certain threat actors to maintain their foothold after compromising a vulnerable Ivanti Connect Secure appliance.
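The article does not say how WMI was used for persistence, but the common WMI persistence mechanism is a permanent event subscription: a `__EventFilter` (a WQL trigger), an event consumer that runs code, and a `__FilterToConsumerBinding` tying them together. Sysmon records the creation of each of these as event IDs 19, 20 and 21. The following detector is an added example written for this page, not Mandiant's, Ivanti's or Sysmon's own code. It correlates the three event types over constructed log records; the `Key=Value` layout, the record contents, the user and path names, and the watchlist of script hosts are all assumptions made for the example, and the Sysmon event IDs are the only values taken from the real product.

```python
"""Flag WMI permanent event-subscription persistence in Sysmon-style WMI events.

Added example; not Mandiant's or Ivanti's code. Sysmon event IDs 19, 20 and 21
(WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter) are real Sysmon IDs,
but the records below are constructed and use a simplified Key=Value rendering
rather than Sysmon's exact XML field layout.
"""
import re
from typing import Dict, List, Tuple

EID_WMI_FILTER = 19     # Sysmon: WmiEventFilter activity detected
EID_WMI_CONSUMER = 20   # Sysmon: WmiEventConsumer activity detected
EID_WMI_BINDING = 21    # Sysmon: WmiEventConsumerToFilter activity detected

# Consumer classes that execute arbitrary code; the usual persistence vehicle.
CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Script hosts commonly seen in malicious consumers (assumed watchlist for this example).
SUSPICIOUS_HOST = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|rundll32|regsvr32|wscript|cscript)(\.exe)?\b", re.I)
# Filters that poll system uptime or the wall clock are the classic boot/timer trigger.
TIMER_TRIGGER = re.compile(
    r"__InstanceModificationEvent.*(PerfOS_System|Win32_LocalTime)", re.I | re.S)

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # Key=Value or Key="Quoted value"
_REF = re.compile(r'^(\w+)\.Name="?([^"]+)"?$')        # Class.Name="Instance"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed 'Key=Value Key="Quoted value"' record into a dict."""
    event: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        event[key] = value
    return event


def split_ref(ref: str) -> Tuple[str, str]:
    """'CommandLineEventConsumer.Name="X"' -> ('CommandLineEventConsumer', 'X')."""
    m = _REF.match(ref)
    return (m.group(1), m.group(2)) if m else ("", ref)


def find_wmi_persistence(lines: List[str]) -> List[dict]:
    """Correlate filter, consumer and binding events and score each binding."""
    events = [parse_event(line) for line in lines]
    filters: Dict[str, dict] = {}
    consumers: Dict[str, dict] = {}
    for ev in events:  # first pass: collect the definitions by name
        eid = int(ev.get("EventID", 0))
        if eid == EID_WMI_FILTER:
            filters[ev["Name"]] = ev
        elif eid == EID_WMI_CONSUMER:
            consumers[ev["Name"]] = ev

    findings = []
    for ev in events:  # second pass: judge each binding
        if int(ev.get("EventID", 0)) != EID_WMI_BINDING:
            continue
        c_class, c_name = split_ref(ev["Consumer"])
        _, f_name = split_ref(ev["Filter"])
        command = consumers.get(c_name, {}).get("Destination", "")
        query = filters.get(f_name, {}).get("Query", "")
        reasons = []
        if c_class in CODE_EXEC_CONSUMERS:
            reasons.append(f"code-executing consumer class {c_class}")
        if SUSPICIOUS_HOST.search(command):
            reasons.append("script host in consumer command line")
        if TIMER_TRIGGER.search(query):
            reasons.append("uptime/clock polling filter (boot or timer trigger)")
        if reasons:
            findings.append({
                "filter": f_name, "consumer": c_name, "user": ev.get("User", ""),
                "command": command, "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "medium",
            })
    return findings


# Constructed sample records: one benign log-writing binding, one attacker chain.
SAMPLE_EVENTS = [
    'EventID=19 Operation=Created User="NT AUTHORITY\\SYSTEM" Name="SCM Event Log Filter" Query="select * from MSFT_SCMEventLogEvent"',
    'EventID=20 Operation=Created User="NT AUTHORITY\\SYSTEM" Name="SCM Event Log Consumer" Type=NTEventLogEventConsumer',
    'EventID=21 Operation=Created User="NT AUTHORITY\\SYSTEM" Consumer="NTEventLogEventConsumer.Name=\\"SCM Event Log Consumer\\"" Filter="__EventFilter.Name=\\"SCM Event Log Filter\\""',
    'EventID=19 Operation=Created User="CORP\\jdoe" Name=BotFilter82 Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA \'Win32_PerfFormattedData_PerfOS_System\' AND TargetInstance.SystemUpTime >= 240"',
    'EventID=20 Operation=Created User="CORP\\jdoe" Name=BotConsumer23 Type=CommandLineEventConsumer Destination="powershell.exe -nop -w hidden -File C:\\Users\\Public\\update.ps1"',
    'EventID=21 Operation=Created User="CORP\\jdoe" Consumer="CommandLineEventConsumer.Name=\\"BotConsumer23\\"" Filter="__EventFilter.Name=\\"BotFilter82\\""',
]

if __name__ == "__main__":
    for f in find_wmi_persistence(SAMPLE_EVENTS):
        print(f["severity"], f["user"], f["filter"], "->", f["consumer"], "|", "; ".join(f["reasons"]))
```

The benign binding is not reported because its consumer only writes to the event log and its filter is not a timer; the constructed attacker chain is scored high because the consumer class executes code, its command line invokes PowerShell, and the filter polls system uptime, which is how such subscriptions survive a reboot. Correlating on the binding rather than on any single event matters: a filter or consumer on its own does nothing until bound.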

Among the individual clusters, UNC5291 (assessed by Mandiant with medium confidence to be Volt Typhoon) is notable. After initially targeting Citrix Netscaler ADC in December 2023, it began probing Ivanti Connect Secure appliances in mid-January 2024. Mandiant noted, however, that it has yet to observe Volt Typhoon, or any UNC suspected of being linked to Volt Typhoon, successfully compromising an Ivanti Connect Secure system.

The researchers identified four malware families that work together to build a stealthy, persistent backdoor on infected appliances: 'SPAWNANT', an installer that deploys and maintains the backdoor; 'SPAWNMOLE', a tunneler that relays the attacker's malicious traffic to it; 'SPAWNSNAIL', an SSH backdoor bound to localhost; and 'SPAWNSLOTH', which SPAWNSNAIL injects to disable event log generation and forwarding.

The report underlines the continuing need to keep edge appliances such as Ivanti Connect Secure patched and to apply the vendor's mitigations promptly. As demonstrated, these vulnerabilities are exploited by both state-level threat actors and financially motivated cybercriminals, so organisations must treat proactive security hygiene as integral to protecting sensitive information and systems.