Generative Intelligence

Chinese APT Developing Exploits to Defeat Patched Ivanti Users

Date:

A Chinese espionage group is developing malware that can persist on Ivanti edge devices even after patching, upgrades, and factory resets.

When it rains, it pours, and it has been pouring on Ivanti customers for months. In the time since the company disclosed two high-risk vulnerabilities affecting its Connect Secure, Policy Secure, and Zero Trust Access (ZTA) gateways (at that point already more than five weeks after the earliest in-the-wild exploitation), two more bugs cropped up, and then a fifth. Attackers have taken advantage to such an extent that, within the US government at least, agencies were ordered to take Ivanti products out of production to look for signs of compromise, then perform a factory reset, patch, and only afterwards return the appliance to production.

Once-delayed patches finally began to roll out in late January, but affected customers are not out of the woods yet. Research published by Mandiant this week indicates that high-level Chinese hackers are continuing to juice Ivanti for all it’s worth, developing new and more advanced methods of intrusion, stealth, and persistence.

One group, which Mandiant tracks as UNC5325 and associates with UNC3886, has been using living-off-the-land (LotL) techniques to skirt past customers' defenses, and researchers say it is only a hair's breadth away from developing malware capable of persisting on compromised devices despite patches, or even full factory resets.

Persistence Mechanisms in the Making

UNC5325’s latest experiments with persistence raise a concerning specter, according to Mandiant.

In rare instances following CVE-2024-21893 exploitation, the group has attempted to weaponize a legitimate component of Connect Secure called "SparkGateway," the researchers found. SparkGateway enables remote access protocols over a browser and, importantly, its functionality can be extended through plugins.

In this case, malicious plugins. For example, Pitfuel is a SparkGateway plugin the group uses to load the shared object LittleLamb.WoolTea, whose job is to deploy backdoors. LittleLamb.WoolTea daemonizes itself so that it runs continuously in the background of the device, and it contains several functions and components designed to survive system upgrades, patches, and factory resets.

As yet, the malware does not achieve this. Mandiant found that the failure comes down to a simple error, mismatched encryption keys, so it is likely only a matter of time before the group gets it right.

“We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat,” an Ivanti spokesperson tells Dark Reading. “To be clear, the 29 February advisory does not contain information on a new vulnerability, and Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”

The person added, "Ivanti, Mandiant, CISA and the other JCSA authoring organizations continue to recommend that defenders apply available patching guidance provided by Ivanti if they haven't done so already, and run Ivanti's updated Integrity Checker Tool (ICT), released on 27 February, to help detect known attack vectors, alongside continuous monitoring."

UNC5325 Ramps Up the Threat to Ivanti

Mandiant also elaborated on how UNC5325 was carrying out attacks throughout January and February, bypassing the company’s mitigations by taking advantage of a server-side request forgery (SSRF) vulnerability in the Security Assertion Markup Language (SAML) component of its appliances. CVE-2024-21893, as it was later labeled, earned a “high” 8.2 out of 10 score on the CVSS scale, and the group was observed chaining it with Ivanti’s prior command injection vulnerability, CVE-2024-21887.

Throughout this window of vulnerable devices, the group conducted reconnaissance against its targets, altered device settings to hide its activity, used open source tools such as interactsh and Kubo Injector, and deployed a series of custom backdoors: LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook.

Some of these tools and measures have been particularly clever, such as the stealth mechanisms built into Bushwalk, a Perl-based UNC5325 web shell embedded in a legitimate component of Ivanti Connect Secure. It was first found in the wild only hours after CVE-2024-21893 was initially disclosed.

To conceal Bushwalk, the hackers place it in a folder excluded from the device's Integrity Checker Tool (ICT) scans, and modify a Perl module so that they can activate or deactivate the web shell depending on the incoming HTTP request's user agent. This latter measure lets them exploit a blind spot in how the ICT runs: it checks the file system at fixed intervals, not continuously.

"The internal ICT is configured to run every two hours by default and is intended to be used in conjunction with continuous monitoring. Malicious file system modifications made and reverted in between the two-hour scan interval would go undetected by the ICT. When executed in tactful succession, the activation and deactivation routines can minimize the risk of ICT detection by timing the activation routine precisely with the intended usage of the BUSHWALK web shell," the authors explained.
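The gap the quote describes, a snapshot integrity check on a fixed cadence versus change detection at the moment a file is written, is easy to reproduce in miniature. The following Python script is an added example written for this article, not code from Ivanti, Mandiant or the ICT, and it makes no claim about how the real tool is implemented. It simulates a tiny appliance file system (the paths, file contents, excluded directory and timings are all constructed), an attacker who tampers with a Perl module, reverts it between scans, and drops a web shell only in a directory the checker skips, and then runs a two-hour snapshot checker, with and without an exclusion list, next to an event-driven monitor that inspects every write as it happens.

```python
"""Periodic snapshot checker vs. event-driven monitor on a simulated file system.

Added example for this article; not Ivanti, Mandiant or ICT code. Every path,
file body and timestamp below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Two-hour cadence, mirroring the default interval quoted for the internal ICT.
SCAN_INTERVAL = 2 * 60 * 60

# Constructed baseline: a stand-in for the appliance file system (path -> bytes).
# These paths are illustrative only, not real Ivanti paths.
BASELINE_FS = {
    "/home/perl/Request.pm": b"package Request; sub handle { return legit(@_) }\n",
    "/home/webserver/index.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
}
# Hypothetical directory the snapshot checker is configured to skip.
EXCLUDED_PREFIXES = ("/data/cache/",)


@dataclass(frozen=True)
class FsEvent:
    t: int                     # seconds after the baseline was taken
    path: str
    content: Optional[bytes]   # None means the file was removed


# Constructed attacker timeline: patch the module so a chosen User-Agent reaches
# the shell, use it, revert the module long before the next scan, and keep the
# shell itself only inside the excluded directory.
ATTACK_EVENTS = [
    FsEvent(600, "/home/perl/Request.pm",
            b"package Request; sub handle { return evil(@_) if "
            b"$ENV{HTTP_USER_AGENT} eq 'x'; return legit(@_) }\n"),
    FsEvent(900, "/data/cache/shell.cgi", b"#!/usr/bin/perl\n# web shell placeholder\n"),
    FsEvent(1800, "/home/perl/Request.pm", BASELINE_FS["/home/perl/Request.pm"]),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(fs: dict) -> dict:
    """Hash every file once; this is the known-good reference both checkers use."""
    return {path: sha256(body) for path, body in fs.items()}


def is_excluded(path: str, excluded) -> bool:
    return any(path.startswith(prefix) for prefix in excluded)


def periodic_scan(baseline_fs, baseline_hashes, events, horizon, interval, excluded=()):
    """Snapshot checker: replay events in time order but compare the file system to
    the baseline only at t = 0, interval, 2*interval, ... Returns paths ever flagged."""
    fs = dict(baseline_fs)
    pending = sorted(events, key=lambda e: e.t)
    next_event = 0
    flagged = set()
    for t in range(0, horizon + 1, interval):
        # Apply everything the attacker did before this scan fired.
        while next_event < len(pending) and pending[next_event].t <= t:
            ev = pending[next_event]
            if ev.content is None:
                fs.pop(ev.path, None)
            else:
                fs[ev.path] = ev.content
            next_event += 1
        for path in set(fs) | set(baseline_hashes):
            if is_excluded(path, excluded):
                continue
            current = sha256(fs[path]) if path in fs else None
            if current != baseline_hashes.get(path):
                flagged.add(path)
    return flagged


def event_monitor(baseline_hashes, events):
    """Event-driven checker: every write or delete is compared with the baseline at
    the moment it happens, with no excluded paths, so a revert cannot hide it."""
    flagged = set()
    for ev in sorted(events, key=lambda e: e.t):
        current = sha256(ev.content) if ev.content is not None else None
        if current != baseline_hashes.get(ev.path):
            flagged.add(ev.path)
    return flagged


def compare(events=ATTACK_EVENTS, horizon=SCAN_INTERVAL * 2) -> dict:
    """Run all three checkers over the same timeline and return what each flagged."""
    base = take_baseline(BASELINE_FS)
    return {
        "periodic_with_exclusions": periodic_scan(
            BASELINE_FS, base, events, horizon, SCAN_INTERVAL, EXCLUDED_PREFIXES),
        "periodic_no_exclusions": periodic_scan(
            BASELINE_FS, base, events, horizon, SCAN_INTERVAL),
        "event_monitor": event_monitor(base, events),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:26s} -> {sorted(hits) or 'nothing flagged'}")
```

Run as-is, the snapshot checker with the exclusion list flags nothing: the module is back to its baseline hash by the time the two-hour scan fires, and the shell sits in a directory it never reads. Dropping the exclusion list catches the shell but still misses the module. Only the event-driven monitor, which is the simulation's stand-in for the "continuous monitoring" the authors say the ICT is meant to be paired with, sees both modifications. The lesson carries over to any scheduled integrity check: its cadence is the attacker's budget for a change-and-revert, and its exclusion list is a map of where to hide.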

Ivanti Updates Integrity Checker Tool

Because Chinese threat actors continue to demonstrate interest in Ivanti vulnerabilities, Mandiant is urging customers “to take immediate action to ensure protection if they haven’t done so already.”

While prior attacks were able to get past detection, Ivanti has released a new version of the ICT for its VPN appliances that can help detect these latest persistence attempts.

“The ICT is not intended to be a magic bullet – it is one important and informative security tool in their arsenal, as a complement to other tools,” Ivanti said in its update earlier this week. “It is designed to provide a snapshot of the current state of the appliance when the scan takes place and cannot necessarily detect threat actor activity if the appliance has been returned to a clean state. Other security tools should be used to monitor for changes made between scans as well as malware and other indicators of compromise (IoCs).”

It added, "the ICT focuses specifically on known threat activity that is being deployed by threat actors in the wild. This maximizes meaningful results for customers and minimizes false positives, and has been validated by Mandiant in their blog as an effective tool. We will continue to enhance the ICT to detect known threats based on what we and our partners have seen in the wild."

“We recommend a defense-in-depth approach by layering on other security tools, capabilities, and human resources to assist in real-time detection and response,” says Mat Lin, security consultant with Mandiant. He added that in addition to the ICT, Ivanti also provides “log forwarding capabilities that could enable organizations to detect and respond to exploitation attempts in real time when configured properly. This is why layering on continuous monitoring to the tools that Ivanti already provides is so important for their respective customers.”
