SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Advanced Persistent Threat Protection
#
CIOs
#
Ivanti
Mandiant uncovers new findings on Ivanti zero-day exploits
Fri, 2nd Feb 2024
Author image
By Sean Mitchell, Publisher
Follow us

Researchers at Mandiant have published recommendations for the two zero-day exploits in Ivanti's security products following extensive investigations. Ivanti issued the first set of patches, with more scheduled over the coming weeks to address these vulnerabilities.

Since their initial review of these exploits, Mandiant's research team has noted broad exploitation activity, both by the original threat actor, dubbed UNC5221 and by various other hitherto uncategorized threat groups. Mandiant now regards UNC5221 as a suspected espionage threat actor with a possible link to China. Notably, the team observed a mitigation bypass technique used in the field, resulting in the deployment of a custom web shell known as BUSHWALK, which provides the attacker with read or write access to files on a server.

Mandiant's research highlights that a significant amount of the post-advisory threat activity appears to have been executed through automated tactics by these threat actors. In the course of their analysis, the team identified new malware families and fresh variants deployed by UNC5221 and, occasionally, different threat actors.

Among these identified malware is CHAINLINE, a custom backdoor, and FRAMESTING, a web shell embedded in an Ivanti Connect Secure Python package that facilitates arbitrary command execution. The aforementioned web shell, BUSHWALK, was another discovery. Each of these malicious tools empowers an attacker with privileges to manipulate server files.

Details have also surfaced about post-exploitation activity unveiled through Mandiant's incident response engagements, which includes the removal of sensitive data from systems that were compromised. Researchers even uncovered a new tactic in which Ivanti's internal integrity checking tool (ICT) – used to identify unauthorised file system changes – was manipulated by threat actors. This strategy varied from the approach highlighted by Volexity in its blog on January 18, 2024.

As threat actors employ increasingly sophisticated methods and tools to exploit vulnerabilities, pioneering research and mitigation techniques are essential. The findings from Mandiant's investigation into the Ivanti zero-day exploitation will undoubtedly prove fundamental to informing the development of future patches and prevention mechanisms.

Related stories
Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs
AI tools linked to data exposure in 1 in 5 UK organisations
KnowBe4 to acquire Egress for enhanced AI-driven cybersecurity
Mandiant unveils latest M-Trends 2024 cybersecurity report
Australian organisations face surge in ransomware attacks
Top stories
Australian businesses fast-track Microsoft cloud adoption amid cyber threats
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity