SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Mandiant uncovers new findings on Ivanti zero-day exploits
Fri, 2nd Feb 2024

Researchers at Mandiant have published recommendations for the two zero-day exploits in Ivanti's security products following extensive investigations. Ivanti issued the first set of patches, with more scheduled over the coming weeks to address these vulnerabilities.

Since their initial review of these exploits, Mandiant's research team has noted broad exploitation activity, both by the original threat actor, dubbed UNC5221, and by various other hitherto uncategorized threat groups. Mandiant now regards UNC5221 as a suspected espionage threat actor with a possible link to China. Notably, the team observed a mitigation bypass technique used in the field, resulting in the deployment of a custom web shell known as BUSHWALK, which provides the attacker with read or write access to files on a server.

Mandiant's research highlights that a significant amount of the post-advisory threat activity appears to have been executed through automated tactics by these threat actors. In the course of their analysis, the team identified new malware families and fresh variants deployed by UNC5221 and, occasionally, different threat actors.

Among the identified malware are CHAINLINE, a custom backdoor, and FRAMESTING, a web shell embedded in an Ivanti Connect Secure Python package that facilitates arbitrary command execution. The aforementioned web shell, BUSHWALK, was another discovery. Each of these malicious tools empowers an attacker with privileges to manipulate server files.

Details have also surfaced about post-exploitation activity uncovered through Mandiant's incident response engagements, including the removal of sensitive data from compromised systems. Researchers also uncovered a new tactic in which Ivanti's internal integrity checking tool (ICT) – used to identify unauthorised file system changes – was manipulated by threat actors. This tactic differed from the approach highlighted by Volexity in its blog on January 18, 2024.

As threat actors employ increasingly sophisticated methods and tools to exploit vulnerabilities, pioneering research and mitigation techniques are essential. The findings from Mandiant's investigation into the Ivanti zero-day exploitation will undoubtedly prove fundamental to informing the development of future patches and prevention mechanisms.