Recent investigations have uncovered two distinct cyber espionage groups allegedly linked to China, UNC5325 and UNC3886, both exploiting vulnerabilities in Ivanti Connect Secure VPN appliances. UNC5325 is reported to have exploited the critical vulnerability tracked as CVE-2024-21893 and to have deployed several malware families, including LITTLELAMB.WOOLTEA and PITDOG. According to Mandiant, the group appears intent on establishing persistent access to the compromised appliances.
Investigations have revealed overlapping source code between the malware utilized by UNC5325 and that of UNC3886, suggesting a possible connection between the two groups. UNC3886 has been active in exploiting zero-day vulnerabilities, specifically targeting organizations within the defense industrial base, technology sectors, and telecommunications, primarily in the U.S. and Asia-Pacific regions.
Exploitation of CVE-2024-21893, a server-side request forgery (SSRF) vulnerability, began as early as January 19, 2024. The vulnerability affects several Ivanti products, including Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access, and initial targeting was limited to specific devices. The attack chain often pairs the SSRF with a second, command injection vulnerability, CVE-2024-21887; together they give the attacker unauthorized access to vulnerable devices and lead to the deployment of updated versions of malware such as BUSHWALK.
Mandiant’s analysis highlights the abuse of legitimate Ivanti components to facilitate malicious activity. For instance, the PITFUEL plugin has been found to load the malicious LITTLELAMB.WOOLTEA, a component designed to survive system upgrades, patches, and factory resets. These persistence attempts have so far had only limited success, primarily because of rudimentary coding errors, but the group’s determination to retain ongoing access to its targets is evident.
Another observed plug-in, PITDOG, has been reported to persistently run an implant known as PITSTOP. The implant supports command execution and file management, and it lets the attackers maintain a foothold in the compromised network environment. Mandiant underscores the group’s deep understanding of the Ivanti appliances, which it uses to subvert specific components and evade detection throughout its operations.
Continued exploitation of these vulnerabilities poses significant risk. It highlights a broader trend in which UNC5325 and similar actors use zero-day vulnerabilities in network devices, and it underscores the need for robust security measures, including timely software updates and patches.
The picture is compounded by recent reporting that links the Volt Typhoon actor to activity against U.S. critical systems, emphasizing the persistent threat posed by state-sponsored actors. As confirmed by the cybersecurity firm Dragos, Volt Typhoon appears to target vital infrastructure, including electric utilities, telecommunications providers, and defense networks.
The overlapping activity of these threat groups, together with their persistent evasion tactics, continues to underscore the need for organizations to stay vigilant against an ever-evolving landscape of cybersecurity threats.
With the threat landscape continually shifting and attacks growing in sophistication, it remains critical for enterprises to take a proactive approach to protecting their networks against such advanced persistent threats. In MITRE ATT&CK terms, these actors typically rely on initial access through exploitation of vulnerabilities, persistence to keep control of compromised systems, and various privilege escalation techniques to expand their operational capabilities. The implications for U.S. organizations are profound and call for immediate attention to ensure resilience against these threats.