Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan
April 4, 2024
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
| Notes |
|---|
| KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US |
| CVE-2023-46805 https://nvd.nist.gov/vuln/detail/CVE-2023-46805 |
| CVE-2024-21887 https://nvd.nist.gov/vuln/detail/CVE-2024-21887 |
| https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence |
| 0-day |
| CVE-2024-21893 |
| CVE-2024-21887 |
| espionage |
| UNC5325 |
| Mandiant |
| China-nexus |
| Ivanti |
| Ivanti Connect Secure |
| post-exploitation |
| lateral movement |
| open-source tooling |
| https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure |
| persistence |
| TTPs |
| Remediation + Hardening Guide Ivanti Connect Secure (CS) CVE-2023-46805 / CVE-2024-21887 / CVE-2024-21888 / CVE-2024-21893 / CVE-2024-22024 https://services.google.com/fh/files/misc/ivanti-connect-secure-remediation-hardening.pdf |
| defense in depth |
| clusters of activity |
| ecrime |
| coinminer |
| UNC5291 – Citrix Netscaler ADC in December 2023, probed Ivanti Connect Secure appliances in mid-January 2024 |
| Volt Typhoon |
| UNC5221 – suspected China-nexus; only group exploiting CVE-2023-46805 and CVE-2024-21887 during the pre-disclosure time frame |
| https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitation |
| UNC5221 – conducted widespread exploitation of CVE-2023-46805 and CVE-2024-21887 following the public disclosure on Jan. 10, 2024 |
| UNC5266 – used Bishop Fox Sliver implant, TERRIBLETEA, WARPWIRE |
| UNC5266 overlaps with UNC3569 – exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator for initial access |
| UNC5330 observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances |
| PHANTOMNET and TONERJAM post-exploitation |
| Windows Management Instrumentation (WMI) for reconnaissance, lateral movement, registry manipulation, and persistence. |
| GOST proxy |
| Fast Reverse Proxy (FRP) |
| SSH key reuse attribution |
| UNC5337 – CVE-2023-46805, CVE-2024-21887 |
| SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility |
| UNC5337 might be UNC5221 |
| UNC5291 might be UNC3236 (Volt Typhoon) |
| academic, energy, defense, and health sectors |
| Cybersecurity and Infrastructure Security Agency (CISA) |
| https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a |
| CrackMapExec |
| SPAWNANT is an installer that leverages a coreboot installer function to establish persistence for the SPAWNMOLE tunneler and SPAWNSNAIL backdoor |
| hijacks a legitimate dspkginstall installer process and exports an sprintf function, adding malicious code to it before redirecting flow back to vsnprintf |
| SPAWNMOLE is a tunneler that injects into the web process |
| SPAWNSNAIL (libdsmeeting.so) is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). |
| creates a backdoor by exposing a limited SSH server on localhost port 8300 |
| SPAWNSNAIL’s second purpose is to inject SPAWNSLOTH (.liblogblock.so) into dslogserver, a process supporting event logging on Connect Secure. |
| drops a hard-coded SSH host private key to tmp.dskey, configures libssh to use the key, and then deletes tmp.dskey |
| SSH server requires public key authentication |
| The second thread injects a log tampering utility, SPAWNSLOTH (tmp.liblogblock.so), into the dslogserver process |
| SPAWNSLOTH is a log tampering utility injected into the dslogserver process |
| It can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating |
| https://github.com/kubo/funchook |
| SPAWNSLOTH uses funchook to hook the _ZN5DSLog4File3addEPKci |
| also modifies the g_do_syslog_servers_exist_p symbol. This is a pointer to a global variable controlling if event logs should be forwarded to an external syslog server. |
| web shell |
| ROOTROT is a web shell written in Perl embedded into a legitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc, placed by exploiting CVE-2023-46805 and CVE-2024-21887 |
| CVE-2019-11539 https://nvd.nist.gov/vuln/detail/CVE-2019-11539 |
| CVE-2020-8218 https://nvd.nist.gov/vuln/detail/CVE-2020-8218 |
| Lateral Movement Leading to vCenter Compromise |
| UNC5221 first moved laterally using the vCenter web console, then later using SSH |
| After moving laterally to the vCenter server, UNC5221 created new virtual machines in vCenter |
| UNC5221 accessed the vCenter appliance using SSH and downloaded the BRICKSTORM backdoor to the appliance (/home/vsphere-ui/vcli) |
| BRICKSTORM appears to masquerade as a legitimate vCenter process, vami-http |
| BRICKSTORM is a Go backdoor targeting VMware vCenter servers |
| SOCKS |
| BRICKSTORM communicates over WebSockets to a hard-coded C2. |
| BRICKSTORM checks for an environment variable, WRITE_LOG, to determine if the file needs to be executed as a child process. If the variable is false or unset, it will copy the BRICKSTORM sample from /home/vsphere-ui/vcli to /opt/vmware/sbin as vami-httpd |
| If WRITE_LOG is set to true, it assumes it is running as the correct process, deletes /opt/vmware/sbin/vami-httpd, and continues execution. |
| hard-coded WebSocket address wss://opra1.oprawh.workers[.]dev. |
| DNS over HTTPS (DoH) |
| – BRICKSTORM uses hard-coded DoH addresses |
| BRICKSTORM appears to leverage a custom Go package called wssoft. There is no known, publicly available Go package with this name. |
| https://github.com/gorilla/mux |
| https://github.com/lonng/nex |
| – BRICKSTORM API endpoints |
| UNC5330 gained initial access to the victim environment by chaining together CVE-2024-21893 and CVE-2024-21887 |
| after gaining access, UNC5330 leveraged an LDAP bind account configured on the compromised Ivanti Connect Secure appliance to abuse a vulnerable Windows Certificate Template, created a computer object, and requested a certificate for a domain administrator |
| DCSync |
| UNC5330 used the ldap-ivanti account, configured on the Ivanti appliance for LDAP bind operations, to create a domain computer object, testComputer$. UNC5330 used the newly created testComputer$ computer object to request a certificate from a vulnerable certificate template that provided enrollment rights to Domain Computers |
| UNC5330 requested a certificate for a domain administrator account, obtained a Kerberos TGT using the certificate, and performed DCSync attacks to obtain additional domain credentials |
| Once domain admin access was achieved, UNC5330 leveraged WMI to deploy the TONERJAM launcher and the PHANTOMNET backdoor |
| WMI Event Consumers |
| scheduled task |
| ActiveScript event consumers |
| The behavior, as well as the naming convention used for both the WMI artifacts and output files, is consistent with a recent version of CrackMapExec that implements WMI execution over DCE/RPC without relying on SMB |
| TONERJAM is a launcher that decrypts and executes a shellcode payload |
| TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution. |
| PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP |
| PHANTOMNET is capable of loading plugins |
| UNC5266 retrieved copies of Sliver from a Python SimpleHTTP server hosted on the same IP address as the configured command-and-control server |
| UNC5266 modified a systemd service file to register one of the copies of Sliver as a persistent daemon |
| – paths: /home/bin/netmon, /home/bin/logd, /home/runtime/logd |
| systemd service unit file: /home/config/logd.spec.cfg |
| UNC5266 leveraged a WARPWIRE variant previously reported in https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation |
| downloaded by UNC5266 from what Mandiant believes to be a compromised web server located in Rwanda |
| TERRIBLETEA |
| UNC5266 deployed a Go backdoor that Mandiant has named TERRIBLETEA |
| used curl to download malware |
| uses XXTEA for encrypted communications |
| Seven minutes after their last failed curl attempt, UNC5266 ran a wget request to an anonymous file-sharing site: pan.xj[.]hk |
| UNC5266 likely uploaded TERRIBLETEA to the file-sharing site in the intervening seven minutes |
| built using multiple open-source Go modules |
| command execution |
| keylogging |
| SOCKS5 proxy |
| port scanning |
| filesystem access |
| screen captures |
| ssh to another server and execute commands |
| darwin_amd64, linux_amd64 |
| persists with a Bash profile script located at /etc/profile.d/cron.sh |
| https://cloud.google.com/blog/topics/threat-intelligence/chinese-espionage-tactics |
| – list of IoCs |
| – YARA rules |
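
Added example, not code from the Mandiant post: a small host-triage script that checks constructed snapshots (a file listing, `/proc/<pid>/maps` lines per process, `ss -ltnp` output) for the artifacts named in the notes above: the SPAWNSNAIL/SPAWNSLOTH injected libraries and the loopback SSH listener on 8300, the BRICKSTORM `vami-httpd` masquerade on vCenter, and the Sliver and TERRIBLETEA persistence paths. Collecting those snapshots, and putting Ivanti and vCenter indicators in one table, are assumptions for the example; the indicator names and paths are the ones listed in the notes.

```python
# Indicators below are the artifact names and paths from the notes above.
SUSPECT_PATHS = {
    "/home/vsphere-ui/vcli": "BRICKSTORM drop location",
    "/opt/vmware/sbin/vami-httpd": "BRICKSTORM masquerading as vami-http",
    "/etc/profile.d/cron.sh": "TERRIBLETEA profile persistence",
    "/home/config/logd.spec.cfg": "Sliver systemd unit file",
    "/home/bin/netmon": "Sliver copy", "/home/bin/logd": "Sliver copy",
    "/home/runtime/logd": "Sliver copy",
}
# (process name, library file name) pairs for the injected SPAWN* modules.
INJECTED_LIBS = {
    ("dsmdm", "libdsmeeting.so"): "SPAWNSNAIL injected into dsmdm",
    ("dslogserver", "liblogblock.so"): "SPAWNSLOTH injected into dslogserver",
}
SPAWNSNAIL_LISTENER = ("127.0.0.1", "8300")

def check_paths(present_paths):
    """Flag every artifact path from the notes that appears in a file listing."""
    return sorted(f"{p}: {SUSPECT_PATHS[p]}" for p in present_paths if p in SUSPECT_PATHS)

def check_maps(maps_by_process):
    """maps_by_process: {process: [/proc/<pid>/maps lines]}; flag injected modules."""
    findings = []
    for (proc, lib), label in INJECTED_LIBS.items():
        for line in maps_by_process.get(proc, []):
            fields = line.split()
            # tmp.- or dot-prefixed copies (tmp.liblogblock.so, .liblogblock.so) still end with lib.
            if len(fields) >= 6 and fields[-1].endswith(lib):
                findings.append(f"{proc} maps {fields[-1]}: {label}")
    return findings

def check_listeners(ss_lines):
    """ss_lines: body lines of `ss -ltnp`. Flag the loopback SSH listener on 8300."""
    findings = []
    for line in ss_lines:
        fields = line.split()
        host, _, port = fields[3].rpartition(":") if len(fields) > 3 else ("", "", "")
        if (host, port) == SPAWNSNAIL_LISTENER:
            findings.append(f"{fields[3]} listener: possible SPAWNSNAIL SSH backdoor")
    return findings

def triage(files, maps, ss_lines):
    return check_paths(files) + check_maps(maps) + check_listeners(ss_lines)

# Constructed snapshots standing in for real collection output.
SAMPLE_FILES = ["/opt/vmware/sbin/vami-http", "/opt/vmware/sbin/vami-httpd", "/etc/profile.d/cron.sh"]
SAMPLE_MAPS = {"dslogserver": ["7f3a00000000-7f3a0001c000 r-xp 00000000 08:01 4102 /lib64/libc.so.6",
                               "7f3a10000000-7f3a10004000 r-xp 00000000 08:01 9913 /tmp/tmp.liblogblock.so"]}
SAMPLE_SS = ['LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("web",pid=1200,fd=5))',
             'LISTEN 0 128 127.0.0.1:8300 0.0.0.0:* users:(("dsmdm",pid=1300,fd=9))']
```

Running `triage(SAMPLE_FILES, SAMPLE_MAPS, SAMPLE_SS)` on the constructed snapshots yields four findings; the legitimate `vami-http` binary and the libc mapping are not flagged.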