Chinese hackers exploit Ivanti VPN flaws to deploy new malware


At least two distinct suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances.

UNC5325 exploited CVE-2024-21893 to deliver a range of new malware families, named LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, and to maintain persistent access to compromised appliances, Mandiant said.

Google's threat intelligence arm assessed with moderate confidence that UNC5325 is associated with UNC3886, based on source code overlap between LITTLELAMB.WOOLTEA and PITHOOK and malware previously used by the latter.

It's worth noting that UNC3886 has a track record of exploiting zero-day flaws in Fortinet and VMware products to deploy a variety of implants such as VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP.

“UNC3886 primarily targets the US defense, technology and telecommunications industrial organizations and… [Asia-Pacific] regions,” Mandiant researchers said.

The active exploitation of CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA, by UNC5325 is said to have taken place as early as January 19, 2024, targeting a limited number of devices.


The attack chain chains CVE-2024-21893 with a previously disclosed command injection vulnerability, tracked as CVE-2024-21887, to gain unauthorized access to vulnerable appliances, ultimately leading to the deployment of a new version of the BUSHWALK web shell.

In some cases, legitimate Ivanti components, such as SparkGateway plugins, have also been abused to drop additional payloads. This includes the PITFUEL plugin, which loads a malicious shared object codenamed LITTLELAMB.WOOLTEA that is designed to persist across system upgrade events, patches, and factory resets.

It further acts as a backdoor that supports command execution, file management, shell creation, SOCKS proxy, and network traffic tunneling.

Also observed is another malicious SparkGateway plugin, PITDOG, which injects a shared object known as PITHOOK to persistently execute an implant called PITSTOP, designed for running shell commands and writing and reading files on the compromised appliance.


Mandiant described the threat actor as having demonstrated a "nuanced understanding of the appliance and their ability to subvert detection throughout this campaign," relying on living-off-the-land (LotL) techniques to fly under the radar.

The cybersecurity firm said it expects “UNC5325 and other Chinese espionage actors will continue to leverage zero-day vulnerabilities on network edge devices and device-specific malware to gain and maintain access to target environments.”

The disclosure comes as industrial cybersecurity company Dragos attributed reconnaissance and enumeration activity targeting multiple US-based electric utilities, emergency services, telecommunications providers, defense industrial base organizations and satellite services to the China-sponsored Volt Typhoon (also known as Voltzite).


“Voltzite’s actions against U.S. electric utilities, telecommunications and GIS systems represent clear objectives to identify vulnerabilities within the nation’s critical infrastructure that could be exploited in the future with destructive or disruptive cyberattacks,” the report said.

Volt Typhoon's victimology has since expanded to include African electricity transmission and distribution providers, with evidence linking the adversary to UTA0178, a threat activity group tied to the zero-day exploitation of Ivanti Connect Secure flaws in early December 2023.


The cyber espionage actor, which relies heavily on LotL methods to evade detection, joins two other newly identified groups, Gananite and Laurionite, which came to light in 2023 conducting long-term reconnaissance and intellectual property theft operations against critical infrastructure and government agencies.

“Voltzite uses very minimal tools and prefers to conduct their operations with as little footprint as possible,” explains Dragos. “Voltzite focuses heavily on evading detection and long-term access with the calculated intent of long-term espionage and data exfiltration.”
