New details have emerged surrounding two zero-day vulnerabilities impacting Ivanti Connect Secure VPN (formerly known as Pulse Secure) and Ivanti Policy Security appliances. These vulnerabilities have been published by cybersecurity firm Mandiant. The reported vulnerabilities have seen active exploitation in the wild, beginning as early as December 2023.

Threat actor UNC5221, a suspected espionage group currently being monitored by Mandiant, is believed to be behind the exploitation of these vulnerabilities. As highlighted by Mandiant Consulting CTO Charles Carmakal, these CVEs, when chained together, result in unauthenticated remote code execution.

UNC5221 reportedly employed multiple custom malware families to conduct post-exploitation espionage activity after successfully exploiting the zero-day vulnerabilities. This includes establishing footholds for continued access to the Connect Secure (CS) appliances.

According to Mandiant's researchers, the group's preparation for maintaining persistent access to the CS appliances suggests that these are not just opportunistic attacks. It would seem UNC5221 planned to maintain its presence on a subset of high-priority targets compromised after an eventual patch release.

Mandiant's researchers added that, similar to UNC5221, they had previously noted multiple suspected APT actors resorting to appliance-specific malware to facilitate post-exploitation and evade detection. These cases, coupled with findings related to targeting, have led Mandiant to believe that this could be an espionage-motivated APT campaign.

While Mandiant continues to investigate these attacks in detail, early findings also note that UNC5221 primarily utilised compromised, out-of-support Cyberoam VPN appliances for its command and control. The compromised devices were domestic to the victims, likely further aiding the threat actor in evading detection.

Patches are currently being developed, with Ivanti customers advised to stay updated on release timelines. At present, Mandiant has not linked this activity to a previously known group. It also doesn't currently have enough data to ascertain the origin of UNC5221.

The custom malware families used by UNC5221 include ZIPLINE, a stealthy passive backdoor; THINSPOOL, a tool for persistence and detection evasion; LIGHTWIRE, for arbitrary command execution; WIREFIRE, a Python-based web shell; and WARPWIRE, a credential harvester embedded into a legitimate Connect Secure file. UNC5221 even trojanized legitimate files within Ivanti Connect Secure VPN with malicious code, a clear sign of their sophisticated tactics.

Mandiant is a cybersecurity company known for its expertise in threat intelligence, incident response, and cybersecurity consulting. Acquired by FireEye, Mandiant plays a crucial role in investigating and responding to advanced cyber threats, helping organisations enhance their security posture and mitigate cyber risks.

Mandiant is also involved in proactive threat hunting, actively searching for signs of advanced threats within an organisation's network to identify and eliminate potential risks before they escalate. Moreover, Mandiant offers training programs to educate organisations and their employees about cybersecurity best practices, helping to create a security-aware culture.