Chinese Cyber Espionage Clusters Exploit Ivanti VPN Vulnerabilities to Deploy New Malware

February 29, 2024

Two Chinese cyber espionage clusters, known as UNC5325 and UNC3886, have been exploiting security vulnerabilities in Ivanti Connect Secure VPN appliances. UNC5325 has been using a flaw, identified as CVE-2024-21893, to deploy a range of new malware types including LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. This has allowed them to maintain persistent access to compromised systems. According to Mandiant, a Google-owned threat intelligence firm, there is moderate confidence that UNC5325 is associated with UNC3886 due to overlaps in the source code of LITTLELAMB.WOOLTEA and PITHOOK malware used by both groups.

UNC3886 has a history of leveraging zero-day vulnerabilities, specifically in Fortinet and VMware solutions, to deploy a variety of implants such as VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP. The group has primarily targeted organizations in the defense, technology, and telecommunications sectors located in the U.S. and Asia-Pacific regions.

The exploitation of CVE-2024-21893 by UNC5325 began as early as January 19, 2024, affecting a limited number of devices. The group combined this vulnerability with a previously disclosed command injection vulnerability, CVE-2024-21887, to gain unauthorized access to susceptible appliances. This led to the deployment of a new version of malware known as BUSHWALK. In some cases, legitimate Ivanti components, such as SparkGateway plugins, were misused to drop additional payloads.

The malware LITTLELAMB.WOOLTEA, loaded by the PITFUEL plugin, is able to persist across system upgrades, patches, and factory resets. It acts as a backdoor that supports command execution, file management, shell creation, SOCKS proxying, and network traffic tunneling. Another malicious SparkGateway plugin, PITDOG, injects a shared object known as PITHOOK to persistently execute an implant referred to as PITSTOP, which is designed to execute shell commands and read and write files on the compromised appliance.

Mandiant noted the threat actor's nuanced understanding of the appliance and their ability to evade detection throughout the campaign. The cybersecurity firm expects UNC5325 and other China-nexus espionage actors to continue leveraging zero-day vulnerabilities on network edge devices and appliance-specific malware to gain and maintain access to target environments.

In related news, industrial cybersecurity company Dragos attributed reconnaissance and enumeration activity targeting multiple U.S.-based electric companies, emergency services, telecommunication providers, defense industrial base organizations, and satellite services to the China-sponsored group Volt Typhoon (aka Voltzite). Volt Typhoon's activities signal a clear objective: identifying weaknesses in the country's critical infrastructure that could be exploited in future destructive or disruptive cyber attacks. The group's victimology footprint has expanded to include African electric transmission and distribution providers, and there is evidence linking the adversary to UTA0178, a threat activity group associated with the exploitation of Ivanti Connect Secure flaws in early December 2023.
