Chinese Hackers Breach Ivanti Software, Target VPN Users

Two Chinese hacking factions, known as UNC5325 and UNC3886, breached the security systems of software developed by Ivanti, which is deployed for safeguarding Virtual Private Networks (VPN). Mandiant experts discovered that UNC5325 exploited a vulnerability identified as CVE-2024-21893 in Ivanti’s products to gain access to systems and install malicious software.

CVE-2024-21893, a Server-Side Request Forgery (SSRF) flaw, exists within the SAML component of Ivanti’s Connect Secure, Policy Secure, and Neurons for ZTA products. During their incursions, the attackers targeted a limited number of devices.

Lorenz Group

To infiltrate company networks, the hackers amalgamated this vulnerability with another (CVE-2024-21887), thereby stealthily circumventing protective mechanisms. Subsequently, legitimate components were utilized to download malware that enabled remote management of compromised computers, data theft, and traffic tunneling.

The UNC3886 group had previously employed similar tactics, exploiting zero-day vulnerabilities in Fortinet and VMware software to attack organizations in the United States and the Asia-Pacific region.

Mandiant’s analysis revealed that UNC5325 exhibits profound knowledge of Ivanti’s offerings and adeptly conceals its activities. The malefactors actively employ a “live off the land” tactic (LotL or LOTL), embedding malicious modules within legitimate tools.

The hackers attempted to establish a foothold within the breached networks, but these efforts were thwarted due to flaws in the malicious software’s code.

The malignant plugin PITFUEL was used to download the program LITTLELAMB.WOOLTEA, which can maintain its presence in the system through updates, patches, and factory resets.

However, LITTLELAMB.WOOLTEA lacked the logic to handle encryption key mismatches. Another plugin, PITDOG, is used for injecting the PITHOOK program, which is also designed for persistent presence.

Companies are advised to regularly update their network software and employ robust security measures to timely detect suspicious activities, including those associated with the groups UNC5325 and UNC3886.