Mandiant Uncovers “UNC5221”: Stealthy Hackers Bypass VPN Defenses with Malware Arsenal

At least five different types of malware have been employed by suspected state-sponsored hackers to gain access to company networks through Zero-Day vulnerabilities in Ivanti Connect Secure (ICS) VPN devices. These attacks have been occurring since the beginning of December 2023.

According to Mandiant, the group UNC5221 used these malware programs to bypass authentication systems and covertly access devices. To exploit vulnerable devices, hackers utilized an exploit chain that included an authentication bypass vulnerability (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887), discovered in Ivanti Connect Secure and Policy Secure products.

UNC5221

Volexity, attributing this activity to the Chinese espionage group UTA0178, previously explained that the vulnerabilities allow for initial access, web shell installation, backdoor embedding in legitimate files, credential and configuration file gathering, and deeper penetration into victims’ internal networks.

Ivanti stated that less than ten clients were affected by the attack, suggesting the campaign’s targeted nature. Patches for the two vulnerabilities (informally named ConnectAround by security researcher Kevin Beaumont) are expected to be released next week.

Mandiant’s analysis revealed that the attackers used five different malware programs. They also embedded malicious code into legitimate ICS system files and employed tools such as BusyBox (a suite of UNIX command-line utilities) and PySoxy (a SOCKS5 proxy server).

Experts note that, because of how the file systems on some of these appliances are laid out, the attackers used a Perl script to change file permissions and deploy their malware. The primary tools for maintaining access to compromised systems were the LIGHTWIRE and WIREFIRE web shells. In addition, the JavaScript-based malware WARPWIRE was used to harvest credentials, and the ZIPLINE backdoor provided file upload and download, a reverse shell, proxy server creation, and network tunneling that spreads traffic across multiple endpoints.

While UNC5221 has not yet been linked to any known group, its methods indicate an advanced persistent threat. The use of Zero-Day vulnerabilities and covert infrastructure is characteristic of state-sponsored hackers. UNC5221’s activity demonstrates that network perimeter devices remain an attractive target for espionage groups.