A newly found vulnerability in Ivanti Connect Secure VPNs has been actively exploited by an APT hacker group, identified by Google’s Mandiant cybersecurity team. These flaws are especially problematic because they are zero-days, which means the software vendor is unaware of them at the time of exploitation, rendering immediate patches unfeasible.
Escalation of VPN Exploits
Such vulnerabilities are increasingly attractive to cybercriminals as more people depend on VPNs for secure online communication. The APT group’s exploitation activities include command injection and authentication bypass, which could lead to total network control.
Identified Zero-Day Exploits
The specific vulnerabilities identified by Ivanti’s security team include CVE-2023-46805, which allows for authentication bypass, and CVE-2024-21887, which permits command injection. The exploitation began in December 2023, and Ivanti has been working closely with Mandiant to address these issues and provide security measures.
Post-exploitation, the attackers deployed custom malware and tools such as PySoxy and BusyBox. They also used a Perl script and a shell script dropper called THINSPOOL to maintain persistence and evade detection. This script allowed them to remount read-only sections of the system and insert the LIGHTWIRE web shell into a legitimate Connect Secure file.
LIGHTWIRE, along with another tool called WIREFIRE, provides the attackers with a persistent and lightweight foothold within the compromised VPN appliances, underscoring their intent for sustained access and espionage.
Mandiant’s Assessment and Recommendations
Although Mandiant’s analysts could not ascertain the origin of the threat actors due to limited data, the use of zero-day vulnerabilities to target edge infrastructure is not unprecedented. The group’s approach is characteristic of espionage efforts, as they focus on residing at the network perimeter, exploiting zero-days, commandeering devices, and remaining undetected. Cybersecurity experts strongly advise the immediate application of available security patches to counteract such threats.
