Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities

New malware linked to a China-based threat group, UNC5221, has been detected by Mandiant targeting Ivanti Connect Secure VPN and Policy Secure devices. This malware, including the web shells BUSHWALK and CHAINLINE, exploits the vulnerabilities CVE-2023-46805 and CVE-2024-21887, allowing arbitrary command execution. Additionally, Mandiant found new versions of WARPWIRE, a JavaScript credential stealer, in use. Germany’s Federal Office for Information Security (BSI) has reported multiple compromised systems in the country. Ivanti has acknowledged the situation and disclosed two additional security flaws, CVE-2024-21888 and CVE-2024-21893, the latter of which is being actively exploited by a limited number of attackers.

Security Officer Comments:
UNC5221, the threat actor behind these attacks, has been observed targeting a wide range of industries considered strategically important to China. Mandiant’s analysis suggests that UNC5221 leverages TTPs associated with zero-day exploitation, with infrastructure and tools overlapping with previous intrusions linked to Chinese espionage actors. Ivanti has responded by releasing the first round of fixes to address the vulnerabilities. However, the situation underscores both the ongoing threat posed by sophisticated actors targeting critical infrastructure and the importance of timely patching and proactive security measures.

Suggested Corrections:
Mandiant has provided additional recommendations for network defenders, including indicators of compromise (IOCs), YARA rules, and a hardening guide: