Ivanti VPN Hack: Nation-State Actors Weaponizing Ivanti VPN Zero-Days

Since early December 2023, threat actors have been exploiting Ivanti Connect Secure (ICS) VPN appliances. The actors behind the Ivanti VPN hack are suspected to be nation-state operators. They are reportedly chaining two zero-day vulnerabilities in the appliances to deploy as many as five distinct malware families, turning the VPN gateway itself into a foothold on the victim network.

Nation-State Actors Weaponize Ivanti VPN Zero-Days by Deploying Five Malware Families

This week, Mandiant published its analysis, which describes how the five malware families work together to let the attackers bypass authentication and maintain backdoor access. In plain terms: by exploiting the two zero-day vulnerabilities, the attackers planted malware that gave them persistent access to devices running Ivanti Connect Secure (ICS) VPN.

So far the Ivanti VPN hack appears to be highly selective: fewer than 10 organizations running Ivanti VPNs are known to have been compromised, which suggests the attackers chose their targets in advance rather than spraying the internet. It is also a sobering reminder that a VPN gateway, a device deployed to reduce exposure, sits on the network edge with broad trust and is itself a prime target.


How the Ivanti VPN Hack Works:

The attackers found two zero-day vulnerabilities in Ivanti VPN appliances: CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection). Chained together, the two let an unauthenticated attacker reach a vulnerable endpoint and execute arbitrary commands on the appliance, and from there drop malicious code onto the device.

Once inside, the attackers deploy five different malware families. Each serves its own purpose, and together they give the attackers persistent, authenticated-looking access to the appliance and a route into the network behind it. What makes the campaign notable is that it does not stop at device access: the tooling also harvests user credentials as they are entered at the VPN login page and proxies attacker traffic through the compromised gateway.

Alongside the custom malware families, the attackers use legitimate tools such as PySoxy and BusyBox. Here is a breakdown of each malware family and the role it plays in the Ivanti VPN hack:

1. Web Shells:

  • LIGHTWIRE: A lightweight web shell written in Perl CGI. LIGHTWIRE gives the attackers remote command execution on the appliance, allowing them to take full control of compromised devices.
  • WIREFIRE: A Python-based web shell that serves as a secondary access backdoor, giving the attackers a fallback path for running commands if LIGHTWIRE is removed.

2. Credential Stealer:

  • WARPWIRE: A custom JavaScript credential harvester. Rather than reading credentials stored on a PC, WARPWIRE is injected into the appliance's legitimate VPN login page so that usernames and passwords are captured as users type them in and sent to attacker-controlled infrastructure. Any user who logged in to a compromised Ivanti Connect Secure (ICS) appliance should therefore be treated as having had their credentials exposed.

3. Multipurpose Backdoor:

  • ZIPLINE: A multipurpose backdoor that supports a range of post-exploitation tasks on the compromised appliance, including uploading and downloading files, establishing a reverse shell back to the attackers, acting as a proxy server, and tunneling traffic so the appliance can be used as a relay into the network behind it.

4. Filesystem Remounter:

  • A Perl script that remounts the appliance's filesystem as read-write, defeating the read-only restriction the VPN device applies to protect its own files. With the filesystem writable, the attackers can install their malware and modify legitimate components on disk.

5. Shell Script Dropper:

  • THINSPOOL: A shell script used as the delivery mechanism for LIGHTWIRE. It writes the web shell to a legitimate location on the compromised appliance.
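Because the filesystem remounter works by flipping a partition that should be read-only to read-write, the mount table is one of the cheapest things a defender can check on an appliance. The following Python snippet is an added example for this article, not tooling from Ivanti or Mandiant: it parses `/proc/mounts`-style output and reports any mount point that is expected to be read-only but is currently mounted `rw`. The sample mount table and the set of expected read-only mount points (`/` and `/home/appliance`) are constructed for illustration; on a real device you would read `/proc/mounts` and supply the vendor's documented layout.

```python
# Constructed sample of /proc/mounts output from a hypothetical appliance whose
# root and application partitions are supposed to be mounted read-only.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home/appliance ext4 ro,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /data ext4 rw,relatime 0 0
"""

# Hypothetical set of mount points the appliance is expected to keep read-only.
EXPECTED_READONLY = {"/", "/home/appliance"}


def parse_mounts(text: str) -> dict:
    """Map each mount point to (device, fstype, set of mount options).

    Format is the /proc/mounts layout: device mountpoint fstype options dump pass.
    Mount points with spaces appear octal-escaped (\\040) in /proc/mounts, so a
    whitespace split is safe.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; ignore rather than crash
        device, mountpoint, fstype, options = fields[:4]
        mounts[mountpoint] = (device, fstype, set(options.split(",")))
    return mounts


def remounted_rw(text: str, expected_ro: set) -> list:
    """Return expected-read-only mount points that are currently writable."""
    mounts = parse_mounts(text)
    hits = []
    for mountpoint in sorted(expected_ro):
        if mountpoint not in mounts:
            continue  # absent entirely; a separate problem, not a remount
        _, _, options = mounts[mountpoint]
        if "rw" in options and "ro" not in options:
            hits.append(mountpoint)
    return hits


if __name__ == "__main__":
    for mp in remounted_rw(SAMPLE_MOUNTS, EXPECTED_READONLY):
        print(f"WARNING: {mp} is mounted read-write but is expected read-only")
```

A clean result from this check does not prove the device is untouched, since an attacker can remount read-only again after writing files; pair it with the vendor's integrity checker and a file-hash comparison against a known-good image.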

Who is Behind This Hack?

The nation-state actors behind this hack are suspected to be Chinese. Volexity, which first reported the exploitation, tracks the actor as UTA0178 and assesses it to be a Chinese nation-state espionage group, but there is no definitive public proof confirming that attribution.

Mandiant tracks the same activity as UNC5221. Although UNC5221 has not yet been tied to any previously identified group or nation, it exhibits the hallmarks of an advanced persistent threat (APT): it uses compromised infrastructure for command and control (C2) and is willing to spend zero-day vulnerabilities on edge infrastructure.
