China-linked cyber espionage clusters UNC5325 and UNC3886 have been identified as exploiting vulnerabilities in Ivanti Connect Secure VPN appliances, according to findings by Mandiant. UNC5325 utilized CVE-2024-21893 to deliver a range of new malware, including LITTLELAMB.WOOLTEA, PITSTOP, and others, aiming to maintain persistent access to compromised devices. Mandiant suggests a connection between UNC5325 and UNC3886 due to source code overlaps in their malware.
UNC3886, known for targeting defense, technology, and telecommunication organizations in the US and Asia-Pacific regions, has a history of leveraging zero-day flaws in Fortinet and VMware solutions to deploy implants such as VIRTUALPITA and THINCRUST. The exploitation of CVE-2024-21893, a server-side request forgery vulnerability in Ivanti Connect Secure, has been observed as early as January 19, 2024, targeting a limited number of devices.
The attack chain involves combining CVE-2024-21893 with a previously disclosed command injection vulnerability (CVE-2024-21887) to gain unauthorized access to vulnerable appliances, leading to the deployment of a new version of the BUSHWALK malware. Additionally, malicious SparkGateway plugins, like PITFUEL, have been misused to drop additional payloads such as LITTLELAMB.WOOLTEA, which persists across system upgrades and resets.
Reference:
