Cyber security news for all


Cyber Espionage Intensifies: Chinese Groups Exploit Ivanti VPN to Deploy Sophisticated Malware

In a significant escalation of cyber espionage activity, two groups believed to be linked to China, tracked as UNC5325 and UNC3886, have been implicated in exploiting vulnerabilities in Ivanti Connect Secure VPN appliances. These attacks have led to the deployment of a new suite of malware, underscoring the advanced capabilities of these threat actors.

The campaign centres on UNC5325's exploitation of CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in the SAML component of several Ivanti products. The flaw served as the entry point for delivering an array of previously unseen malware families, including LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. The group's intent was not only to infiltrate but also to establish a durable foothold within the compromised systems.

Mandiant, a Google-owned threat intelligence entity, has drawn connections between UNC5325 and UNC3886, noting significant overlaps in the malware's source code. This linkage is particularly evident in the malware variants LITTLELAMB.WOOLTEA and PITHOOK, suggesting a shared toolkit or collaboration between the groups. UNC3886 is notorious for its history of exploiting zero-day vulnerabilities in prominent security products, targeting sectors crucial to national security and infrastructure.

The operational sophistication of these attacks is further highlighted by the chaining of CVE-2024-21893 with a known command injection flaw, CVE-2024-21887. Combining the two enabled unauthorized access to vulnerable VPN appliances, culminating in the deployment of an updated version of the BUSHWALK malware.

In some instances, the attackers leveraged legitimate Ivanti components, such as SparkGateway plugins, as a conduit for deploying additional malicious payloads. One such plugin, PITFUEL, was used to load the LITTLELAMB.WOOLTEA malware, which is notably engineered to withstand system upgrades, patches, and even factory resets, although its attempts at persistence have so far been thwarted by encryption key mismatches.

The campaign showcases the threat actors' deep understanding of the targeted appliances and their adeptness at evading detection, employing living-off-the-land (LotL) techniques to blend in with legitimate network activity. Mandiant anticipates that UNC5325, along with other groups with ties to China, will continue to leverage zero-day vulnerabilities and specialized malware to infiltrate and maintain access to targeted networks.

The broader implications of these espionage activities are underscored by the operations of Volt Typhoon, another China-sponsored group. Dragos, an industrial cybersecurity firm, has linked Volt Typhoon to reconnaissance efforts against U.S. critical infrastructure, signalling a clear intent to uncover weaknesses that could be exploited in future cyber attacks. The group's focus on stealth and long-term access further emphasizes the strategic nature of these espionage campaigns, which aim at sustained intelligence gathering and the potential disruption of critical services.

As the cyber espionage landscape continues to evolve, the activities of UNC5325, UNC3886, and Volt Typhoon serve as a stark reminder of the persistent threats facing national security and critical infrastructure. The use of sophisticated malware, the exploitation of zero-day vulnerabilities, and the emphasis on stealth and persistence highlight the advanced capabilities of these threat actors and the ongoing need for robust cybersecurity defenses and intelligence-led threat hunting to counter their operations.
