A China-based espionage threat actor known as UNC5221 and other threat organizations used new malware, according to Google-owned Mandiant, during post-exploitation operations that targeted Policy Secure and Ivanti Connect Secure VPN equipment.

This features unique web shells like LIGHTWIRE, BUSHWALK, CHAINLINE, and FRAMESTING.

The business attributed it to UNC5221 and stated that it has discovered many new versions of WARPWIRE, a credential stealer based on JavaScript. “CHAINLINE is a Python web shell backdoor that is embedded in an Ivanti Connect Secure Python package that enables arbitrary command execution,” the company added.

The successful exploitation of CVE-2023-46805 and CVE-2024-21887, which let an unauthorized threat actor run arbitrary commands on the Ivanti appliance with elevated privileges, is what constitutes the infection chains.

Since early December 2023, the vulnerabilities have been exploited as zero-days. German authorities have reported that they are aware of “multiple compromised systems” (Bergen Office for Information Security, BSI).

Written in Perl, BUSHWALK is designed to read and write files to a server by evading the mitigations provided by Ivanti in highly-targeted attacks. It is integrated into a valid Connect Secure file called “querymanifest.cgi”.

However, FRAMESTING allows for arbitrary command execution. It is a Python web shell that is integrated into the Ivanti Connect Secure Python package, which can be found at “/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/”.

Through its study, Mandiant has discovered that the ZIPLINE passive backdoor uses “extensive functionality to ensure the authentication of its custom protocol used to establish command-and-control (C2).”

In addition, the assaults can be identified by the use of open-source tools such as Enum4linux, CrackMapExec, iodine, and Impacket to facilitate post-exploitation activities on Ivanti CS appliances, such as data exfiltration within victim environments, network reconnaissance, and lateral movement.

Two other security vulnerabilities, CVE-2024-21888 and CVE-2024-21893, have now been made public by Ivanti; the latter is currently being actively exploited and is intended to affect a “limited number of customers.” In order to address the four vulnerabilities, the business has also provided the initial set of fixes.

With its infrastructure and tooling overlapping with previous breaches connected to China-based espionage actors, UNC5221 is reportedly targeting a wide spectrum of companies that are strategically important to China.

“Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories,” Mandiant stated. “UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors.”