Response to Ivanti’s Recent Zero-day Vulnerability Exploitation

AttackIQ has released a new assessment template in response to the recent wave of zero-day vulnerability exploits targeting various appliances produced by software company Ivanti. This assessment template emulates the different Tactics, Techniques, and Procedures (TTPs) exhibited by the UNC5221 adversary after successful exploitation of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection). Read More

On January 10, 2024, the software company Ivanti disclosed two vulnerabilities impacting Ivanti Connect Secure VPN, formerly Pulse Secure, and Ivanti Policy Secure appliances. Successful exploitation of these vulnerabilities could result in authentication bypass and command injection, leading to further downstream compromise of a victim network.

A day later, on January 11, researchers began to detect evidence of widespread scanning by an entity with knowledge of these vulnerabilities. They observed several file paths, which are not publicly known, being requested via logs present on Ivanti Connect Secure (CS) VPN devices.

On the same day, Ivanti customers began reporting the discovery of mismatched files present on their appliances. In turn, these organizations shared the results of the built-in integrity scan which showed no signs of previous mismatched files.

Several researchers engaged in investigating the exploitation of these zero-day vulnerabilities in the wild by an adversary nicknamed UNC5221, also known as UTA0178. This adversary leveraged multiple custom malware families, in several cases trojanizing legitimate files within the device with malicious code.

AttackIQ has released a new assessment template that emulates the different Tactics, Techniques, and Procedures (TTPs) exhibited by the UNC5221 adversary following the successful exploitation of two zero-day vulnerabilities with the aim of helping customers validate their security controls and their ability to defend against this recent threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Assess their security posture against a newly discovered threat which did not carry opportunistic attacks, but aimed to maintain its presence in a subset of high priority targets it compromised after the inevitable release of a patch.
  • Continuously validate detection and prevention pipelines against widely known behaviors linked to the exploitation of these vulnerabilities.

UNC5221 – 2024-01 – Ivanti Vulnerability Post-Compromise TTPs

This assessment template emulates the different Tactics, Techniques, and Procedures (TTPs) exhibited by UNC5221 after successful exploitation of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection).

The template is divided into Tactics, and these group the Techniques and Implementations exhibited by UNC5221 during its activities.

1.Discovery: Techniques that adversaries use to discover information related to the compromised environment.

Network Service Discovery (T1046): This scenario uses nmap for scanning hosts that have open ports for Samba File Sharing (SMB), Remote Desktop (RDP), or Active Directory (LDAP) that would identify remotely accessible hosts to the attacker.

2. Collection: Techniques used by adversaries to collect the discovered information regarding the compromised system.

Archive Collected Data: Archive via Utility (T1560.001): This scenario compresses all the specified input files with the given compression level to a .7z archive by executing the 7zip binary file.

3. Credential Access: Techniques used by adversaries to harvest credentials available on the compromised system.

OS Credential Dumping: LSASS Memory (T1003.001): Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk. This process contains a variety of credential materials and can be passed to additional dumping tools to extract credentials.

4. Lateral Movement: Consists of the techniques adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it.

Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.

Remote Services: SSH (T1021.004): This scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.

5. Command and Control: Techniques that adversaries may use to communicate with systems under their control within a victim network.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Internet Connection Discovery (T1016.001): This scenario validates if the system is capable of accessing the internet by using the native curl utility to make a request to a legitimate 3rd party site that reports the external IP address used to access the domain.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following scenarios to extend the emulation of the capabilities exhibited by UNC5221. These scenarios can be selected within the scenario library and executed in the corresponding environments.

  1. Dump Active Directory Database using ntdsutil.exe (003): This scenario will attempt to execute the ntdsutil.exe utility to dump the NTDS.dit file along with the SYSTEM and SECURITY registry hives. This scenario must be run on a Domain Controller (DC).
  2. PCAP Replay – SMB Password Spraying: This scenario will simulate an SMB password spraying attack against an SMB server on port 445/TCP. A password spraying attack is a type of brute force attack where a malicious adversary attempts to brute force logins based on a list of usernames with a default or predictable password.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review Ivanti’s Patching and Detection Recommendations:

Ivanti has provided a number of recommendations for defending yourself from the exploitation of this widely known vulnerabilities. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. OS Credential Dumping: LSASS Memory (T1003.001):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

2a. Detection

Search for executions of comsvcs that attempt to access the LSASS process.

Process Name == (comsvcs)
Command Line CONTAINS (‘lsass’)

2b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

3. Ingress Tool Transfer (T1105):

This actor relies heavily in downloading additional stages of malware. Endpoint and Network security controls should both be employed to try and detect the delivery of these malicious payloads.

3a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest") AND “DownloadData” AND “Hidden”)

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the activities associated with this threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.