Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware
Cyber attacks using infected USB drives as an initial access vector have witnessed a three-fold increase in the first half of 2023.
That’s according to new findings from Mandiant, which detailed two such campaigns – SOGU and SNOWYDRIVE – targeting both public and private sector entities across the world.
SOGU is the "most prevalent USB-based cyber espionage attack using USB flash
A Single Iranian Hacker Group Targeted Both Presidential Campaigns, Google Says
APT42, which is believed to work for Iran’s Revolutionary Guard Corps, targeted about a dozen people associated with both Trump’s and Biden’s campaigns this spring, according to Google’s Threat Analysis Group.
N2K CyberWire Network Launches Cyber Talent Insights Special Series Podcast
N2K Networks today announced the premiere of Cyber Talent Insights, a three-part special series podcast that guides listeners through effective strategies to develop cybersecurity teams in the constantly changing landscape of the industry.
Multiple Chinese Hacking Groups Exploiting Ivanti Connect Secure VPN Flaw
Cybersecurity firm Mandiant has uncovered a series of sophisticated cyberattacks targeting Ivanti Connect Secure VPN appliances.
These attacks, attributed to multiple Chinese nexus espionage groups, exploit critical vulnerabilities to facilitate lateral movement and compromise Active Directory systems.
This article delves into the intricate details of the CVEs involved, the clustering and attribution of these attacks, the deployment of new TTPs and malware, and the implications of such breaches.
CVEs: The Gateway to Exploitation
The initial disclosure of CVE-2023-46805 and CVE-2024-21887 on January 10, 2024, marked the beginning of a series of incident response engagements by Mandiant.
These vulnerabilities, an authentication bypass and a command injection flaw, have been the focal points of exploitation attempts by suspected Chinese nexus espionage actors.
The exploitation of these vulnerabilities underscores the critical need for timely patching and the application of appropriate mitigations.
According to the latest report by Google, several Chinese hacking groups are currently leveraging these Ivanti Connect Secure VPN vulnerabilities to carry out their malicious activities.
Clustering and Attribution
Mandiant’s investigations have led to the clustering of these cyberattacks under the activities of two primary groups: UNC5325 and UNC5337.
Both groups are suspected of having ties to China and using the CVEs above to compromise Ivanti Connect Secure VPN appliances.
The attribution to these groups is based on deploying custom malware families and evolving their tactics, techniques, and procedures (TTPs) to exploit appliance-specific functionalities.
New TTPs and Malware
The evolution of attacker methodologies has been evident in deploying new TTPs and malware.
UNC5337, in particular, has been observed leveraging multiple custom malware families, including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility.
These tools facilitate persistence and lateral movement within compromised networks, showcasing the sophistication of these threat actors.
SPAWN Malware Family
The SPAWN malware family represents a significant advancement in the arsenal of these espionage groups.
[Figure: SPAWN malware family diagram]
Each family component serves a unique purpose, from establishing backdoor access to facilitating network tunneling and tampering with logs to evade detection.
The deployment of these tools highlights the attackers’ strategic planning and technical prowess.
While the focus has been on exploiting Ivanti Connect Secure VPN appliances, Mandiant has also identified a campaign dubbed BRICKSTORM.
This campaign leverages similar tactics and malware to target other critical infrastructures, indicating a broader threat landscape and the adaptability of these espionage groups.
Lateral Movement Leading to Active Directory Compromise
One of the most concerning aspects of these attacks is the threat actors’ ability to leverage lateral movement techniques to compromise Active Directory systems.
[Figure: UNC5330 attack path diagram]
This not only allows for the escalation of privileges but also facilitates the exfiltration of sensitive information and the deployment of additional payloads across the network.
The exploitation of Ivanti Connect Secure VPN flaws by multiple Chinese nexus espionage groups represents a significant threat to global cybersecurity.
The deployment of new TTPs and malware, coupled with the ability to compromise critical systems, underscores the need for vigilant cybersecurity practices and the timely application of patches and mitigations.
As these threat actors evolve their strategies, the cybersecurity community must remain proactive in its defense measures to protect against such sophisticated attacks.