Ivanti attacks linked to espionage group targeting defense contractors

The China-linked threat group responsible for a concerted attack on Ivanti network devices has developed “significant knowledge” of the appliances, researchers believe.

So far this year, Ivanti has issued patches for five high- and critical-severity vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for Zero Trust Access appliances.

While researchers have previously said they suspected a Chinese nation-state threat actors were responsible for exploiting the vulnerabilities, attribution to a specific group has remained elusive.

In a Feb. 27 post, researchers at Mandiant — who were hired by Ivanti to help mitigate the impact of the attacks — have linked the actors to another threat group believed to have used similar techniques in the past to target virtualization technologies.

Mandiant is tracking the actors responsible for the Ivanti attacks as UNC5325 and said in its post the group was using a combination of living-off-the-land techniques to evade detection and novel malware to persist across system upgrades, patches and factory resets. (Mandiant uses a UNC prefix to label “uncategorized” threat groups that have not been fully defined.)

“While the limited attempts observed to maintain persistence have not been successful to date due to a lack of logic in the malware's code to account for an encryption key mismatch, it further demonstrates the lengths UNC5325 will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches,” the researchers said.

Who's behind UNC5325 threat group?

UNC5325 was a suspected Chinese cyberespionage operator responsible for exploiting CVE-2024-21893, a vulnerability disclosed and patched by Ivanti on Jan. 31.

The group’s tactics, techniques and procedures (TTPs) and malware deployment “showcase the capabilities that suspected China-nexus espionage actors have continued to leverage against edge infrastructure in conjunction with zero days,” the researcher said.

They compared UNC5325 to another uncategorized Chinese threat group (UNC4841) believed to be responsible for a string of attacks last year against Barracuda Networks’ Email Security Gateway appliances.

“Similar to UNC4841’s familiarity with Barracuda ESGs, UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets,” the researchers said.

“Mandiant expects UNC5325 as well as other China-nexus espionage actors to continue to leverage zero-day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.”

The research firm assessed with moderate confidence that UNC5325 was associated with another Chinese nation-state gang, UNC3886, which is believed to be responsible for attacks in 2022 on VMware ESXi hosts and other virtualization technologies.

The researchers said UNC3886 primarily targeted the defense industrial base, technology, and telecommunication organizations in the U.S. and Asia-Pacific regions.

“We are continuing to gather evidence and identify overlaps between UNC3886 and other suspected Chinese espionage groups, including targeting and the use of distinct tactics, techniques, and procedures.”

Meanwhile, on Feb. 27, Ivanti published a new security advisory relating to the attacks on its network appliances, and advised customers it had released an enhanced version of an external integrity checker tool customers could use to check the security of their appliances.

“We continue to intensely review risks and evolving threat actor techniques,” the vendor said in the advisory.