China’s UTA0178 Threat Group Backdoors 2,100 Ivanti VPN Appliances Via Recently Disclosed 0-Days

[Image: cell phone screen with the word VPN. Source: Shutterstock]

Attacker stealing sensitive system data, tampering with built-in Integrity Check to hide signs of malicious activity.

Multiple threat actors have joined Chinese advanced persistent threat group UTA0178 in targeting two recently disclosed zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances following the public release of a proof-of-concept exploit for the flaws this week.

One of the flaws, tracked as CVE-2023-46805, allows for remote authentication bypass, while the other, tracked as CVE-2024-21887, is a command injection vulnerability with a severity score of 9.1 on the 10-point CVSS scale. Both vulnerabilities are present in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. Attackers can exploit each flaw individually or chain them together for a more powerful punch.

Ivanti disclosed the two bugs on Jan 10, 2024, with a promise to release patches for them on a staggered basis, with an initial version available to customers the week of Jan 22 and a final version targeted for the week of Feb 19. In the meantime, the company has released a mitigation for blocking potential exploitation attempts, which it has asked customers to implement immediately.

Quick take

What: More attackers are targeting two recently disclosed zero-day bugs in Ivanti Connect Secure and Ivanti Policy Secure gateways (CVE-2023-46805 and CVE-2024-21887) after a proof-of-concept exploit for the bugs became publicly available this week.

Who: Many of the attacks appear to be the work of UTA0178, a China-based threat actor engaged in cyber espionage.

How many: Security researchers at Volexity discovered at least 2,100 Ivanti ICS appliances worldwide that UTA0178 appears to have infected so far with the GIFTEDVISITOR backdoor.

Why does it matter: VPN appliances such as the vulnerable Ivanti ICS instances are hugely popular attacker targets because of the privileged initial access they provide into corporate environments.

Where can I find IoCs: Volexity and SoCRadar are among several that have provided a list of IoCs to verify signs of compromise.

On Jan 18, security vendor Volexity reported finding at least 2,100 vulnerable Ivanti ICS VPN appliances that Chinese threat actor UTA0178 has infected so far with a backdoor dubbed GIFTEDVISITOR. The number marked a substantial increase from the 1,700 GIFTEDVISITOR-infected devices that Volexity had reported discovering earlier this week. Victims include organizations across multiple verticals, including government, military defense and technology.

In many instances, the attacker has been stealing configuration data, web logs, and database files associated with accounts, session data and other information from Ivanti Connect Secure VPN appliances, Volexity said. “These files were then placed in various Internet-accessible folders to be downloaded remotely,” the security vendor said. “Volexity believes this is likely associated with UTA0178 and it may be partially automated.”

Volexity’s analysis showed that in addition to delivering the payload, UTA0178 has, in many cases, been quietly tampering with an archive file associated with a built-in tool (the Integrity Checker Tool) to hide signs of its malicious activity. “These modifications would result in the in-built Integrity Checker Tool always reporting that there were no new or mismatched files regardless of how many were identified. Administrative review of system logs would show no issues of concern,” Volexity said.
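The tampering Volexity describes works because the check and the result it reports both live on the appliance the attacker already controls. As an added example, not Volexity's or Ivanti's code, the following Python compares a file manifest collected from a device against a baseline held off-device and pins the checker's own hash to an externally stored value; all paths and hashes here are constructed for illustration.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline: dict[str, str], observed: dict[str, str]) -> dict[str, list[str]]:
    """Report files that are new, missing, or changed relative to a trusted, off-device baseline.
    Because the baseline never touches the appliance, an on-device checker that has been
    silenced cannot influence this result."""
    return {
        "new": sorted(set(observed) - set(baseline)),
        "missing": sorted(set(baseline) - set(observed)),
        "mismatched": sorted(p for p in baseline if p in observed and baseline[p] != observed[p]),
    }


def verify_checker(checker_bytes: bytes, pinned_hash: str) -> bool:
    """Trust the integrity checker's own archive only if it matches a hash pinned off-device."""
    return sha256_hex(checker_bytes) == pinned_hash


def demo_constructed() -> dict[str, list[str]]:
    """Constructed scenario (hypothetical paths): the checker archive was altered and a
    staged data file appeared in a web-served directory. Hash strings are placeholders."""
    baseline = {
        "bin/integrity_checker.tar": "aaaa",   # hypothetical, not a real ICS path
        "web/index.html": "bbbb",
        "lib/core.so": "cccc",
    }
    observed = {
        "bin/integrity_checker.tar": "ffff",   # modified: checker no longer matches
        "web/index.html": "bbbb",
        "lib/core.so": "cccc",
        "web/public/dump.txt": "dddd",         # new file in an Internet-accessible folder
    }
    return compare_manifests(baseline, observed)
```

Run the comparison on a manifest collected from the device and on the checker archive itself; any non-empty "new" or "mismatched" list, or a failed checker pin, warrants forensic review regardless of what the on-device tool reports.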

Volexity has published a complete list of IoCs for organizations that want to verify signs of compromise.