Chinese threat actors have persisted in exploiting recent Ivanti Connect Secure VPN vulnerabilities, as reported by Mandiant. Despite the flaws being patched on January 31, with one addressed earlier, attackers continued to exploit them, specifically targeting a server-side request forgery (SSRF) vulnerability (CVE-2024-21893) to deploy new malware families such as LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook. Mandiant attributes these attacks to a Chinese threat actor identified as UNC5325, which is linked to UNC3886, known for targeting defense, technology, and telecommunication organizations in the US and APJ regions. UNC5325 demonstrated a nuanced understanding of Ivanti’s VPN appliance, deploying web shells, backdoors, and persistently injecting shared objects like LittleLamb.WoolTea and PitHook, despite some persistence attempts failing due to encryption key differences. Mandiant concludes that these tactics highlight the sophistication of Chinese threat actors in leveraging zero-day vulnerabilities and targeting edge infrastructure.
Read more: https://www.securityweek.com/chinese-cyberspies-use-new-malware-in-ivanti-vpn-attacks/