New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities

By neub9

Feb 01, 2024


Network Security / Malware

Google-owned Mandiant has reported new malware used by a China-nexus espionage actor it tracks as UNC5221, and by other threat groups, during post-exploitation activity against Ivanti Connect Secure VPN and Policy Secure appliances.

The newly identified malware includes the custom web shells BUSHWALK, CHAINLINE and FRAMESTING, along with a variant of the previously documented LIGHTWIRE web shell.

“CHAINLINE is a Python web shell backdoor that is embedded in an Ivanti Connect Secure Python package, allowing arbitrary command execution,” the company reported. Mandiant also identified multiple new versions of WARPWIRE, a JavaScript-based credential stealer.

The infection chains exploit CVE-2023-46805, an authentication bypass, chained with CVE-2024-21887, a command injection flaw. Together the two allow an unauthenticated attacker to execute arbitrary commands on the Ivanti appliance with elevated privileges.
