Adrian Johnson
TLDR:
- Mandiant released new research on ongoing investigation into Ivanti zero-day exploitation by threat actor UNC5325
- Recommendations for Ivanti customers to take immediate action for protection
Mandiant’s research on Ivanti Connect Secure VPN exploitation by threat actor UNC5325 reveals the use of living-off-the-land techniques and novel malware to evade detection and remain embedded in devices. Customers are urged to take action to protect their systems by following Ivanti’s security advisory and using the external integrity checker.
Key findings include the impact on thousands of organizations, the suspected link to Chinese cyber espionage, and code overlap with malware used by another PRC cyber espionage group. Although UNC5325 is not linked to Volt Typhoon, the threat actor’s sophisticated knowledge of Ivanti devices poses a significant risk.
Despite similarities with another threat actor UNC5221, Mandiant currently tracks UNC5325 and UNC5221 as separate entities due to insufficient data. Ivanti customers are advised to refer to Mandiant’s Hardening Guide for the latest recommendations on protecting their systems.
Full Article:
Mandiant’s investigation into the Ivanti Connect Secure VPN exploitation by threat actor UNC5325 has revealed a sophisticated use of living-off-the-land techniques and novel malware to evade detection and maintain access to devices. The threat actor, suspected to be a Chinese cyber espionage operator, has impacted thousands of organizations across various industry verticals.
Previous patches were effective in preventing infiltration if applied before UNC5325 accessed an organization’s systems. However, the threat actor’s nuanced understanding of Ivanti devices poses a significant challenge for customers. Some of the malware used by UNC5325 shows code overlap with malware used by UNC3886, another PRC cyber espionage group identified by Mandiant.
While UNC5325 and UNC3886 are distinct threat actors, similarities with UNC5221 raise questions about potential connections. Mandiant currently tracks UNC5325 and UNC5221 separately due to a lack of conclusive data. Ivanti customers are urged to take immediate action to protect their systems by following Ivanti’s security advisory and using the external integrity checker.
Overall, the investigation highlights the need for organizations to be vigilant about the evolving threat landscape and take proactive measures to secure their systems against sophisticated threat actors like UNC5325. Mandiant’s ongoing research serves as a reminder of the importance of staying informed and implementing recommended security measures to mitigate risks.
