TLDR:
- Security agencies warn attackers could gain persistence on Ivanti VPN appliances
- Attackers could bypass integrity checks and survive factory resets
Security agencies from several nations have issued a warning that attackers have been able to deceive the integrity checking tools Ivanti provided in response to recent attacks exploiting zero-day vulnerabilities in its Connect Secure and Policy Secure gateways. The attackers have also identified a technique, in a lab setting, that could be used to achieve malware persistence on Ivanti devices despite factory resets. Ivanti has responded by releasing an enhanced version of its external integrity checking tool (ICT) to address these vulnerabilities. However, incident response engagements have revealed that both the internal and the external integrity checking tools provided by Ivanti failed to detect compromises in some cases.
Mandiant has observed limited attacks perpetrated by a China-based APT group that displayed a high level of knowledge of, and familiarity with, the internal workings of Ivanti SSL VPN gateways. The group has been using living-off-the-land (LotL) techniques and novel malware such as LITTLELAMB.WOOLTEA to evade detection and persist across system upgrades, patches, and factory resets. The attackers have deployed a backdoor called BUSHWALK, written in Perl, to maintain access to compromised devices. They have also devised several techniques for making those backdoors persist across system patches and factory resets.
The authorities recommend that network defenders assume any credentials stored within Ivanti VPN appliances are compromised and hunt for malicious activity using the detection methods and indicators of compromise (IoCs) provided. Organizations are advised to run Ivanti's most recent external ICT, apply the available patching guidance, and collect and analyze logs and artifacts to detect malicious activity. The agencies suggest continuously monitoring Ivanti devices and weighing the risks of keeping them on the network, given the potential for sophisticated threat actors to deploy persistent rootkits.