Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware
29-Feb-24
Suspected China-linked cyber espionage clusters, UNC5325 and UNC3886, exploit Ivanti Connect Secure VPN flaws, particularly the CVE-2024-21893 SSRF vulnerability, to deploy new malware such as LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. UNC3886 has a history of leveraging zero-day flaws in Fortinet and VMware solutions. Mandiant attributes UNC5325 to UNC3886 due to source code overlaps, indicating a sophisticated understanding of the Ivanti appliance and a nuanced approach to subverting detection. Another China-sponsored group, Volt Typhoon, targets U.S. electric entities and telecommunications, with evidence linking it to UTA0178, which exploited Ivanti Connect Secure flaws in December 2023.
