Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network.
Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor, currently being tracked as UNC5221.
Post Exploitation Activity
Following the successful exploitation of CVE-2023-46805 and CVE-2024-21887, UNC5221 leveraged multiple custom malware families, in several cases trojanizing legitimate files within Connect Secure (CS) with malicious code.
Due to certain sections of the device being read-only, UNC5221 leveraged a Perl script to remount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling.
The LIGHTWIRE and WIREFIRE web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances.
Custom Malware Identified
ZIPLINE Passive Backdoor
ZIPLINE is a passive backdoor that hijacks an exported function, accept(), from the file libsecure. The commands it supports include:
File Upload. The command contains the path of the file to be sent to the connected host.
File Download. The command contains the file path and its content to be saved on the compromised system.
Reverse Shell. A reverse shell is created using /bin/sh and the provided command is executed.
Root
, and then appends this string to each file within the.
THINSPOOL Dropper
THINSPOOL is a dropper written in shell script that writes the web shell LIGHTWIRE to a legitimate CS file.
THINSPOOL will re-add the malicious web shell code to legitimate files after an update, allowing UNC5221 to persist on the compromised devices.
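Because THINSPOOL writes its web shell into a legitimate file and re-adds it after an update, a known-good file-hash baseline compared against the live filesystem is the simplest way to surface the trojanized file and any new dropper alongside it. The following is an added example, not Mandiant's code or any Ivanti tooling: it builds a SHA-256 baseline of a directory tree, diffs the live tree against it, and runs the comparison on a constructed temporary tree whose file names and contents are invented for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large appliance files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree with a known-good baseline.

    'modified' is what a dropper that appends web-shell code to a legitimate
    file produces; 'added' catches new tooling written to disk; 'removed'
    catches deleted files.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a tiny fake tree stands in for the appliance filesystem.

    File names and contents here are invented for the example; they are not
    real Connect Secure paths or the real malware.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        cgi = root / "cgi-bin" / "example.cgi"
        cgi.parent.mkdir()
        cgi.write_text('#!/usr/bin/perl\nprint "Content-Type: text/html\\n\\n";\n')
        (root / "etc").mkdir()
        (root / "etc" / "config").write_text("version=1\n")

        baseline = build_baseline(root)  # taken from the known-good state

        # Simulate the behaviour the page describes: a legitimate file gets
        # code appended to it, and a new dropper script appears on disk.
        with cgi.open("a") as f:
            f.write("# appended line standing in for web-shell code (constructed)\n")
        (root / "tmp_dropper.sh").write_text("#!/bin/sh\n")

        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline has to come from an out-of-band known-good image and the comparison should run from a trusted environment: an actor that has remounted the filesystem read/write can alter any on-box checker as easily as the CGI files it protects.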
LIGHTWIRE and WIREFIRE Web Shells
LIGHTWIRE is a web shell written in Perl CGI that is embedded into a legitimate Connect Secure file to enable arbitrary command execution.
WIREFIRE is a web shell written in Python that is inserted as trojanized logic into a component of the Connect Secure appliance.
WIREFIRE supports downloading files to the compromised device and executing arbitrary commands.
WARPWIRE Credential Harvester
WARPWIRE captures credentials submitted during the web logon to access layer 7 applications, like RDP. Captured credentials are Base64-encoded with btoa() before they are submitted to the C2 via an HTTP GET request.
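The exfiltration path described above (credentials run through btoa() and sent to the C2 in a GET request) leaves a distinctive trace in outbound web logs: a GET whose query parameter is standard Base64 that decodes to something resembling a username and password. The following added example, not part of the original report or any Mandiant tooling, scans constructed proxy log lines for exactly that. The log format, client addresses, C2 host (c2.invalid) and parameter name are invented for the example; the heuristics are deliberately loose and meant as a hunting starting point, not a signature.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in a simplified "timestamp client method url" format.
# Hosts, addresses and payloads are invented for this example.
SAMPLE_LOG = """\
2024-01-10T08:01:12Z 10.20.0.15 GET https://vpn.corp.example/dana-na/auth/url_default/welcome.cgi
2024-01-10T08:01:13Z 10.20.0.15 GET https://c2.invalid/collect?d=amRvZTpQQHNzdzByZCE=
2024-01-10T08:02:44Z 10.20.0.22 GET https://cdn.example/app.js?v=20240110
2024-01-10T08:03:01Z 10.20.0.22 GET https://c2.invalid/collect?d=dXNlcm5hbWU9YWxpY2UmcGFzc3dvcmQ9aHVudGVyMg%3D%3D
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Decoded payloads that look like a submitted logon: key=value credential fields
# or a bare "user:password" pair.
CRED_RE = re.compile(r"(user(name)?|pass(word)?|pwd)\s*[=:]", re.I)
PAIR_RE = re.compile(r"^[^\s:]{1,64}:[^\s]{1,128}$")


def decode_b64(value: str):
    """Decode a btoa()-style (standard alphabet) Base64 value, or return None.

    After form-decoding, a '+' in standard Base64 arrives as a space, and some
    senders strip the '=' padding, so both are repaired before decoding.
    """
    value = value.replace(" ", "+")
    value = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_like_credentials(text: str) -> bool:
    return bool(CRED_RE.search(text) or PAIR_RE.match(text))


def scan_log(log_text: str) -> list:
    """Return one record per GET whose query carries a credential-like Base64 value."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url = m.groups()
        if method != "GET":
            continue
        parts = urlsplit(url)
        for key, values in parse_qs(parts.query).items():  # parse_qs percent-decodes for us
            for v in values:
                decoded = decode_b64(v)
                if decoded and looks_like_credentials(decoded):
                    hits.append({
                        "time": ts,
                        "client": client,
                        "host": parts.hostname,
                        "param": key,
                        "decoded": decoded,
                    })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} ?{hit['param']}= {hit['decoded']!r}")
```

In practice the destination matters more than the payload shape: once a suspicious host is identified from one hit, pivot to every request to that host from the VPN appliance's address range, regardless of whether the payload decodes cleanly.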
Mandiant has previously observed multiple suspected APT actors utilizing appliance-specific malware to enable post-exploitation and evade detection.
UNC5221 primarily used compromised out-of-support Cyberoam VPN appliances for C2. These compromised devices were domestic to the victims, which likely helped the threat actor to better evade detection.
Conclusion & Recommendations
UNC5221's activity demonstrates that exploiting, and then living on, the edge of networks remains a viable and attractive approach for espionage actors.
As we have previously reported, the combination of zero-day exploitation, edge device compromise, use of compromised C2 infrastructure, and detection evasion methods such as writing code to legitimate files have become a hallmark of espionage actors' toolboxes.
This Cyber News was published on www.mandiant.com. Publication date: Fri, 12 Jan 2024 00:43:05 +0000