Posts with label: Hacker Groups

Researchers Uncover Numerous Chinese Hacker Collectives Exploiting Ivanti Security Vulnerabilities


Multiple threat actors with ties to China have been identified exploiting three security vulnerabilities in Ivanti appliances: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

Mandiant, the cybersecurity firm tracking this activity, groups it into clusters it calls UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Separately, Mandiant also links abuse of these flaws to UNC3886, a Chinese hacking group previously known for exploiting zero-day bugs in Fortinet and VMware products to infiltrate networks.

Financially motivated actors have also been observed exploiting CVE-2023-46805 and CVE-2024-21887, likely for cryptocurrency mining purposes.

"UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said.

Post-exploitation activities by these threat actors often involve deploying malicious tools such as the Sliver command-and-control framework, WARPWIRE credential stealer variant, and a new backdoor named TERRIBLETEA, which comes with various functionalities like command execution and keylogging.

UNC5330 has been combining CVE-2024-21893 and CVE-2024-21887 to target Ivanti Connect Secure VPN appliances, leveraging custom malware like TONERJAM and PHANTOMNET for further actions. These include reconnaissance, lateral movement, and compromising LDAP bind accounts for higher privileges.

UNC5337, another China-linked group, has been using CVE-2023-46805 and CVE-2024-21887 to infiltrate Ivanti devices since January 2024, deploying a custom malware toolset known as SPAWN. This toolset includes the components SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH, designed for stealthy and persistent backdoor access.

Mandiant assesses with medium confidence that UNC5337 and UNC5221 are the same group, and highlights the sophistication of tooling built specifically to avoid detection.

UNC5221 has also been associated with various web shells and a Perl-based web shell called ROOTROT, which is embedded into legitimate files to evade detection. Successful deployment of these shells leads to network reconnaissance and lateral movement, potentially compromising vCenter servers with a Golang backdoor named BRICKSTORM.

Finally, UNC5291, likely associated with another group called UNC3236, has been targeting the academic, energy, defense, and health sectors, initially focusing on Citrix NetScaler ADC before shifting to Ivanti Connect Secure devices.

These findings underline the ongoing threat posed by edge appliances, with threat actors combining zero-day vulnerabilities, open-source tools, and custom backdoors to evade detection and maintain access to networks for extended periods.

Rival Cybercrime Groups Offer Conflicting Accounts of Casino Attack


In the latest development, members of the hacking group Scattered Spider have asserted that they were the initial perpetrators of the MGM network breach last week. 

However, the ransomware gang Alphv, also known as BlackCat, countered this claim with a detailed statement on its dark-web leak site, insisting that it was the true culprit.

Alphv's statement, while claiming responsibility, left a crucial question unanswered: whether Scattered Spider was acting as an affiliate of Alphv or an independent group utilizing Alphv-developed ransomware. This conflicting narrative is further muddying an already tumultuous news cycle, marked by speculative discussions on social media.

Definitive confirmation regarding the identity of the MGM attacker remains elusive until either the company or law enforcement authorities release public details about the incident. 

Both Scattered Spider and Alphv represent significant cyber threats in their own right, according to experts. Scattered Spider, believed to be comprised of young adults in the U.S. and the U.K., is notorious for employing social engineering tactics in their attacks. 

Charles Carmakal, CTO at Google Cloud's Mandiant, noted the group's recent use of Alphv's ransomware encryptor. Its past exploits include a high-profile campaign affecting over 130 organizations that resulted in the theft of more than 10,000 employees' login credentials.

Meanwhile, Alphv, thought to be based in Russia, has earned a reputation for conducting ruthless and widespread attacks. Their tactics have included releasing sensitive images from breast cancer patients' examinations while extorting the Lehigh Valley Health Network earlier this year. Notable victims have also included Western Digital and Sun Pharmaceuticals.

In the realm of ransomware, identities are intentionally obscured to hinder law enforcement's efforts to trace attacks back to their source. It's not uncommon for a major ransomware operator to claim credit for an attack initiated by an affiliate. Additionally, a larger group like Alphv could independently carry out an entire attack internally.

Ultimately, MGM, in conjunction with the FBI and third-party cyber incident response firms, will possess the most reliable information regarding the assailant's identity and the specifics of how the breach occurred.