One Article Review

Home - The article:
Source Mandiant
Identifier 8500398
Publication date 2024-04-04 14:00:00 (viewed: 2024-05-15 19:06:53)
Title Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
Text Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan
Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325. This blog post, as well as our previous reports detailing Ivanti exploitation, helps to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied. Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we've seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives. As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti's latest patching guidance and instructions to prevent further exploitation activity. In addition, Ivanti released a new enhanced external integrity checker tool (ICT) to detect potential attempts of malware persistence across factory resets and system upgrades and other tactics, techniques, and procedures (TTPs) observed in the wild. We also released a remediation and hardening guide
Rating ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat Studies Mobile Cloud
Stories Guam


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.