One Article Review

Home - The article:
Source Mandiant
Identifier 8635099
Publication date 2025-01-08 14:00:00 (viewed: 2025-01-09 00:07:56)
Title Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Text Written by: John Wolfram, Josh Murchie, Matt Lin, Daniel Ainsworth, Robert Wallace, Dimiter Andonov, Dhanesh Kizhakkinan, Jacob Thompson

Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.

On Wednesday, Jan. 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow. Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network.

Ivanti and its affected customers identified the compromise based on indications from the company-supplied Integrity Checker Tool (“ICT”) along with other commercial security monitoring tools. Ivanti has been working closely with Mandiant, affected customers, government partners, and security vendors to address these issues. As a result of their investigation, Ivanti has released patches for the vulnerabilities exploited in this campaign, and Ivanti customers are urged to follow the actions in the Security Advisory to secure their systems as soon as possible.

Mandiant is currently performing analysis of multiple compromised Ivanti Connect Secure appliances from multiple organizations. The activity described in this blog utilizes insights collectively derived from analysis of these infected devices, and Mandiant has not yet conclusively tied all of the activity described below to a single actor. In at least one of the appliances undergoing analysis, Mandiant observed the deployment of the previously observed SPAWN ecosystem of malware (which includes the SPAWNANT installer, SPAWNMOLE tunneler and the SPAWNSNAIL SSH backdoor). The deployment of the SPAWN ecosystem of malware following the targeting of Ivanti Connect Secure appliances has been attributed to
Notes ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat Industrial Cloud Commercial


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.