Security News > 2024 > February > State-sponsored hackers know enterprise VPN appliances inside out

Suspected Chinese state-sponsored hackers leveraging Ivanti Connect Secure VPN flaws to breach a variety of organizations have demonstrated "a nuanced understanding of the appliance", according to Mandiant incident responders and threat hunters.

"While the limited attempts observed to maintain persistence have not been successful to date due to a lack of logic in the malware's code to account for an encryption key mismatch, it further demonstrates the lengths UNC5325 will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches," Mandiant's specialists noted.

The most interesting thing about the attacks is not the exploitation of previously unknown vulnerabilities and the bypassing of mitigations employed to fix them, but the specialized knowledge leveraged by the attackers to achieve persistence on targeted devices despite enterprise defenders' efforts.

"We identified a technique allowing BUSHWALK to remain in an undetected dormant state by creatively modifying a Perl module and LotL technique by using built-in system utilities unique to Ivanti products," they shared.

State-sponsored hacking groups compromising edge devices to achieve a foothold into organizations is not news, but it's becoming increasingly obvious that they know the target devices inside out.

Dutch intelligence services reported earlier this month that Chinese state-sponsored hackers had breached the Dutch Ministry of Defense in 2023 and deployed a new remote access trojan specifically built for Fortinet's FortiGate appliances.

News URL

https://www.helpnetsecurity.com/2024/02/28/hackers-enterprise-vpn-appliances/