Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
Tags
Common Information
Type | Value |
---|---|
UUID | 9e79ec8c-a373-4185-8d9d-05cea91bd92f |
Fingerprint | 2d7e88714479d204 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Jan. 9, 2025, midnight |
Added to db | Jan. 9, 2025, 1:26 a.m. |
Last updated | Jan. 20, 2025, 12:53 p.m. |
Headline | Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation |
Title | Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog |
Detected Hints/Tags/Attributes | 103/3/31 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 437 | ✔ | Threat Intelligence | https://cloudblog.withgoogle.com/topics/threat-intelligence/rss/ | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 67 | | cve-2025-0282 |
Details | CVE | 50 | | cve-2025-0283 |
Details | CVE | 62 | | cve-2023-46805 |
Details | CVE | 80 | | cve-2024-21887 |
Details | Domain | 7 | | dsupgrade.pm |
Details | Domain | 2 | | main.cc |
Details | Domain | 4 | | log.events |
Details | Domain | 1 | | libupgrade.so |
Details | Domain | 1 | | libsocks5.so |
Details | Domain | 3 | | libsshd.so |
Details | Domain | 1 | | liblogblock.so |
Details | Domain | 14 | | duosecurity.com |
Details | Domain | 3 | | dsauth.pm |
Details | Domain | 138 | | ld.so |
Details | Domain | 9 | | scanner.py |
Details | File | 1 | | remotedebug.bak |
Details | File | 1 | | cgi.bak |
Details | File | 1 | | pm.bak |
Details | File | 24 | | audit.log |
Details | File | 9 | | scanner.py |
Details | md5 | 2 | | e7d24813535f74187db31d4114f607a1 |
Details | md5 | 1 | | 4f79c70cce4207d0ad57a339a9c7f43c |
Details | md5 | 2 | | d18e5425ecd9608ecb992606b974e15d |
Details | md5 | 1 | | d4e46eed76ad86f08a40993c3e340bab |
Details | Mandiant Uncategorized Groups | 16 | | UNC5337 |
Details | Mandiant Uncategorized Groups | 25 | | UNC5221 |
Details | Yara rule | 1 | | rule M_APT_Installer_SPAWNSNAIL_1 (full rule listed under Yara rules below) |
Details | Yara rule | 1 | | rule M_APT_Installer_SPAWNANT_1 (full rule listed under Yara rules below) |
Details | Yara rule | 1 | | rule M_APT_Tunneler_SPAWNMOLE_1 (full rule listed under Yara rules below) |
Details | Yara rule | 1 | | rule M_Dropper_PHASEJAM_1 (full rule listed under Yara rules below) |
Details | Yara rule | 1 | | rule M_Credtheft_DRYHOOK_1 (full rule listed under Yara rules below) |

Yara rules

```yara
rule M_APT_Installer_SPAWNSNAIL_1
{
    meta:
        author = "Mandiant"
        description = "Detects SPAWNSNAIL. SPAWNSNAIL is an SSH backdoor targeting Ivanti devices. It has an ability to inject a specified binary to other process, running local SSH backdoor when injected to dsmdm process, as well as injecting additional malware to dslogserver"
        md5 = "e7d24813535f74187db31d4114f607a1"
    strings:
        $priv = "PRIVATE KEY-----" ascii fullword
        $key1 = "%d/id_ed25519" ascii fullword
        $key2 = "%d/id_ecdsa" ascii fullword
        $key3 = "%d/id_rsa" ascii fullword
        $sl1 = "[selinux] enforce" ascii fullword
        $sl2 = "DSVersion::getReleaseStr()" ascii fullword
        $ssh1 = "ssh_set_server_callbacks" ascii fullword
        $ssh2 = "ssh_handle_key_exchange" ascii fullword
        $ssh3 = "ssh_add_set_channel_callbacks" ascii fullword
        $ssh4 = "ssh_channel_close" ascii fullword
    condition:
        uint32(0) == 0x464c457f and $priv and any of ($key*) and any of ($sl*) and any of ($ssh*)
}
```

```yara
rule M_APT_Installer_SPAWNANT_1
{
    meta:
        author = "Mandiant"
        description = "Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box."
    strings:
        $s1 = "dspkginstall" ascii fullword
        $s2 = "vsnprintf" ascii fullword
        $s3 = "bom_files" ascii fullword
        $s4 = "do-install"
        $s5 = "ld.so.preload"
        $s6 = "LD_PRELOAD"
        $s7 = "scanner.py"
    condition:
        uint32(0) == 0x464c457f and 5 of ($s*)
}
```

```yara
rule M_APT_Tunneler_SPAWNMOLE_1
{
    meta:
        author = "Mandiant"
        description = "Detects a specific comparisons in SPAWNMOLE tunneler, which allow malware to filter put its own traffic . SPAWNMOLE is a tunneler written in C and compiled as an ELF32 executable. The sample is capable of hijacking a process on the compromised system with a specific name and hooking into its communication capabilities in order to create a proxy server for tunneling traffic."
        md5 = "4f79c70cce4207d0ad57a339a9c7f43c"
    strings:
        $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] 3C 01 0F 85 }
        $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 1B 0F 85 }
    condition:
        uint32(0) == 0x464c457f and all of them
}
```

```yara
rule M_Dropper_PHASEJAM_1
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings identified in the PHASEJAM dropper"
        md5 = "d18e5425ecd9608ecb992606b974e15d"
    strings:
        $str1 = "AccessAllow()"
        $str2 = "/jam/getComponent.cgi"
        $str3 = "jam/getComponent.cgi.bak"
        $str4 = "sh=$(echo CnN1Y"
        $str5 = "up=$(echo CnN1Y"
        $str6 = "grep -q 'sub AccessAllow()'"
        $str7 = "cp -f /home/bin/remotedebug /home/bin/remotedebug.bak"
        $str8 = "chmod 777 /home/bin/remotedebug.bak"
        $str9 = "cp -f /home/perl/DSUpgrade.pm /home/perl/DSUpgrade.pm.bak"
        $str10 = "pkill cgi-server"
    condition:
        8 of them and filesize < 20KB
}
```

```yara
rule M_Credtheft_DRYHOOK_1
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings identified in the DRYHOOK credential stealer"
        md5 = "d4e46eed76ad86f08a40993c3e340bab"
    strings:
        $str1 = "/home/perl/DSAuth.pm"
        $str2 = "replace_content"
        $str3 = "replace1_content"
        $str4 = "replace2_content"
        $str5 = "pkill cgi-server"
        $str6 = "setPrompt ="
        $str7 = "runSignin = \\*DSAuthc::RealmSignin_runSignin"
        $str8 = "/bin/mount -o remount,rw / > /dev/null 2>&1"
        $str9 = { 64 61 74 61 20 3D 20 72 65 2E 73 75 62 28 62 22 5C 2A 72 75 6E 53 69 67 6E 69 6E 45 42 53 4C 20 3D 2E 2A 3B 22 2C 62 61 73 65 36 34 2E 62 36 34 64 65 63 6F 64 65 28 72 65 70 6C 61 63 65 32 5F 63 6F 6E 74 65 6E 74 2E 65 6E 63 6F 64 65 28 29 29 2E 64 65 63 6F 64 65 28 29 2E 65 6E 63 6F 64 65 28 22 75 6E 69 63 6F 64 65 5F 65 73 63 61 70 65 22 29 2C 64 61 74 61 29 }
    condition:
        8 of them and filesize < 20KB
}
```