Security agencies from several nations warn that attackers were able to deceive the integrity checking tools provided by Ivanti in response to the recent attacks exploiting zero-day vulnerabilities in its Connect Secure and Policy Secure gateways. The agency also identified a technique in a lab setting that could be used to achieve malware persistence on Ivanti devices despite factory resets.

“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory co-authored with the US Federal Bureau of Investigation (FBI), the Australian Signals Directorate, the UK’s National Cyber Security Centre, Canada’s Communications Security Establishment (CSE), and New Zealand’s National Cyber Security Centre.

Ivanti responded by releasing an enhanced version of its external integrity checking tool (ICT) and said it believes the persistence technique devised by CISA in its lab would not work in a live customer environment because attackers would lose their connection to the device.

Integrity checker failed to detect compromises in some cases

CISA identified during multiple incident response engagements that both the internal and external integrity checking tools provided by Ivanti failed to detect the existing compromises. These are tools that check important areas of the file system for modifications and known signs that could indicate an attack.

However, since these tools execute periodically and not continuously — the internal one checks every two hours — malware authors could attempt to evade detection by activating their malware in between the scans. This is exactly what incident response firm Mandiant has observed in limited attacks perpetrated by a China-based APT group that it tracks as UNC5325. This group started exploiting the CVE-2024-21893 vulnerability hours after Ivanti publicly disclosed it on January 31 and displayed a high level of knowledge and familiarity with the internal workings of Ivanti SSL VPN gateways, suggesting it has reversed-engineered these devices.

“Notably, Mandiant has identified UNC5325 using a combination of living-off-the-land (LotL) techniques to better evade detection, while deploying novel malware such as LITTLELAMB.WOOLTEA in an attempt to persist across system upgrades, patches, and factory resets,” the company said in a report this week.

One of the implants deployed by UNC5325 is a web shell — a web-based remote access backdoor — dubbed BUSHWALK that’s written in Perl and embedded into a legitimate Ivanti Connect Secure component called querymanifest.cgi. In the most recent attacks, the group used a new variant of this shell and a technique that allowed them to enable and disable it based on the user-agent string specified in requests sent to the shell.