Mandiant uncovers intricate UNC5325 cyber attacks on Ivanti devices
Mandiant, a cybersecurity vendor, has today disclosed new findings from its ongoing investigation into the pervasive exploitation of an Ivanti zero-day vulnerability. Its research reveals that the threat actor, identified as UNC5325, is employing a mix of 'living-off-the-land' (LotL) techniques to thwart detection, as well as launching innovative malware in an attempt to remain entrenched in Ivanti devices, despite system reboots, upgrades, and patches.
Mandiant's researchers highlight that these fresh insights underscore UNC5325's intricate understanding and extensive familiarity with the Ivanti Connect Secure appliance. In light of these revelations, the cybersecurity firm is strongly advising Ivanti users who haven't yet done so to swiftly adopt protective measures to secure their devices.
This necessary action entails adhering to Ivanti's recent security advisory, utilising Ivanti's novel external integrity checker, and consulting Mandiant's updated 'Hardening Guide', which incorporates the most current recommendations.
Key findings from the research disclose that UNC5325, a suspected Chinese cyber espionage operator, likely exploited Ivanti zero-days, impacting thousands of devices across numerous industry sectors, including the U.S. defence industrial base sector. Notably, Mandiant has found no evidence suggesting a link between UNC5325 and Volt Typhoon.
Prior patches proved successful, but only when implemented before UNC5325 infiltrated an organisation. Some of the malware UNC5325 deployed exhibits code overlap with malware previously identified as being utilised by UNC3886, another PRC cyber espionage group that Mandiant had previously identified as leveraging novel techniques to impact VMware ESXi hosts.
On the basis of these findings, Mandiant assesses with moderate confidence that UNC5325 may be UNC3886. Concurrently, UNC3886 shares similar Tactics, Techniques and Procedures (TTPs) with UNC5221, a third group initially identified by Mandiant as exploiting Ivanti zero-days. However, the cybersecurity firm currently lacks sufficient data to definitively establish whether UNC5325 and UNC5221 are, in fact, the same actor.
Given this state of uncertainty, both UNC5325 and UNC5221 are currently being treated as separate threat actors by Mandiant until further data can shed more light on their potential association. These revelations underline the complex and evolving nature of cyber threats faced by organisations and emphasise the need for continuous vigilance and adoption of robust cybersecurity measures.