Mandiant released new research today about its ongoing investigation into the widespread Ivanti zero-day exploitation, revealing that the threat actor – currently tracked as UNC5325 – is using a combination of living-off-the-land (LotL) techniques to better evade detection, and deploying novel malware in an attempt to remain embedded in Ivanti devices, even after factory resets, system upgrades, and patches.
According to Mandiant’s researchers, these new findings demonstrate UNC5325 has a “nuanced understanding” and “significant knowledge” of the Ivanti Connect Secure appliance.
As a result, Mandiant is urging Ivanti customers to “immediately take action to ensure protection if they haven’t done so already,” by following Ivanti’s new security advisory, using Ivanti’s new external integrity checker, and referring to Mandiant’s updated Hardening Guide, which includes the latest recommendations.
Key findings on what we know and don’t know:
- UNC5325 is a suspected Chinese cyber espionage operator
- Mandiant does not have any evidence to show that UNC5325 is linked to Volt Typhoon
- Exploitation of Ivanti zero-days has likely impacted thousands of organizations across a variety of industry verticals, including the U.S. defense industrial base sector
- Previous patches were effective, but only if they were applied before UNC5325 infiltrated an organization
- Some of the malware deployed by UNC5325 contains code overlap with malware used by UNC3886, which is a PRC cyber espionage group that Mandiant previously identified leveraging novel techniques to impact VMware ESXi hosts
- Mandiant suspects with medium confidence that UNC5325 is UNC3886
- Despite UNC3886 having TTPs similar to those of UNC5221, which Mandiant initially identified exploiting the Ivanti zero-days, Mandiant does not currently have sufficient data to determine if these two are indeed the same actor
- As a result, UNC5325 and UNC5221 are currently tracked as two separate threat actors