The bad news for the US manufacturer Ivanti continues. Security holes in its “Connect Secure” and “Policy Secure” products that became known in January allow attackers to nest deep inside compromised systems. The US cybersecurity agency CISA is now warning that even Ivanti's own tools cannot reliably detect the backdoors.
As the agency discovered in cooperation with other national security institutions, the “Integrity Checker Tool” provided by Ivanti, i.e. the tool for checking the integrity of potentially compromised installations, failed to achieve its goal in previous versions because of clever evasion maneuvers by the backdoors. The CISA experts therefore assume that the attackers can preserve their backdoors not only across reboots and updates, but even across a factory reset.
A study by Google subsidiary Mandiant comes to a similar conclusion. Its analysts took a closer look at various backdoor components with the illustrious names “Littlelamb.wooltea”, “Bushwalk” and “Pithook” and discovered a whole series of tricky camouflage measures. The Bushwalk backdoor can be switched on and off using fake HTTP user agents (“App1eWebKit” with a digit one and “AppIeWebKit” with a capital “i”), hides in a directory that the integrity checker excludes from its scan, and uses the operating system's own tools to encrypt and decrypt itself. “Bushwalk” can also play dead to avoid detection.
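The user-agent trick described above is visible in ordinary web access logs: the lookalike tokens differ from the genuine “AppleWebKit” only by a substituted character. The following script, an added example that is not part of the article and not code from Ivanti, Mandiant or CISA, scans constructed combined-format log lines for such lookalikes. It generalizes slightly beyond the two strings named in the text by flagging any token that normalizes to “AppleWebKit” once the common substitutes for a lowercase “l” (digit one, capital i, vertical bar) are folded back, without being spelled exactly like it. The log format, IP addresses and request paths are assumptions chosen for the example.

```python
import re

# Canonical spelling of the legitimate browser engine token.
LEGIT_TOKEN = "AppleWebKit"

# Characters that pass for a lowercase "l" at a glance. The two variants
# named in the article are "1" (digit) and "I" (capital i); "|" is an
# added assumption covering the same visual trick.
HOMOGLYPHS_OF_L = {"1", "I", "|"}

# Any token that reads "AppleWebKit" with one of the lookalikes in the "l" slot.
TOKEN_RE = re.compile(r"App[lI1|]eWebKit")

# Combined log format (constructed assumption for this example): we only
# need the client IP, timestamp, request line and the trailing User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def normalize(token: str) -> str:
    """Fold every lookalike character back to a plain lowercase 'l'."""
    return "".join("l" if ch in HOMOGLYPHS_OF_L else ch for ch in token)


def find_lookalike_tokens(user_agent: str) -> list[str]:
    """Return tokens that look like AppleWebKit but are not spelled that way."""
    return [
        m.group(0)
        for m in TOKEN_RE.finditer(user_agent)
        if m.group(0) != LEGIT_TOKEN and normalize(m.group(0)) == LEGIT_TOKEN
    ]


def scan_access_log(lines: list[str]) -> list[dict]:
    """Parse each log line and report requests carrying a lookalike user agent.

    Lines that do not match the expected format are skipped rather than
    raising, so a partially corrupted log still yields results.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = find_lookalike_tokens(m.group("ua"))
        if bad:
            hits.append(
                {
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "request": m.group("req"),
                    "tokens": bad,
                }
            )
    return hits


# Constructed sample log: documentation-range IPs and generic paths.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Feb/2024:10:15:02 +0000] "GET /login HTTP/1.1" 200 4321 '
    '"-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0"',
    '203.0.113.11 - - [27/Feb/2024:10:16:40 +0000] "GET /login HTTP/1.1" 200 4321 '
    '"-" "Mozilla/5.0 (Windows NT 10.0) App1eWebKit/537.36 (KHTML, like Gecko) Chrome/120.0"',
    '203.0.113.12 - - [27/Feb/2024:10:17:05 +0000] "POST /login HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0 (Macintosh) AppIeWebKit/605.1.15 (KHTML, like Gecko) Safari/17.0"',
    '203.0.113.13 - - [27/Feb/2024:10:18:11 +0000] "GET /status HTTP/1.1" 200 88 '
    '"-" "curl/8.4.0"',
    "garbled line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['request']!r} lookalike UA token(s): {hit['tokens']}")
```

The check is deliberately narrow: it flags only strings that imitate the genuine token, so normal browser traffic produces no noise, and it degrades gracefully on unparseable lines. It only helps where the proxy or appliance in front of the device actually records the User-Agent header, which is an assumption here; it complements, rather than replaces, the vendor and Mandiant detection guidance the article refers to.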
Little lamb nests comfortably
The “Littlelamb.wooltea” malware, on the other hand, survives reboots and system updates by attaching itself to a local copy of the system data that the appliance imports during the update procedure to restore configuration and runtime data. The authors of the malware even thought about factory resets, i.e. resetting an Ivanti appliance to factory settings. Fortunately for affected admins, however, their method only works on certain devices.
Mandiant analysts conclude that the attackers have detailed knowledge of the Ivanti firmware and place them in China. They suspect that the group with the identifier UNC5325 is collaborating with other Chinese espionage groups and is particularly targeting the defense industry and the technology and telecommunications sectors.
While Mandiant offers an updated version of its guide to remediating Connect Secure appliances, the manufacturer has at least updated its detection tool. CISA, on the other hand, advises the agencies in its charge to take a holistic approach: devices should still be treated as compromised, and VPN access and keys should be re-issued where necessary.
This is not the first time the cyber security agency has warned about Ivanti vulnerabilities. Almost a month ago, the federal agency ordered all institutions under its authority to take Ivanti appliances offline.
(cku)