Chinese cyberspies deploy new malware in Ivanti VPN attacks

Chinese cyberespionage actors exploited Ivanti VPN vulnerabilities, deployed new malware for persistence, and showcased advanced techniques, highlighting the need for vigilance and timely patching.

A recent report by cybersecurity firm Mandiant has shed light on a campaign by suspected Chinese cyberespionage actors targeting Ivanti Connect Secure VPN appliances. These actors have been exploiting vulnerabilities in the software to gain unauthorized access to victim networks and deploy new malware designed to maintain their presence even after system updates or resets.

The vulnerabilities in question were first disclosed in December 2023 and were patched by Ivanti in January 2024. However, attackers continued to exploit one of the vulnerabilities (CVE-2024-21893) by deploying a new set of malware tools. This malware, is identified as LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook, allow the attackers to establish persistence on compromised systems, making it more challenging to remove them completely.


Mandiant attributes this campaign to a group known as UNC5325, which they believe is linked to another Chinese cyberespionage group, UNC3886. UNC3886 has a history of targeting vulnerable VMware products to gain access to victim networks. Both groups are suspected of primarily targeting organizations in the defense, technology, and telecommunication sectors located in the United States and Asia-Pacific regions.

The attackers demonstrated a sophisticated understanding of the Ivanti VPN appliances, employing various techniques to maintain access after gaining initial entry. This included chaining vulnerabilities, deploying web shells like BushWalk, and even modifying open-source tools and built-in Ivanti utilities to evade detection. In some instances, they attempted to exploit the SparkGateway component, a legitimate remote access plugin, by deploying malicious plugins like PitFuel and PitDog. These plugins aimed to inject backdoors and persist across system updates, patches, and even factory resets. However, these attempts were ultimately unsuccessful due to differences in encryption keys between the factory reset kernel and the running kernel version.

Mandiant’s findings highlight the evolving capabilities of suspected Chinese cyberespionage actors and their continued efforts to exploit vulnerabilities in critical infrastructure. The use of novel malware and persistence techniques underscores the importance of timely patching vulnerabilities, implementing robust security controls, and maintaining vigilance against evolving cyber threats.