Chinese threat actors continue exploiting Ivanti VPN flaws using new malware

Cybersecurity firm Mandiant warned that Chinese threat actors are using new malware to continue exploiting recent vulnerabilities in Ivanti Connect Secure VPN appliances, reports SecurityWeek.

Ivanti addressed the flaws on Jan. 31 and patched a fifth vulnerability in its enterprise VPN and network access products roughly a week later. After the patch rollout, attackers continued exploiting one of the vulnerabilities, tracked as CVE-2024-21893, which is described as a server-side request forgery vulnerability in the SAML component of Ivanti's enterprise VPN and network access appliances.

Mandiant notes that CVE-2024-21893 is being exploited by a threat actor from China tracked as UNC5325 to deploy new malware families such as PitJet, Pitdog, PitStop, PitHook, and LittleLamb.WoolTea. UNC5325 appears to be linked to the Chinese cyberespionage group UNC3886, which was previously observed exploiting vulnerable VMware products and "has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the US and APJ regions."

"UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets," Mandiant notes.
