WARPWIRE is a JavaScript credential stealer that targets plaintext passwords and usernames for exfiltration; it was used during Cutting Edge to target Ivanti Connect Secure VPNs.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | WARPWIRE is a credential harvester written in JavaScript.[1] |
| Enterprise | T1554 | Compromise Host Software Binary | WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | WARPWIRE can Base64 encode captured credentials with |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | WARPWIRE can send captured credentials to C2 via HTTP |
| Enterprise | T1056.003 | Input Capture: Web Portal Capture | WARPWIRE can capture credentials submitted during the web logon process in order to access layer seven applications such as RDP.[1] |
| ID | Name | Description |
|---|---|---|
| C0029 | Cutting Edge | |