Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1595 | .002 | Active Scanning: Vulnerability Scanning |
During Cutting Edge, threat actors used the publicly available Interactsh tool to identify Ivanti Connect Secure VPNs vulnerable to CVE-2024-21893.[5] |
| Enterprise | T1071 | .004 | Application Layer Protocol: DNS |
During Cutting Edge, threat actors used DNS to tunnel IPv4 C2 traffic.[4] |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
During Cutting Edge, threat actors saved collected data to a tar archive.[4] |
| Enterprise | T1059 | Command and Scripting Interpreter |
During Cutting Edge, threat actors used Perl scripts to enable the deployment of the THINSPOOL shell script dropper and for enumerating host data.[4][1] |
|
| .006 | Python |
During Cutting Edge, threat actors used a Python reverse shell and the PySoxy SOCKS5 proxy tool.[2][5] |
||
| Enterprise | T1554 | Compromise Host Software Binary |
During Cutting Edge, threat actors trojanized legitimate files in Ivanti Connect Secure appliances with malicious code.[1][2][4] |
|
| Enterprise | T1584 | .008 | Compromise Infrastructure: Network Devices |
During Cutting Edge, threat actors used compromised and out-of-support Cyberoam VPN appliances for C2.[1][3] |
| Enterprise | T1005 | Data from Local System |
During Cutting Edge, threat actors stole the running configuration and cache data from targeted Ivanti Connect Secure VPNs.[2][4] |
|
| Enterprise | T1190 | Exploit Public-Facing Application |
During Cutting Edge, threat actors exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN appliances to enable authentication bypass and command injection. A server-side request forgery (SSRF) vulnerability, CVE-2024-21893, was identified later and used to bypass mitigations for the initial two vulnerabilities by chaining with CVE-2024-21887.[1][2][3][4][5] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
During Cutting Edge, threat actors disabled logging and modified the |
| Enterprise | T1070 | Indicator Removal |
During Cutting Edge, threat actors cleared logs to remove traces of their activity and restored compromised systems to a clean state to bypass manufacturer mitigations for CVE-2023-46805 and CVE-2024-21887.[4][2] |
|
| .004 | File Deletion |
During Cutting Edge, threat actors deleted |
||
| .006 | Timestomp |
During Cutting Edge, threat actors changed timestamps of multiple files on compromised Ivanti Secure Connect VPNs to conceal malicious activity.[4][5] |
||
| Enterprise | T1105 | Ingress Tool Transfer |
During Cutting Edge, threat actors leveraged exploits to download remote files to Ivanti Connect Secure VPNs.[2] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
During Cutting Edge, threat actors modified a JavaScript file on the Web SSL VPN component of Ivanti Connect Secure devices to keylog credentials.[2] |
| .003 | Input Capture: Web Portal Capture |
During Cutting Edge, threat actors modified the JavaScript loaded by the Ivanti Connect Secure login page to capture credentials entered.[2] |
||
| Enterprise | T1095 | Non-Application Layer Protocol |
During Cutting Edge, threat actors used the Unix socket and a reverse TCP shell for C2 communications.[5] |
|
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
During Cutting Edge, threat actors used a Base64-encoded Python script to write a patched version of the Ivanti Connect Secure |
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
During Cutting Edge, threat actors leveraged tools including Interactsh to identify vulnerable targets, PySoxy to simultaneously dispatch traffic between multiple endpoints, BusyBox to enable post exploitation activities, and Kubo Injector to inject shared objects into process memory.[1][5] |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
During Cutting Edge, threat actors used Task Manager to dump LSASS memory from Windows devices to disk.[2] |
| .003 | OS Credential Dumping: NTDS |
During Cutting Edge, threat actors accessed and mounted virtual hard disk backups to extract ntds.dit.[2] |
||
| Enterprise | T1055 | Process Injection |
During Cutting Edge, threat actors used malicious SparkGateway plugins to inject shared objects into web process memory on compromised Ivanti Secure Connect VPNs to enable deployment of backdoors.[5] |
|
| Enterprise | T1572 | Protocol Tunneling |
During Cutting Edge, threat actors used Iodine to tunnel IPv4 traffic over DNS.[4] |
|
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
During Cutting Edge, threat actors used RDP with compromised credentials for lateral movement.[2] |
| .002 | Remote Services: SMB/Windows Admin Shares |
During Cutting Edge, threat actors moved laterally using compromised credentials to connect to internal Windows systems with SMB.[2] |
||
| .004 | Remote Services: SSH |
During Cutting Edge, threat actors used SSH for lateral movement.[2] |
||
| Enterprise | T1594 | Search Victim-Owned Websites |
During Cutting Edge, threat actors peformed reconnaissance of victims' internal websites via proxied connections.[2] |
|
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
During Cutting Edge, threat actors used multiple web shells to maintain presence on compromised Connect Secure appliances such as WIREFIRE, GLASSTOKEN, BUSHWALK, LIGHTWIRE, and FRAMESTING.[1][2] |
| Enterprise | T1082 | System Information Discovery |
During Cutting Edge, threat actors used the ENUM4LINUX Perl script for discovery on Windows and Samba hosts.[4] |
|
| Enterprise | T1205 | Traffic Signaling |
During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the |
|
| Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts |
During Cutting Edge, threat actors used compromised VPN accounts for lateral movement on targeted networks.[2] |
Software
| ID | Name | Description |
|---|---|---|
| S1118 | BUSHWALK | |
| S0488 | CrackMapExec | |
| S1120 | FRAMESTING | |
| S1117 | GLASSTOKEN | |
| S0357 | Impacket | |
| S1119 | LIGHTWIRE | |
| S1121 | LITTLELAMB.WOOLTEA | |
| S1123 | PITSTOP | |
| S1116 | WARPWIRE | |
| S1115 | WIREFIRE | |
| S1114 | ZIPLINE |
References
- McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
- Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
- Gurkok, C. et al. (2024, January 15). Ivanti Connect Secure VPN Exploitation Goes Global. Retrieved February 27, 2024.
- Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
- Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.