Python based WIREFIRE web shell Attacking Ivanti Connect Secure (ICS) VPN appliances

by Esmeralda McKenzie
Python based WIREFIRE web shell Attacking Ivanti Connect Secure (ICS) VPN appliances

Python based WIREFIRE web shell Attacking Ivanti Connect Secure (ICS) VPN appliances

Python based WIREFIRE web shell Attacking Ivanti Connect Stable (ICS) VPN appliances

No longer too prolonged ago, QuoIntelligence’s study personnel unearthed a previously undetected variant of the notorious WIREFIRE web shell, a Python-based implant focusing on compromised Ivanti Connect Stable (ICS) VPN appliances.

This discovery unveils a cunning tactic employed by threat actors to evade detection and lengthen their malicious attain.

EHA

The memoir unfolds in December 2023, when security researchers identified a worldwide attack marketing campaign exploiting zero-day vulnerabilities in Ivanti Connect Stable VPN appliances.

This marketing campaign, attributed to the UNC5221 threat actor personnel, eager the deployment of web shells on both internal and exterior-going by intention of web purposes, granting the attackers unauthorized entry and support watch over.

Document

Free Trial

Streaming Malware Service

Originate Suspicious Recordsdata & Hyperlinks in the ANY RUN Sandbox Safely; Are attempting All Parts for Free. Understand malware conduct, win IOCs, and easily blueprint malicious actions to TTPs — all in our interactive sandbox.

The Acquainted Foe with a Unique Disguise: The WIREFIRE Variant

While investigating this incident, QuoIntelligence researchers stumbled upon a valuable half of the puzzle: a previously unreported variant of the WIREFIRE web shell.

Not like its identified counterpart residing in the “/api/resources/visits.py” file, this variant resided in the “/api/resources/category.py” file, showcasing a strategic shift in assign of residing to avoid fresh detection mechanisms.

Under the Hood: Dissecting the Variant’s Capabilities

This variant, even supposing subtly diverse, retained the core functionality of its predecessor.

It intercepted POST requests containing encrypted information payloads, decrypted them, and accomplished them straight in memory, leaving no incriminating traces on the file arrangement.

Alternatively, it supplied two great changes:

  1. Cookie-Based mostly entirely Payload Transport: The variant adopted a cookie-based formulation to transmit encrypted payloads, animated away from the GIF file formulation dilapidated in the accepted version.
  2. Persistent Execution By exec(): A unusual code addition leveraging the “exec()” characteristic enabled the execution of malicious code all over successive POST requests, potentially facilitating information persistence.

The invention of this variant uncovered a valuable limitation in fresh detection methods.

The YARA rule supplied by Mandiant, designed to call the WIREFIRE web shell, was rendered ineffective attributable to the variant’s diverse assign of residing.

This highlights the threat actors’ cunning blueprint of deploying modified versions in diverse locations to evade detection per particular file paths.

David Miller, Security Imply: “This incident underscores the significance of patching vulnerabilities promptly.

The exploited zero-day vulnerabilities were patched in February 2024, nevertheless attackers are composed exploiting unpatched methods. Organizations must prioritize vulnerability management.”

Responding to the Chance: A Unique YARA Rule Emerges

To address this gap in detection, QuoIntelligence researchers promptly developed a non everlasting YARA rule with broader scope.

This rule specializes in commonalities all over diverse web shell locations interior the “/api/resources/” directory, effectively figuring out both the accepted and the variant.

The emergence of this WIREFIRE variant underscores the dynamic nature of cyber threats and the significance of fixed vigilance.

Organizations utilizing Ivanti Connect Stable VPN appliances are educated to:

  • Put in drive the fresh YARA rule to pork up detection capabilities.
  • Recurrently change methods and patch vulnerabilities.
  • Make use of sturdy security solutions and threat intelligence feeds.
  • Preserve heightened awareness of evolving cyber threats.

Source credit : cybersecuritynews.com

Related Posts