Ivanti Connect Secure Vulnerabilities Targeted By UNC5325
UNC5325 a suspected threat actor with ties to China has been observed exploiting vulnerabilities in Ivanti Connect Secure appliances. They employ living-off-the-land (LotL) techniques for stealth and backdoors for persistence across system changes. UNC5325 targeted Ivanti Connect Secure appliances with CVE-2024-21893 as early as Jan. 19 2024 exploiting a server-side request forgery (SSRF) flaw in the SAML component. Subsequently they combined this with command injection vulnerabilities from CVE-2024-21887. Some instances involved using public services like Interactsh to confirm the vulnerability. Upon identifying vulnerable targets UNC5325 executed follow-up commands for reconnaissance and occasionally establishing a reverse shell.