ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > UNC5221, UTA0178

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: UNC5221, UTA0178

NamesUNC5221 (Mandiant)
UTA0178 (Volexity)
Country[Unknown]
MotivationInformation theft and espionage
First seen2023
Description(Mandiant) Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.

On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor, currently being tracked as UNC5221.
ObservedCountries: Worlwide.
Tools usedGIFTEDVISITOR, GLASSTOKEN, LIGHTWIRE, PySoxy, THINSPOOL, WARPWIRE, WIREFIRE, ZIPLINE.
Information<https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day>
<https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/>
<https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/>

Last change to this card: 17 January 2024

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]