 |
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
|
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
APT group: UNC5221, UTA0178| Names | UNC5221 (Mandiant) UTA0178 (Volexity) | |
| Country | [Unknown] | |
| Motivation | Information theft and espionage | |
| First seen | 2023 | |
| Description | (Mandiant) Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed. On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor, currently being tracked as UNC5221. | |
| Observed | Countries: Worlwide. | |
| Tools used | GIFTEDVISITOR, GLASSTOKEN, LIGHTWIRE, PySoxy, THINSPOOL, WARPWIRE, WIREFIRE, ZIPLINE. | |
| Information | <https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day> <https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/> <https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/> | |
Last change to this card: 17 January 2024
|
Digital Service Security Center Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1227 | |
 |
[email protected] | |