The Open-Source Arsenal of Ivanti CSA Attackers

Recent forensic investigations by Synacktiv’s CSIRT have shed light on the common open-source tools leveraged by threat actors in incidents stemming from compromised Ivanti Cloud Services Appliance (CSA) devices. While initial access often exploited zero-day vulnerabilities in Ivanti CSA (CVE-2024-8963, CVE-2024-8190, CVE-2024-9380, CVE-2024-9379), subsequent attack stages frequently utilized publicly available, and sometimes “noisy,” tools for lateral movement, persistence, and credential dumping. This highlights a blend of sophisticated initial access and more readily available post-exploitation techniques.

Ivanti CSA, server software designed for remote device management, is often internet-facing, making it a prime target. In September and October 2024, Ivanti released advisories about security policy bypass and remote code execution vulnerabilities. However, FortiGuard Labs Threat Research revealed that some threat actors had been chaining these vulnerabilities as early as September 9, 2024, before public disclosure or patches. The attacks, attributed to Chinese threat groups like Houken (with overlaps to UNC5174), targeted various sectors, including government, telecommunications, media, finance, and transport.

One notable tool found after initial CSA compromise was suo5, an HTTP proxy tunnel. Available on GitHub since February 2023, suo5 is touted as a more performant alternative to tools like reGeorg and Neo-reGeorg. Interestingly, the GLASSTOKEN webshell, associated with Ivanti Connect Secure VPN zero-day exploits in January 2024, was based on Neo-reGeorg, demonstrating a recurring pattern of using such tunneling tools. suo5 facilitates covert communication by encapsulating TCP packets within a single HTTP connection, reducing overhead. It supports .NET, Java, or PHP server-side code and can operate in “half-duplex” mode to bypass Nginx reverse proxy buffering. Detecting suo5 therefore means looking for the functionality its server-side script implements rather than for file or variable names, which an attacker can trivially change; its default scripts typically contain base64 encoding/decoding together with AES encryption/decryption routines, a pairing that is suspicious in a script dropped on an appliance.
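The detection approach described above can be turned into a simple triage heuristic. The following is an added example written for this article, not code from Synacktiv or from the suo5 project: it scans script bodies for the base64 and AES library calls of PHP, Java and .NET and flags files that combine both. The library calls are real, but treating their combination as a suo5 indicator is this example's assumption based on the description above, and the two PHP samples are constructed for the demonstration.

```python
import re

# Heuristic indicators grouped by the three server-side languages suo5 ships scripts for.
# The library calls are real; pairing them as a suo5 indicator is this example's
# assumption based on the article's description, not a published signature.
INDICATORS = {
    "base64": [
        r"\bbase64_(en|de)code\s*\(",                      # PHP
        r"Base64\.get(En|De)coder\s*\(",                   # Java
        r"Convert\.(From|To)Base64String\s*\(",            # .NET
    ],
    "aes": [
        r"openssl_(en|de)crypt\s*\([^;]*aes",              # PHP openssl with an AES cipher name
        r"Cipher\.getInstance\s*\(\s*\"AES",               # Java javax.crypto
        r"\bAes\.Create\s*\(|AesCryptoServiceProvider|RijndaelManaged",  # .NET
    ],
}

def score_script(text: str) -> dict:
    """Count how many indicator patterns of each category appear in a script body."""
    counts = {}
    for category, patterns in INDICATORS.items():
        counts[category] = sum(len(re.findall(p, text, re.IGNORECASE)) for p in patterns)
    return counts

def is_suspicious(text: str) -> bool:
    """Flag scripts that combine base64 handling with AES, the pairing the article describes."""
    counts = score_script(text)
    return all(counts[c] > 0 for c in INDICATORS)

# Constructed samples (not real suo5 code): a benign image helper and a tunnel-like script.
BENIGN_PHP = """<?php
$png = base64_decode($_GET['img']);
header('Content-Type: image/png');
echo $png;
"""

SUSPICIOUS_PHP = """<?php
$key = 'constructed-sample-key';
$body = base64_decode(file_get_contents('php://input'));
$plain = openssl_decrypt($body, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, substr($key, 0, 16));
echo base64_encode(openssl_encrypt($plain, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, substr($key, 0, 16)));
"""

if __name__ == "__main__":
    for name, body in (("benign.php", BENIGN_PHP), ("tunnel.php", SUSPICIOUS_PHP)):
        print(name, score_script(body), "SUSPICIOUS" if is_suspicious(body) else "ok")
```

Legitimate applications also combine base64 and AES, so a hit is a prompt for manual review of the file's modification time and web-server access logs, not a verdict on its own.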

Beyond tunneling, attackers employed other open-source tools. Publicly available webshells such as Behinder were deployed, and existing PHP scripts were modified to inject webshell capabilities. Persistence was also achieved through custom malware variants like GOREVERSE, a shell utility, and GOHEAVY, a Golang tunneling tool. A Linux kernel module named sysinitd.ko served as a rootkit, maintaining root access by hijacking inbound TCP traffic and invoking shells for remote command execution.

For credential gathering, threat actors leveraged well-known tools like Responder, which spoofs network services to remotely grab Windows credentials. They also used searchall, a local credential gathering tool implemented in Golang by Chinese-speaking developers. In some instances, an unrecoverable executable (e.g., php<6 random chars>) was used to decrypt credentials before exfiltration.

A curious tactic observed was the attackers’ attempt to patch the Ivanti vulnerabilities after gaining access. This suggests a desire to secure their foothold and prevent other threat groups from exploiting the same entry points, indicating a competitive cybercriminal ecosystem.

This campaign underscores the critical need for rapid patching, enhanced visibility into lateral movements, and robust behavioral detection techniques. Organizations should not solely rely on traditional security tools but integrate real-time threat intelligence, advanced rootkit detection, and comprehensive network traffic analysis to defend against such sophisticated and adaptable adversaries. It also highlights the importance of scrutinizing publicly available tools, as they are actively integrated into advanced attack chains.