Issuer: Adverse Trace
Date issued: 2026-06-08
Version: 1.0
1. Executive summary
Threat actor UNC5325 (suspected China-nexus) is actively exploiting CVE-2024-21893 (SSRF) and CVE-2024-21887 (Command Injection) on unpatched Ivanti Connect Secure appliances to deploy custom malware (LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, PITHOOK) and attempt persistence. While observed persistence mechanisms have largely failed due to code logic errors regarding encryption keys, the actor continues to refine tactics to survive system upgrades and factory resets. For EMEA financial services, the immediate risk involves unauthorized access to network perimeters, potential lateral movement into internal zones, and data exfiltration via living-off-the-land techniques. Immediate validation of patch status and integrity checks are required regardless of prior mitigation application.
2. Regulatory framing
| Regulation | Article / Requirement | Practical Impact for Financial Entities |
|---|---|---|
| DORA | Art. 17 (Management of ICT third-party risk) | Entities must verify Ivanti (as a critical third-party provider) has applied patches and that the Integrity Checking Tool (ICT) has been executed to rule out supply chain compromise. |
| DORA | Art. 19 (Reporting of major incidents) | Successful exploitation resulting in data breach or service degradation constitutes a "major incident" requiring notification to competent authorities within 24 hours. |
| DORA | Art. 28-30 (Digital Operational Resilience Testing) | Findings from this advisory should trigger immediate threat-led penetration testing (TLPT) or targeted vulnerability scans on perimeter appliances to validate control effectiveness. |
| NIS2 | Art. 21(2)(d) (Risk analysis & supply chain) | Obligates entities to assess the security of network management systems and ensure supply chain risks (Ivanti vulnerabilities) are mitigated through patching and configuration hardening. |
| NIS2 | Art. 23 (Reporting obligations) | Mandates early warning and incident reporting to CSIRTs if the exploitation impacts essential services or causes significant operational disruption. |
3. Attack chain
- Reconnaissance/Validation: Attacker sends a specific HTTP GET request to /api/v1/license/keys-status/ containing a Python command to resolve a unique domain via socket.gethostbyname, confirming vulnerability to CVE-2024-21893.
- Exploitation: Attacker chains CVE-2024-21893 (SSRF) with CVE-2024-21887 (Command Injection) to execute arbitrary commands on the appliance.
- Initial Access: A reverse TCP shell is established using Python (/bin/sh -i) connecting back to an attacker-controlled IP and port.
- Post-Exploitation: Actor deploys custom malware families (LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, PITHOOK) and utilizes living-off-the-land (LotL) techniques to evade detection.
- Persistence Attempt: Actor attempts to install malware designed to persist across factory resets, system upgrades, and patches. (Note: Source material indicates these specific persistence attempts have largely failed due to encryption key mismatches in the malware code).
Unconfirmed steps:
- While mass automated exploitation is confirmed, the full scope of lateral movement from the Ivanti appliance into the internal financial network is not detailed in the primary source, though Mandiant notes post-exploitation lateral movement case studies exist in related reporting.
- Attribution to UNC5325 is assessed with "moderate confidence" by Mandiant based on TTP overlaps with UNC3886; definitive attribution remains unconfirmed.
4. Mitigation & containment
P1: Immediate (within 24h)
- Patch: Apply Ivanti patches addressing CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, and CVE-2024-22024 for all supported versions. Patches have been available since April 3, 2024.
- Integrity Check: Download and execute the latest version of the Ivanti External Integrity Checking Tool (ICT) immediately. This tool is specifically updated to detect the persistence attempts described in this advisory.
- Log Review: Query logs for Event ID AUT31556 (unauthenticated request to /dana-ws/saml.ws) and ERR31903 (saml-server process crash).
- Network Block: Block outbound connections from Ivanti appliances to non-business-critical destinations, specifically monitoring for Python-based reverse shells.
P2: Short-term (within 72h)
- Forensic Analysis: Analyze both allocated and unallocated disk space on forensic images of affected appliances for artifacts of LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK.
- Configuration Hardening: Implement Ivanti's updated remediation and hardening guide recommendations. Ensure the XML mitigations released on Jan 10 and Jan 31 are active.
- Credential Rotation: Rotate all administrative credentials for the Ivanti appliance and any accounts accessible from the appliance subnet, assuming potential compromise.
P3: Medium-term (within 7 days)
- Architecture Review: Evaluate the necessity of direct internet exposure for Ivanti Connect Secure appliances. Consider placing them behind additional WAF rules or moving to a zero-trust access model (Ivanti Neurons for ZTA) if not already deployed.
- Threat Hunting: Deploy the detection rules in Section 6 across EDR and NDR platforms to hunt for historical indicators of compromise.
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| Event ID | AUT31556 | High | Primary Item |
| Event ID | ERR31903 | High | Primary Item |
| URL Path | /dana-ws/saml.ws | High | Primary Item |
| URL Path | /api/v1/license/keys-status/ | High | Primary Item |
| Malware Family | LITTLELAMB.WOOLTEA | High | Primary Item |
| Malware Family | PITSTOP | High | Primary Item |
| Malware Family | PITDOG | High | Primary Item |
| Malware Family | PITJET | High | Primary Item |
| Malware Family | PITHOOK | High | Primary Item |
| CVE | CVE-2024-21893 | High | Primary Item |
| CVE | CVE-2024-21887 | High | Primary Item |
6. Detection
YARA Rule: The following rule matches the malware family names, URL paths and event IDs associated with the exploitation chain described in the sources. Note that the family names are analyst-assigned labels and are not expected to appear as strings inside the malware itself; hits on them are most useful for sweeping log exports, tickets and reports. Short words such as PITSTOP and PITDOG can occur in benign content, so treat a match under "any of them" as a triage signal rather than a confirmed compromise.

```yara
rule Ivanti_UNC5325_Exploitation_Attempts {
    meta:
        author = "Adverse Trace"
        date = "2026-06-08"
        reference = "https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence/"
        description = "Detects strings associated with UNC5325 malware families and Ivanti exploitation paths"
    strings:
        $path_saml = "/dana-ws/saml.ws" ascii
        $path_api = "/api/v1/license/keys-status/" ascii
        $malware_1 = "LITTLELAMB.WOOLTEA" ascii
        $malware_2 = "PITSTOP" ascii
        $malware_3 = "PITDOG" ascii
        $malware_4 = "PITJET" ascii
        $malware_5 = "PITHOOK" ascii
        $event_log_1 = "AUT31556" ascii
        $event_log_2 = "ERR31903" ascii
    condition:
        any of them
}
```
Sigma Rule: Detects the specific log events and command patterns identified in the source material. The rule fires on any single selection; the '/bin/sh' fragment on its own is noisy on a Linux-based appliance, so tune or require it in combination with the other command fragments before alerting at critical level.

```yaml
title: Ivanti Connect Secure SSRF and Command Injection Attempt
id: 8a7b6c5d-4e3f-2a1b-9c8d-7e6f5a4b3c2d
status: stable
level: critical
description: Detects exploitation attempts of CVE-2024-21893 and CVE-2024-21887 on Ivanti appliances via specific log events and Python reverse shell commands.
author: Adverse Trace
date: 2026/06/08
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence/
logsource:
  product: ivanti_connect_secure
  service: application
detection:
  selection_saml_crash:
    EventID: 'ERR31903'
    Message: '*saml-server recently failed*'
  selection_unauth_request:
    EventID: 'AUT31556'
    Message: '*Unauthenticated request url /dana-ws/saml.ws*'
  selection_python_reverse:
    CommandLine|contains:
      - 'python -c'
      - 'socket.gethostbyname'
      - 'subprocess.call'
      - '/bin/sh'
  condition: selection_saml_crash or selection_unauth_request or selection_python_reverse
tags:
  - attack.initial_access
  - attack.execution
  - cve.2024-21893
  - cve.2024-21887
```
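The log review step in Section 4 (P1) and the Sigma rule above both reduce to the same triage question: which exported log lines carry AUT31556, ERR31903, a request to one of the two watched paths, or a Python reverse-shell command fragment, and which source addresses are behind them. The script below is an added example written for this advisory, not Ivanti or Mandiant tooling. It assumes a syslog-style export in which the event ID precedes a colon and the client address follows "from IP"; that line layout and the sample lines are constructed for the example and are not a documented Ivanti format, so adjust the two regular expressions to the export you actually have.

```python
"""Triage helper for Ivanti Connect Secure log exports (added example).

Scans log lines for the indicators listed in this advisory and returns
findings an analyst can act on: per-indicator counts and source IPs that
are candidates for blocking. Line layout is an assumed syslog-style export.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the advisory's IoC table and Sigma rule.
EVENT_INDICATORS = {
    "AUT31556": "Unauthenticated request to /dana-ws/saml.ws",
    "ERR31903": "saml-server process crash",
}
WATCHED_PATHS = ("/dana-ws/saml.ws", "/api/v1/license/keys-status/")
SHELL_FRAGMENTS = ("python -c", "socket.gethostbyname", "subprocess.call", "/bin/sh")

# Constructed sample export (hypothetical layout, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-01-30 10:02:11 - ive - [192.0.2.10] Root::System()[] - AUT31556: Unauthenticated request url /dana-ws/saml.ws came from IP 198.51.100.7
2024-01-30 10:02:12 - ive - [127.0.0.1] Root::System()[] - ERR31903: Program saml-server recently failed.
2024-01-30 10:03:40 - ive - [192.0.2.10] Root::System()[] - WEB20174: User 'jdoe' logged in from 203.0.113.5
2024-01-30 10:04:05 - ive - [192.0.2.10] Root::System()[] - AUT31556: Unauthenticated request url /api/v1/license/keys-status/ came from IP 198.51.100.7
2024-01-30 10:05:00 - ive - [127.0.0.1] Root::System()[] - SYS10000: command python -c 'import subprocess' invoked
"""

# Assumed layout: an alphabetic prefix plus five digits, e.g. AUT31556, before a colon.
EVENT_RE = re.compile(r"\b([A-Z]{3}\d{5})\b")
# Assumed layout: the requesting client appears after "from IP".
IP_RE = re.compile(r"from IP (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Finding:
    line_no: int
    event_id: Optional[str]
    reason: str
    source_ip: Optional[str]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches an advisory indicator."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = EVENT_RE.search(line)
        event_id = m.group(1) if m else None
        ip_m = IP_RE.search(line)
        source_ip = ip_m.group(1) if ip_m else None
        if event_id in EVENT_INDICATORS:
            findings.append(Finding(n, event_id, EVENT_INDICATORS[event_id], source_ip))
        elif any(p in line for p in WATCHED_PATHS):
            # A watched path logged under some other event ID still deserves a look.
            findings.append(Finding(n, event_id, "Request to watched exploitation path", source_ip))
        elif any(f in line for f in SHELL_FRAGMENTS):
            findings.append(Finding(n, event_id, "Python reverse-shell command fragment", source_ip))
    return findings


def block_candidates(findings: List[Finding]) -> List[str]:
    """Distinct source IPs tied to findings, most frequent first."""
    counts = Counter(f.source_ip for f in findings if f.source_ip)
    return [ip for ip, _ in counts.most_common()]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Hit count per indicator reason, for the incident ticket."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.reason} (event={h.event_id}, src={h.source_ip})")
    print("block candidates:", block_candidates(hits))
    print("summary:", summarize(hits))
```

Run it against a real export by reading the file into triage() instead of SAMPLE_LOG; the order of the three checks matters, since an AUT31556 line that also names a watched path is counted once under the event ID rather than twice.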
7. Sources
- Mandiant (Google Cloud), "Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts", https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence/, 2024-02-27.
- Mandiant (Google Cloud), "Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies", https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement/, 2024-04-03.
8. Adverse Trace position
We assess the severity as Critical for any EMEA financial entity operating unpatched Ivanti Connect Secure, Policy Secure, or Neurons for ZTA appliances. Although the specific persistence mechanism (LITTLELAMB.WOOLTEA) observed by Mandiant contained logic flaws preventing successful retention across resets, the initial compromise vector (CVE-2024-21893 chained with CVE-2024-21887) remains highly effective against unpatched systems. The involvement of a suspected China-nexus actor (UNC5325) targeting defense and technology sectors suggests financial services may be secondary targets for espionage or pre-positioning. We recommend immediate execution of the Ivanti Integrity Checking Tool and forensic validation of all perimeter appliances, as automated exploitation has been widespread since January 2024.
Published via PulseTrace — Adverse Trace threat intelligence.