Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware

Abstract:

China-linked threat groups UNC5325 and UNC3886 exploited vulnerabilities in the Ivanti VPN product line, made by the US-based software company Ivanti, to deploy new malware. Starting in January 2024, the groups exploited a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure. UNC3886 has a history of using zero-days in Fortinet and VMware products to deploy malware. The groups appear experienced: the malware uses living-off-the-land techniques to persist through factory resets and upgrades, and it also functions as a backdoor that lets the operators execute commands, manage files, and create shells. In addition, another China-linked group, Volt Typhoon, has recently been linked to earlier Ivanti VPN exploitation in December 2023.

Author:
The Hacker News
Year:
2024
Domain:
Dimension:
Region:
Data Type:
MIT Political Science
ECIR
GSS