A recent cyber campaign has brought to light a sophisticated new tactic employed by initial access brokers, believed to be linked to China. These threat actors are leveraging zero-day vulnerabilities in Ivanti Connect Secure systems to infiltrate target networks. Uniquely, after gaining access, the attackers are applying their own patches to the exploited vulnerabilities, effectively locking out both defenders and rival cybercriminals.
The Self-Patching Tactic
Traditionally, initial access brokers focus on breaching networks and selling access to other cybercriminals or nation-state actors. However, this latest campaign demonstrates an evolution in their methods. By self-patching the zero-day vulnerabilities post-compromise, the attackers ensure they maintain exclusive control over the compromised environment. This “turf control” strategy prevents others from exploiting the same vulnerabilities, thereby reducing the risk of detection and increasing the value of their illicit access.
How the Attack Unfolds
- Exploitation: The attackers identify and exploit previously unknown (zero-day) vulnerabilities in Ivanti Connect Secure systems.
- Compromise: Once inside, they establish persistence and secure their foothold.
- Self-Patching: The attackers then apply their own fixes to the exploited vulnerabilities, closing off the entry points they used.
- Monetization: With exclusive access, they can sell or use the compromised network with a lower risk of interference from other threat actors or incident responders.
Implications for Defenders
This tactic presents significant challenges for cybersecurity teams. By patching the exploited vulnerabilities, the attackers not only prevent others from entering but also make it harder for defenders to detect the initial compromise. Because the vulnerability is no longer exploitable, the usual indicators of compromise associated with an unpatched system (a scanner reporting the device as vulnerable, or repeated exploit attempts against it) are absent, potentially delaying incident response.
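Because an attacker-applied patch removes the "still vulnerable" signal, defenders have to look for the modification itself: files on the appliance that no longer match what the vendor shipped. The following is an added example, not code from the article or from Ivanti, showing the core of that check: hash every file under a root directory and compare against a known-good manifest, reporting modified, missing and unexpected files. The directory layout, file names and contents are constructed for the demonstration and do not correspond to any real Ivanti Connect Secure path.

```python
"""Detect unauthorized changes to an appliance's files by comparing on-disk
SHA-256 hashes against a known-good manifest (constructed example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def verify_tree(root, manifest):
    """Compare every file under `root` with `manifest` ({relative_path: sha256}).

    Returns a dict with three sorted lists:
      modified   - present in the manifest but content differs
      missing    - in the manifest but absent on disk
      unexpected - on disk but not in the manifest
    An attacker's self-patch typically shows up as 'modified' (edited
    handler or library) and/or 'unexpected' (dropped helper files).
    """
    modified, missing, unexpected = [], [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != expected:
            modified.append(rel)
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")  # normalise separators for the manifest
            if rel not in manifest:
                unexpected.append(rel)
    return {"modified": modified, "missing": missing, "unexpected": sorted(unexpected)}


def demo():
    """Build a constructed appliance tree, verify it, then simulate an
    attacker rewriting one component and dropping an extra file.
    Returns (clean_report, tampered_report)."""
    # Hypothetical file set; paths and contents are constructed, not real Ivanti files.
    known_good = {
        "web/handler.cgi": b"original request handler v1\n",
        "lib/auth.so": b"original authentication library\n",
    }
    manifest = {rel: sha256_bytes(data) for rel, data in known_good.items()}

    with tempfile.TemporaryDirectory() as root:
        for rel, data in known_good.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        clean = verify_tree(root, manifest)

        # Simulated self-patch: the vulnerable handler is replaced by a
        # non-vendor version and a helper file appears beside the library.
        with open(os.path.join(root, "web/handler.cgi"), "wb") as f:
            f.write(b"handler rewritten by intruder\n")
        with open(os.path.join(root, "lib/extra.so"), "wb") as f:
            f.write(b"not part of the vendor image\n")
        tampered = verify_tree(root, manifest)

    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before)
    print("after tamper:", after)
```

The manifest must come from a trusted source (a vendor-published hash list or a hash set taken from a pristine image), not from the device under investigation, since an attacker who can patch a binary can also rewrite a locally stored hash file. Ivanti ships an Integrity Checker Tool that performs this comparison for its appliances; the example above shows the principle on a constructed tree so the logic can be read and run offline.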