{
  "description": "Enterprise techniques used by Cutting Edge, ATT&CK campaign C0029 (v1.0)",
  "name": "Cutting Edge (C0029)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1595", "showSubtechniques": true},
    {"techniqueID": "T1595.002", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used the publicly available Interactsh tool to identify Ivanti Connect Secure VPNs vulnerable to CVE-2024-21893.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.004", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used DNS to tunnel IPv4 C2 traffic.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors saved collected data to a tar archive.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used Perl scripts to enable the deployment of the THINSPOOL shell script dropper and to enumerate host data.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used a Python reverse shell and the PySoxy SOCKS5 proxy tool.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1554", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors trojanized legitimate files on Ivanti Connect Secure appliances with malicious code.(Citation: Mandiant Cutting Edge January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.008", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used compromised, out-of-support Cyberoam VPN appliances for C2.(Citation: Mandiant Cutting Edge January 2024)(Citation: Volexity Ivanti Global Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors stole the running configuration and cache data from targeted Ivanti Connect Secure VPNs.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1190", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN appliances to achieve authentication bypass and command injection. A server-side request forgery (SSRF) vulnerability, CVE-2024-21893, was identified later and chained with CVE-2024-21887 to bypass the mitigations for the initial two vulnerabilities.(Citation: Mandiant Cutting Edge January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)(Citation: Volexity Ivanti Global Exploitation January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors disabled logging and modified the `compcheckresult.cgi` component to edit the exclusion list of the Ivanti Connect Secure built-in Integrity Checker and so evade detection.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors cleared logs to remove traces of their activity and restored compromised systems to a clean state to bypass manufacturer mitigations for CVE-2023-46805 and CVE-2024-21887.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors deleted `/tmp/test1.txt` on compromised Ivanti Connect Secure VPNs, a file that had been used to hold stolen configuration and cache files.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.006", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors changed the timestamps of multiple files on compromised Ivanti Connect Secure VPNs to conceal malicious activity.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors leveraged exploits to download remote files to Ivanti Connect Secure VPNs.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors modified a JavaScript file in the Web SSL VPN component of Ivanti Connect Secure devices to keylog credentials.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1056.003", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors modified the JavaScript loaded by the Ivanti Connect Secure login page to capture the credentials entered.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1095", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used a Unix socket and a reverse TCP shell for C2 communications.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used a Base64-encoded Python script to write a patched version of the Ivanti Connect Secure `dsls` binary.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors leveraged tools including Interactsh to identify vulnerable targets, PySoxy to relay traffic between multiple endpoints simultaneously, BusyBox to enable post-exploitation activities, and Kubo Injector to inject shared objects into process memory.(Citation: Mandiant Cutting Edge January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used Task Manager to dump LSASS memory from Windows devices to disk.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003.003", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors accessed and mounted virtual hard disk backups to extract ntds.dit.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used malicious SparkGateway plugins to inject shared objects into web process memory on compromised Ivanti Connect Secure VPNs to enable deployment of backdoors.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1572", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used Iodine to tunnel IPv4 traffic over DNS.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used RDP with compromised credentials for lateral movement.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors moved laterally by using compromised credentials to connect to internal Windows systems over SMB.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021.004", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used SSH for lateral movement.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1594", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors performed reconnaissance of victims' internal websites via proxied connections.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1505", "showSubtechniques": true},
    {"techniqueID": "T1505.003", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used multiple web shells, such as [WIREFIRE](https://attack.mitre.org/software/S1115), [GLASSTOKEN](https://attack.mitre.org/software/S1117), [BUSHWALK](https://attack.mitre.org/software/S1118), [LIGHTWIRE](https://attack.mitre.org/software/S1119), and [FRAMESTING](https://attack.mitre.org/software/S1120), to maintain presence on compromised Connect Secure appliances.(Citation: Mandiant Cutting Edge January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used the ENUM4LINUX Perl script for discovery on Windows and Samba hosts.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1205", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the `/tmp/clientsDownload.sock` socket.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1078", "showSubtechniques": true},
    {"techniqueID": "T1078.002", "comment": "During [Cutting Edge](https://attack.mitre.org/campaigns/C0029), threat actors used compromised VPN accounts for lateral movement on targeted networks.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Cutting Edge", "color": "#66b1ff"}]
}