Threat Context Monthly: Executive intelligence briefing for May 2024

Threat actor of the month: UAT4356 – State-sponsored adversary

UAT4356 is a state-sponsored threat actor that targets perimeter network devices in government networks globally with a clear focus on espionage. Their first activity can be traced back to November 2023, although researchers found evidence that the group was testing its capabilities as early as July 2023.

So far, the initial attack vector used by the group has not been able to be determined. In a campaign named ArcaneDoor, they do were observed exploiting two 0-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) (CVE-2024-20353 and CVE-2024-20359) to implant custom malware and be able to execute commands and exfiltrate information. 

The campaign proves the group had a thorough understanding of the targeted devices and of forensic actions commonly performed by Cisco for network device integrity validation. The adversary employed two custom backdoors named Line Runner and Line Dancer, to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.

Spotlight threat: Threat actors exploit Ivanti Connect vulnerabilities

 In the last days, Mandiant published the fourth blog in a series of publications related to the study of the exploitation of Ivanti Connect Secure vulnerabilities, unveiling new clusters of activity. Since the first announcement of the two first vulnerabilities (tracked as CVE-2023-46805 and CVE-2024-21887) in January 2024, more flaws were uncovered, some highly used by cybercriminals. In the latest Mandiant blog, they specify that they have observed eight clusters of activity, some of them already reported, highlighting that five are related to China-nexus activity. Also, they mentioned that not just nation-state threat actors but financially motivated groups are using these flaws, as also Unit42 and Check Point pointed out.

To date, the following data has been published about the threat actors that are exploiting Ivanti Connect flaws:

Ivanti CVEThreat Actor
CVE-2024-21887UTA0178” / Nation-state (China)
Volt Typhoon” / Nation-state (China)
UNC5325” / Espionage group (China)
UNC5330” / Espionage group (China)
UNC3569” / Espionage group (China)
Magnet Goblin” / e-crime
CVE-2023-46805 UTA0178
Volt Typhoon
Magnet Goblin 
CVE-2024-21893Volt Typhoon
Magnet Goblin 
CVE-2024-21888 Magnet Goblin 

Based on the Mandiant series of Ivanti Connect blogs, the following overlaps and threat actors’ names should not be mistaken:

  • UNC3569 overlaps with UNC5266.
  • UTA0178 is also known as UNC5221.
  • Volt Typhoon is also known as UNC5291.

KrakenLabs highlights observed

Emerging threat

USB-born malware attacks: Researchers have observed that USB-born malware attacks against industrial organizations are reportedly escalating in complexity and persistence, including tactics for evading detection and the use of USB devices to bridge air-gapped security measures. Learn more →

Adoption of sophisticated steganography: Threat actors are slowly becoming more sophisticated in using steganography to hide their artefacts, which so far includes putting a piece of malware inside a picture.  The threat actor known as TA558 has been using this technique for a while, launching a new massive campaign against public organizations and companies worldwide to spread, among others, AgentTesla, FormBook, Remcos, Formbook,  and Guloader. Learn more →


BIG-IP Next Central Manager vulnerabilities:  F5 has fixed two high-severity BIG-IP Next Central Manager (CVE-2024-26026/21793) vulnerabilities, which can be exploited to gain admin full administrative control of the device. A Proof-of-Concept has already been shared. Learn more →

New zero-day CVE-2024-27322: A high-severity vulnerability in the R programming language’s deserialization process, identified as CVE-2024-27322, could expose users to supply chain attacksallowing execution of arbitrary code via crafted RDS files. Learn more →

CrushFTP zero-day vulnerability: Crowdstrike warned of a critical zero-day vulnerability in CrushFTP software (CVE-2024-4040) exploited in targeted attacks, allowing unauthorized system file downloads. A Proof-of-Concept has already been shared. Learn more →

Malware & Ransomware

BlackCat exodus: After the shutdown of BlackCat operations, some affiliates moved along with RansomHub, a new group. This event caused the user notchy to extort Change Healthcare company again after they had already paid the ransom demand to BlackCat, being extorted by both groups in different periods. Learn more → / and more →

Ransomware’s reputation downturn: RaaS developers have undermined their credibility by cheating affiliates, notably with the LockBit group‘s public payment dispute and BlackCat‘s likely exit scam, which prompted a significant exodus of ransomware affiliates from these platforms. Learn more →

Operation Pandora: Europol raided 12 call centers, arresting 21 individuals involved in a widespread phone scam operation. They were involved in fake police calls, investment fraud, and romance scams.Learn more →

Number of victims listed on the monitored Data Leak Sites by ransomware groups in the last 30 days.

Learn more about Threat Compass

Want more? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team.

What’s new in Threat Context this month?

Threat actors: Solar Spider, prapra123, CoralRaider, Cyberbooter, UNC5330, Cyberbooter, JustNoBody, snowcat, RUBYCARP, Jia Tan, etc.

Tools: Line Runner, Line Dancer, Upstyle, NKAbuse, Xeno RAT, OCEANMAP, Rude Stealer, Nova Stealer, Crystal Rans0m, SEXi, etc.

and much more!

Get started with Threat Compass

About the Author

KrakenLabs Threat Intelligence Team, Outpost24

KrakenLabs is Outpost24’s Cyber Threat Intelligence team. Our team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business detect and deter external threats.