Cybersecurity Alert: Unseen WIREFIRE Web Shell Variant in ICS VPN Appliances

Recently, QuoIntelligence has uncovered a previously unknown and undetected variant of the WIREFIRE web shell, a Python-based implant found in Ivanti Connect Secure (ICS) VPN compromised appliances (CVE-2023-21887 and CVE-2023-46805). This discovery marks a significant escalation in cyber espionage tactics and raises concerns about the security of internet-facing VPN devices.

The new WIREFIRE variant was identified during an investigation into ICS VPN exploits. Unlike the original WIREFIRE web shell, which was typically located in the `/api/resources/visits.py` file, this new variant was found in `/api/resources/category.py`. This shift in location indicates a deliberate attempt by threat actors to circumvent detection mechanisms and avoid being caught by public YARA rules.

This newly identified variant of WIREFIRE demonstrates subtle yet significant changes in its methodology, specifically in data transmission and execution. It uniquely leverages cookies for transmitting encrypted payloads, a departure from the previous reliance on GIF files in `visits.py`. If the cookie is not set, the malicious code extracts the encrypted payload from the API request.

The variant also introduces an innovative code addition that allows for the execution of malicious code through Python’s `exec()` function. This technique facilitates data retention and persistence across successive POST requests, leveraging Python’s `globals()` and `locals()` functions for data storage after each execution.

When discovered, the existing YARA rules, including those provided by Mandiant, were ineffective against this new variant. This oversight led to the realization that threat actors are deploying new web shells in different directories, with slight modifications to evade detections. To combat this, QuoIntelligence developed a less restrictive and temporary YARA rule to detect commonalities between these web shells, regardless of their location.

The discovery of this undetected WIREFIRE variant highlights the constantly evolving nature of cyber threats and the importance of adaptive security measures. Organizations must remain vigilant, continuously updating their detection tools and tactics to respond to these sophisticated and stealthy threats.