WIREFIRE

WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and command execution.^[1]

ID: S1115

ⓘ

Associated Software: GIFTEDVISITOR

ⓘ

Type: MALWARE

ⓘ

Platforms: Network

Version: 1.0

Created: 04 March 2024

Last Modified: 05 March 2024

Associated Software Descriptions

Name	Description
GIFTEDVISITOR	^[2]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1554		主机软件二进制文件妥协	WIREFIRE can modify the `visits.py` component of Ivanti Connect Secure VPNs for file download and arbitrary command execution.^[1]^[2]
Enterprise	T1573	.001	加密通道: Symmetric Cryptography	WIREFIRE can AES encrypt process output sent from compromised devices to C2.^[1]
Enterprise	T1140		反混淆/解码文件或信息	WIREFIRE can decode, decrypt, and decompress data received in C2 HTTP `POST` requests.^[1]
Enterprise	T1071	.001	应用层协议: Web Protocols	WIREFIRE can respond to specific HTTP `POST` requests to `/api/v1/cav/client/visits`.^[1]^[2]
Enterprise	T1132	.001	数据编码: Standard Encoding	WIREFIRE can Base64 encode process output sent to C2.^[1]
Enterprise	T1505	.003	服务器软件组件: Web Shell	WIREFIRE is a web shell that can download files to and execute arbitrary commands from compromised Ivanti Connect Secure VPNs.^[1]
Enterprise	T1105		输入工具传输	WIREFIRE has the ability to download files to compromised devices.^[1]

Campaigns

ID	Name	Description
C0029	Cutting Edge	^[1]

References

McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.

Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.

WIREFIRE

Associated Software Descriptions

Enterprise Layer

Techniques Used

Campaigns

References