WARPWIRE

WARPWIRE is a JavaScript credential stealer that harvests plaintext usernames and passwords for exfiltration; it was used during Cutting Edge against Ivanti Connect Secure VPNs.[1][2]

ID: S1116
Type: MALWARE
Platforms: Network
Version: 1.0
Created: 05 March 2024
Last Modified: 29 March 2024

Techniques Used

Domain ID Name Use
Enterprise T1554 Compromise Host Software Binary

WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

WARPWIRE is a credential harvester written in JavaScript.[1]

Enterprise T1132.001 Data Encoding: Standard Encoding

WARPWIRE can Base64 encode captured credentials with btoa() prior to sending them to C2.[1]

Enterprise T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

WARPWIRE can send captured credentials to C2 via HTTP GET or POST requests.[1][2]

Enterprise T1056.003 Input Capture: Web Portal Capture

WARPWIRE can capture credentials submitted during the web logon process in order to access layer seven applications such as RDP.[1]
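The Base64 encoding (T1132.001) and HTTP GET/POST exfiltration (T1048.003) entries above together describe something a defender can hunt for in web server access logs: query-string values that decode from Base64 to a username and password. The Python script below is an added example, not part of this ATT&CK entry, of WARPWIRE, or of any Ivanti tooling. The log lines, paths, client addresses and credential in it are constructed, and the "user:password or user=...&password=..." shape test is an assumed heuristic for how a stealer might serialize captured form fields. It only inspects GET requests, because POST bodies do not appear in standard access logs and would need proxy or WAF capture.

```python
import base64
import re
import string
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (Common Log Format); none are real traffic.
# The second line carries a Base64 value built to mimic btoa("user123:Summer2024!").
_ENCODED = base64.b64encode(b"user123:Summer2024!").decode("ascii")
SAMPLE_LOG = (
    '203.0.113.10 - - [05/Mar/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 5120\n'
    f'203.0.113.10 - - [05/Mar/2024:10:00:05 +0000] "GET /static/theme.css?d={_ENCODED} HTTP/1.1" 200 13\n'
    '203.0.113.11 - - [05/Mar/2024:10:01:12 +0000] "GET /images/logo.png?v=20240305 HTTP/1.1" 200 8190\n'
    '203.0.113.12 - - [05/Mar/2024:10:02:44 +0000] "POST /api/collect HTTP/1.1" 200 0\n'
)

_REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def looks_like_base64(value: str, min_len: int = 16) -> bool:
    """True if value uses the Base64 alphabet with valid padding and length.

    Short values are skipped (assumed threshold) to keep version tags and
    cache-busters from producing noise.
    """
    return len(value) >= min_len and len(value) % 4 == 0 and bool(_B64_RE.match(value))


def decode_if_credential(value: str) -> Optional[str]:
    """Decode a Base64 candidate; return it only if it is printable text shaped like credentials."""
    if not looks_like_base64(value):
        return None
    try:
        # btoa() in a browser emits Latin-1, so decode the bytes that way.
        decoded = base64.b64decode(value, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    if not all(ch in _PRINTABLE for ch in decoded):
        return None
    # Assumed heuristic: "user:pass" or form-style "user=...&password=...".
    if ":" in decoded or ("=" in decoded and "&" in decoded):
        return decoded
    return None


def find_encoded_credentials(log_text: str) -> list[dict]:
    """Scan access-log lines for GET query parameters that decode to credential-like text."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _REQUEST_RE.match(line)
        if not m or m.group("method") != "GET":
            continue  # POST bodies are not logged here; they need proxy/WAF capture.
        parsed = urlparse(m.group("target"))
        for param, values in parse_qs(parsed.query, keep_blank_values=True).items():
            for value in values:
                # A raw '+' in a logged query string is more likely a Base64 character
                # than an encoded space, so restore it before decoding (heuristic).
                decoded = decode_if_credential(value.replace(" ", "+"))
                if decoded is not None:
                    findings.append({
                        "line": lineno,
                        "client": m.group("ip"),
                        "path": parsed.path,
                        "param": param,
                        "decoded": decoded,
                    })
    return findings


if __name__ == "__main__":
    for f in find_encoded_credentials(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['path']} "
              f"param {f['param']!r} decodes to {f['decoded']!r}")
```

Run on the constructed log the script flags only line 2 (the request to a static asset whose `d` parameter decodes to `user123:Summer2024!`); the version tag on line 3 is too short to qualify and the POST on line 4 is skipped. In practice the request to a static path with an unusual query string is itself a useful signal, so pair this with a baseline of which paths on the VPN portal legitimately take parameters.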

Campaigns

ID Name Description
C0029 Cutting Edge

[1][3][4]

References