The Defender's Advantage Podcast
Episode: UNC5221 and The Targeting of Ivanti Connect Secure VPNs
Date: May 5, 2025
Host: Luke McNamara (Google Threat Intelligence Group)
Guests: Matt Lin (Senior Incident Response Consultant, Mandiant), Daniel Spicer (Chief Security Officer, Ivanti)
Episode Overview
This episode dives deep into the exploitation of Ivanti Connect Secure VPNs by the Chinese espionage group tracked as UNC5221. Host Luke McNamara talks with Mandiant's Matt Lin and Ivanti's Daniel Spicer about the technical details of recent attacks, the evolving threat landscape surrounding edge infrastructure, the challenges in defending these critical devices, and what organizations and vendors can do to bolster security and resilience.
Key Discussion Points & Insights
Introduction & Framing the Threat
- [00:03] The podcast focuses on UNC5221, a Chinese espionage actor particularly skilled in exploiting Ivanti Connect Secure VPNs through evolving techniques.
- The discussion includes the broader context of increasing exploitation of edge infrastructure, such as VPNs and routers, as a primary attack vector for threat actors.
Details of the Attack & UNC5221 Techniques
- [02:10] New Vulnerability:
  - In April 2025, Mandiant published a blog detailing exploitation of CVE-2025-22457, a stack-based buffer overflow that permits unauthenticated remote code execution on unpatched Ivanti Connect Secure versions.
  - Exploitation began in mid-March 2025 against high-value organizations; Mandiant attributes the activity to UNC5221.
- Malware Analysis:
  - Post-exploitation, two new malware families were observed: TRAILBLAZE, an in-memory-only dropper, and BRUSHFIRE, the passive backdoor it injects.
  - Together they form an in-memory-only, passive backdoor: nothing is written to disk, and the implant acts only when it receives a specific trigger, which leaves defenders very few artifacts to find.
  - Quote [03:31], Matt Lin:
    "It's written in plain C, it uses raw syscalls, and it does exactly what the threat actor wants it to do and no more. And I think the file size for one of these was less than a kilobyte in size, so certainly very impressive what they've done in order to fit that payload into their exploits."
- Evolution of Techniques:
  - [05:01] Compared with prior campaigns, UNC5221 shows greater sophistication, faster adaptation, and more deliberate detection evasion.
  - Techniques include:
    - Custom malware
    - Trojanizing legitimate files and scripts on the appliance
    - Living-off-the-land, evasion, and anti-forensics
    - Improved clean-up and persistence methods
- Novel Methods Examined:
  - [05:55] PHASEJAM (spoken as "Phase Jam" in the episode):
    - A malware family that blocks administrators from upgrading or patching a compromised appliance: it silently stops the real upgrade in the background while rendering a fake progress bar, so the admin believes the update is being applied and the compromise survives the "upgrade".
  - Quote [06:44], Matt Lin:
    "It would silently block the upgrade in the background, but it would also actually render a fake HTML progress bar... if you were an administrator performing the patch or the upgrade, you may not notice that something was wrong."
Detection and Discovery
- [08:41] Integrity Checking Tool (ICT):
  - Ivanti ships an ICT that works like file integrity monitoring: it compares the files on the appliance against a known-good manifest and flags unauthorized changes. It has been key to detecting numerous attacks since 2021.
  - Adversaries try to evade the ICT, but doing so forces them to maintain perfect operational security on every compromised device, which is rarely sustainable; a single slip is often what exposes an intrusion.
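The idea behind an ICT fits in a few dozen lines. The following is an added example written for this summary, not Ivanti's ICT and not code from the episode; the appliance file names, the tampered upgrade script, the dropped file and the HMAC key are all constructed for illustration. It baselines a directory tree, later reports added, removed and modified files, and authenticates the baseline so that an intruder with write access to the filesystem cannot re-baseline their own changes without the key:

```python
"""File-integrity check in the spirit of an appliance ICT: hash a file tree,
store an authenticated baseline, later diff the live tree against it.

Added example for this summary; not Ivanti's ICT and not code from the
episode. Paths, file contents and the key below are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_baseline(root: Path, out: Path, key: bytes) -> None:
    """Persist the snapshot with an HMAC over its canonical JSON form.
    Without the key, an intruder who can write to disk cannot quietly
    re-baseline the files they changed."""
    body = json.dumps(snapshot(root), sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    out.write_text(json.dumps({"tag": tag, "body": body}))


def verify(root: Path, baseline: Path, key: bytes) -> dict:
    """Diff the live tree against the baseline; raise if the baseline itself
    fails authentication (tampered with, or regenerated without the key)."""
    doc = json.loads(baseline.read_text())
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline failed HMAC check: do not trust its contents")
    old = json.loads(doc["body"])
    new = snapshot(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo() -> dict:
    """Baseline a constructed 'appliance' tree, trojanize its upgrade script
    the way the episode describes (block the upgrade, show a fake progress
    message), drop one extra file, and return what the check reports."""
    key = b"constructed-demo-key"  # in practice: held off-box, not on the appliance
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "appliance"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "upgrade.sh").write_text("#!/bin/sh\nexec /pkg/do_upgrade \"$@\"\n")
        (root / "bin" / "web").write_bytes(b"\x7fELF constructed placeholder binary")
        baseline = Path(tmp) / "baseline.json"
        write_baseline(root, baseline, key)

        # Tamper: the real upgrade is skipped, the admin only sees a fake progress line
        (root / "bin" / "upgrade.sh").write_text(
            "#!/bin/sh\necho 'Upgrade in progress... 100%'\nexit 0\n"
        )
        (root / "bin" / ".cache").write_bytes(b"dropped stage")
        return verify(root, baseline, key)


def demo_rebaseline_without_key() -> bool:
    """An intruder regenerates the baseline to match the tampered tree but
    lacks the key; verify() must refuse the forged baseline.
    Returns True when the forgery is caught."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "appliance"
        root.mkdir()
        (root / "upgrade.sh").write_text("#!/bin/sh\nexit 0\n")
        baseline = Path(tmp) / "baseline.json"
        write_baseline(root, baseline, b"attacker-guess")  # wrong key
        try:
            verify(root, baseline, key)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("forged baseline rejected:", demo_rebaseline_without_key())
```

Two caveats follow directly from the episode. An in-memory-only implant of the TRAILBLAZE/BRUSHFIRE kind leaves nothing on disk for a check like this to find, so process memory and network behaviour have to be examined as well. And the check is only as trustworthy as the tool, the baseline and the key: if they live on the appliance, whoever controls the appliance can trojanize them exactly as the upgrade script was, which is why the key in the example is meant to be held off-box.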
- Vulnerability Lifecycle:
  - [09:46] The window between fix and exploitation is shrinking. Ivanti found and fixed the underlying bug, but within roughly six weeks attackers had weaponized the overlooked flaw, bypassing the technical mitigations that had originally limited it.
  - Quote [10:27], Daniel Spicer:
    "We're seeing a significant increase in the sophistication and just the time to exploitation. I think everybody needs to take that very seriously."
Broader Edge Infrastructure Trends
- [12:14] China-nexus actors lead in zero-day exploitation, with most of that activity tied to government-backed espionage operations.
- Attacks target edge infrastructure because:
  - It sits at a privileged network position (VPNs, firewalls, and routers are the gatekeepers to the internal network).
  - Compromising such a device often grants broad access in a single step.
  - Edge devices receive less security investment and monitoring than servers or user endpoints.
- The landscape is shifting toward exploitation and away from phishing as an initial access vector, reflecting improved endpoint security and greater adversarial effort on edge infrastructure gaps.
Defensive Strategies and Transparency
- [16:53] Threat Modeling and Secure by Design:
  - Assume adversaries have, or can obtain, your source code; do not rely on obscurity.
  - Quote [17:04], Daniel Spicer:
    "Just assume your source code is available, right?... then you start talking about how do I eliminate vulnerabilities, how do I create checkpoints, how do I make it easier to disable certain functions in the appliance?"
- Vulnerability Disclosure:
  - Transparency in patching and disclosure is essential; relying on secrecy increases risk for customers.
  - Misclassification is costly: a flaw fixed as an ordinary product bug rather than recognized as a security vulnerability is not communicated as one, so customers see no urgency to patch while attackers go on to exploit it, as happened here.
Lessons for Organizations & Vendors
- [21:29] For Organizations:
  - Understand the limits of monitoring proprietary edge devices; third-party tooling such as EDR usually cannot be deployed on them, so vendor-provided checks and external telemetry (logs, network flows) carry more weight.
  - Focus on security fundamentals: vulnerability management, patch management, and rapid adoption of vendor guidance.
  - Stay current on the threat landscape, subscribe to vendor advisories, and keep administrative interfaces off the Internet.
  - Quote [22:50], Matt Lin:
    "There's no panacea in security, but I think the fundamentals are often where you can kind of make the most impact in your overall security posture while making the best use of the finite resources that you have."
- [24:39] For Vendors:
  - Commit to transparency: register CVEs, publish security advisories, and inform customers so they can defend proactively.
  - Encourage proper configuration and discourage risky exposure patterns.
  - Recognize that vulnerabilities exploited first by nation-states are eventually co-opted by broader cybercriminals, including ransomware actors.
  - Quote [25:00], Daniel Spicer:
    "Transparency is very critical to helping your end customer avoid risk... Eventually this stuff does roll downhill where we start with nation state threat actors and eventually ransomware actors catch up and start using the same vulnerabilities."
Notable Quotes & Memorable Moments
- "I remember finding the malware for the first time... just thinking like, wow, this is quite minimal and it's almost elegant... less than a kilobyte in size." — Matt Lin [03:31]
- "Phase Jam... would render a fake HTML progress bar... to kind of give the appearance that the upgrade was actually in progress." — Matt Lin [06:44]
- "There's a very, very short time from Ivanti fixing an issue... to attempted exploitation by the threat actor. That's a very, very short time." — Daniel Spicer [10:27]
- "Edge infrastructure... can seem like a black box... security shouldn't be done without context or without kind of taking risk into the equation." — Matt Lin [21:37]
- "Assume your source code is available... start talking about how do I eliminate vulnerabilities..." — Daniel Spicer [17:04]
Important Timestamps
- 02:10 – UNC5221 background and details of the CVE-2025-22457 exploitation
- 03:31 – Analysis of malware families Trailblaze and Brushfire
- 05:01 – Evolution of attacker technique and detection evasion
- 06:44 – Breakdown of the PHASEJAM malware's fake update tactic
- 08:41 – Daniel Spicer on the role and effectiveness of the ICT
- 12:14 – Matt Lin on why edge infrastructure is being targeted
- 16:53 – Daniel Spicer on threat modeling and transparency
- 21:29 – Recommendations for organization security fundamentals
- 24:39 – Daniel Spicer on vendor lessons: transparency, advisories, and CVEs
Takeaways
- Edge devices are increasingly targeted due to their privileged position and traditional lack of scrutiny compared to user endpoints.
- UNC5221 exemplifies modern nation-state threat actors: rapid adaptation, deep technical knowledge of the target platform, strong operational security, and persistence.
- Vulnerability management, rapid patch adoption, configuration security, and transparency from vendors are critical to mitigate such threats.
- Industry-wide, there is a need to assume full adversarial knowledge and invest in defensive fundamentals rather than relying solely on secrecy or reactive patching.
This episode is essential listening for defenders, vendors, and CISOs aiming to stay ahead of sophisticated attacks on edge infrastructure.
