Home / Industry

Tracing Ivanti Zero-Day Exploitation IoCs in the DNS

Among the latest to suffer from zero-day exploitation is Ivanti, a software company providing endpoint management and remote access solutions to various organizations, including U.S. federal agencies. High-impact zero-day vulnerabilities affecting Ivanti Connect Secure VPN and Policy Secure were recently reported, which could allow threat actors to execute arbitrary code with high-level access.

Mandiant already reported zero-day exploitations using these vulnerabilities by UNC5221, a suspected China-based espionage threat group. Other unknown threat groups may have also exploited the vulnerabilities. Mandiant published an in-depth investigation of the exploitation, including a list of indicators of compromise (IoCs) comprising 10 domains, two subdomains, and eight IP addresses.

In an effort to find more information and possibly connected artifacts, the WhoisXML API research team expanded the IoC list, leading to the discovery of:

  • Three public email addresses
  • 33 email-connected domains
  • 13 additional IP addresses
  • 211 IP-connected domains
  • 153 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download on our website.

Infrastructure Analysis of the Ivanti Zero-Day Exploitation IoCs

As our usual first step in analyzing IoCs, we performed a bulk WHOIS lookup for 12 domains (10 domain IoCs and two domains extracted from the subdomains tagged as IoCs) and found that:

  • They were administered by nine different registrars—Namecheap, which accounted for three domains, and GoDaddy.com LLC; PDR Ltd.; CSL Computer Service Langenbach GmbH; IONOS SE; Gabia; WEBCC; Threvon Internet Services; and NetEarth One, Inc. with one domain each. One IoC did not have current registrar data.
  • Three domains were created in 2024, two in 2023, one in 2022, one in 2021, one in 2019, two in 2010, and the oldest in 2007. The remaining domain had no creation date in its current WHOIS record.

  • They were spread across six registrant countries. Three were registered in Iceland, two in the U.S., and one each in Germany, South Korea, Malaysia, and the U.K. Three domains did not have a current registrant country data.

We also subjected the domain IoCs to a screenshot analysis, which revealed that some continued to host live content, including the websites below.

Screenshot of domain IoC cpanel[.]netbar[.]org
Screenshot of domain IoC areekaweb[.]com
Screenshot of domain IoC miltonhous[.]enl
Screenshot of domain IoC ehangmun[.]com

Next, we did a bulk IP geolocation lookup for the eight IP addresses listed as IoCs, which revealed that:

  • They were spread across five geolocation countries—four in the U.S. and one each in Germany, the Netherlands, Singapore, and China.
  • Each was administered by a different ISP, namely, Host Europe GmbH, DigitalOcean LLC, Hangzhou Alibaba Advertising Co. Ltd., Limenet, CorporaciĆ³n Dana S.A., Comcast Cable Communications LLC, BL Networks, and Cablevision Systems Corp.

Mapping the DNS Connections of the Ivanti Zero-Day Exploitation IoCs

Our next step was to scour the DNS for more traces of the malicious resources used in the vulnerability exploitation.

WHOIS History API searches for the domain IoCs enabled us to discover 14 email addresses in their historical WHOIS records, three of which were public. Subjecting the three unredacted email addresses to Reverse WHOIS API searches revealed that they appeared in the current WHOIS records of 33 domains after duplicates and IoCs were removed.

Next, we performed DNS lookups for the 12 domain IoCs (including two from the subdomains tagged as IoCs), which led us to 13 unique IP addresses, excluding those already tagged as IoCs.

The 13 additional IP addresses were then subjected to IP geolocation lookups, which revealed that:

  • They were geolocated in seven countries, three of which were also the origin of three IoCs. Six IP addresses pointed to the U.S. as their origin, two were geolocated in Cyprus, and one each in the Netherlands, Germany, Thailand, South Korea, and Iran.
  • They were managed by nine ISPs—Cloudflare with four IP addresses, GTHost with two, and Signet BV, IONOS SE, Siamdata Communication Co. Ltd., Korea Telecom, QuadraNet Enterprises LLC, SoftLayer, and Pars Parva System LLC with one IP address each.

  • Threat Intelligence API also revealed that all 13 IP addresses were associated with various threats. A few examples are shown in the table below.

    IP ADDRESSESASSOCIATED THREAT TYPES
    104[.]21[.]61[.]132Phishing
    Malware
    Generic
    217[.]160[.]0[.]177Phishing
    Malware
    5[.]8[.]18[.]6Malware
    Generic
    172[.]67[.]209[.]167Phishing
    Malware
    Generic
    104[.]21[.]69[.]158Phishing
    Malware
    Generic

To find more connected domains, we subjected the 13 additional IP addresses and eight IP address IoCs to reverse IP lookups, which showed that nine were potentially dedicated. They led to 211 IP-connected domains after filtering out duplicates, the IoCs, and email-connected domains.

Screenshot analyses for the IP-connected domains revealed that one domain—tedtankal[.]xyz—hosted content similar to one of the domain IoCs, areekaweb[.]com. While the two domains had redacted WHOIS records, they were both registered with GoDaddy.

Screenshot of IP-connected domain tedtankal[.]xyz
Screenshot of domain IoC areekaweb[.]com

As a final step, we looked for string-connected domains using Domains & Subdomains Discovery using the Starts with search parameter. They led to the discovery of 145 domains that began with these strings that appeared among the domain IoCs:

  • symantke
  • miltonhouse.
  • entraide-internationale
  • clickcom.
  • clicko.
  • duorhytm
  • line-api
  • areekaweb
  • ehangmun
  • secure-cama

Meanwhile, a wildcard search on Threat Intelligence API using the string clicko (i.e., clicko*) revealed eight domains associated with phishing, malware, and other threats. One of the malicious domains continued to host live content.

Screenshot of the malicious string-connected domain clickcomputerservices[.]com

Our investigation started out with 10 domains, two subdomains, and eight IP addresses tagged as IoCs in the zero-day exploitation of Ivanti vulnerabilities. It then led to the discovery of three public email addresses, 33 email-connected domains, 13 additional IP addresses, 211 IP-connected domains, and 153 string-connected domains. We also found that all 13 additional IP addresses and eight string-connected domains already figured in various cyber threats.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign