New Content Pack - 04112024

VHR20240411 - April 11, 2024

The Mandiant Intelligence Validation Research Team (VRT) has published VHR20240411 - Content Expansion, a Security Content Pack focusing on CVE-2024-21893, CVE-2024-25153, Campaign 24-002, and Campaign 24-004. This content pack requires Director version 4.12.1.0-0 or higher.

If you've enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack from the Mandiant Documentation Portal.

Summary of Changes

  • 54 Actions added
  • 33 Files added
  • 1 Action retired
  • 18 Actions updated
  • 12 Files updated

Release Highlights

  • New Action demonstrating the exploitation of CVE-2024-21893 affecting Ivanti Connect Secure (ICS). The vulnerability allows an unauthorized attacker to remotely execute arbitrary commands on the target machine by taking advantage of a bug in the SAML authentication mechanism.
  • New Action demonstrating exploitation of CVE-2024-25153. With a specially crafted POST request, an attacker could execute commands remotely on vulnerable Fortra FileCatalyst Workflow systems.
  • New Actions demonstrating Campaign 24-002, a financially motivated UNC5175 phishing campaign delivering the REMCOS backdoor.
  • New Actions demonstrating Campaign 24-004, an APT44-conducted campaign targeting organizations in Ukraine via trojanized MS Office installers used to download and execute follow-on remote PowerShell scripts.

For full details on this release, see the Release Notes on the Mandiant Documentation Portal.
