Maxime Thiebaut
<p>We're still discovering further ramifications of <a href="https://infosec.exchange/tags/Ivanti" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ivanti</span></a>'s <a href="https://infosec.exchange/tags/PulseSecure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PulseSecure</span></a> vulnerabilities (<a href="https://infosec.exchange/tags/CVE_2023_46805" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2023_46805</span></a> & <a href="https://infosec.exchange/tags/CVE_2024_21887" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21887</span></a>). In February, we identified two new backdoors: <a href="https://infosec.exchange/tags/SparkCockpit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SparkCockpit</span></a> & <a href="https://infosec.exchange/tags/SparkTar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SparkTar</span></a>.
Both backdoors employ selective interception of TLS communication, offer multiple degrees of persistence and access possibilities into the victim network (e.g., traffic tunneling through SOCKS proxy).</p><p>👀 Analysis & detection rules at <a href="https://blog.nviso.eu/2024/03/01/covert-tls-n-day-backdoors-sparkcockpit-sparktar/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.nviso.eu/2024/03/01/cover</span><span class="invisible">t-tls-n-day-backdoors-sparkcockpit-sparktar/</span></a></p><p>The findings of our investigation have been independently corroborated by the research performed by Mandiant and have partially been observed by Fortinet.</p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/forensics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>forensics</span></a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reverseengineering</span></a></p>