#pulsesecure

We're still discovering further ramifications to #Ivanti's #PulseSecure vulnerabilities (#CVE_2023_46805 & #CVE_2024_21887). In February, we identified two new backdoors: #SparkCockpit & #SparkTar. Both backdoors employ selective interception of TLS communication, offer multiple degrees of persistence and access possibilities into the victim network (e.g., traffic tunneling through SOCKS proxy).

👀 Analysis & detection rules at blog.nviso.eu/2024/03/01/cover

The findings of our investigation have been independently corroborated by the research performed by Mandiant and have partially been observed by Fortinet.

NVISO Labs · Covert TLS n-day backdoors: SparkCockpit & SparkTar
This report documents two covert TLS-based backdoors identified by NVISO: SparkCockpit & SparkTar.

True facts. AFAICT, the #Ivanti mess is technical-debt chickens coming home to roost. I was at #NetScreen when we acquired #Neoteris (originators of the #SSLVPN product), and then over the next two decades #Juniper > #PulseSecure > #Ivanti have tortured that legacy codebase with everything from FrankenNAC to PE-driven developer offshoring to bolt-on cloud-service offerings. TBH the only thing that surprises me about this is that it took so long.
Pouring one out for what was truly a revolutionary #VPN solution when it debuted 20-some years ago...