S1119 LIGHTWIRE
LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.12
| Item | Value |
|---|---|
| ID | S1119 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 07 March 2024 |
| Last Modified | 15 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LIGHTWIRE can use HTTP for C2 communications.1 |
| enterprise | T1554 | Compromise Host Software Binary | LIGHTWIRE can imbed itself into the legitimate compcheckresult.cgi component of Ivanti Connect Secure VPNs to enable command execution.21 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LIGHTWIRE can RC4 decrypt and Base64 decode C2 commands.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | LIGHTWIRE can RC4 encrypt C2 commands.1 |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | LIGHTWIRE is a web shell capable of command execution and establishing persistence on compromised Ivanti Secure Connect VPNs.1 |
References
-
Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. ↩↩↩↩↩↩
-
McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024. ↩↩