Covert TLS n-day backdoors: SparkCockpit & SparkTar

In early 2024, Ivanti's Pulse Secure appliances suffered widespread exploitation of the then newly reported vulnerabilities CVE-2023-46805 and CVE-2024-21887. Amongst the many victims, a critical-sector organization triggered its NVISO incident-response retainer to support its internal security teams in the investigation of the observed compromise of its Ivanti appliance. This report documents two at-the-time undetected covert TLS-based backdoors which NVISO identified during this investigation: SparkCockpit and SparkTar. Both backdoors selectively intercept TLS communication destined for the legitimate Ivanti server applications: only sessions carrying the implant's trigger are diverted, while all other sessions are handed to the legitimate application untouched. Because the backdoor traffic therefore arrives on the appliance's own listener, under its own certificate, as ordinary HTTPS, the attackers have managed to avoid detection by most (if not all) network-based security solutions.

While SparkCockpit is believed to have been deployed through the 2024 Pulse Secure exploitation, SparkTar has been in use since at least Q3 2023 across multiple appliances. The two backdoors offer multiple degrees of persistence and of access into the victim network, for example traffic tunneling by establishing a SOCKS proxy. SparkTar is the more advanced of the two, with the capability of surviving both factory resets and appliance upgrades. Both backdoors additionally provide file-upload and command-execution capabilities.
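The selective-interception behaviour described above is easiest to reason about as a dispatcher sitting where the TLS-terminating server process would be. The following is an added example written for this page, not NVISO's code and not a reconstruction of either implant: it models, in-process over `socket.socketpair()`, a listener that inspects the first plaintext request of each session, diverts only sessions carrying a hypothetical trigger header (`X-Demo-Trigger`, an assumption; the real triggers are not described here) to an implant-style handler that "opens" a simulated SOCKS-style tunnel, and hands every other session to a stand-in legitimate web application byte-for-byte unchanged. TLS termination is assumed to have already happened in front of `handle_session()`.

```python
"""Constructed model of selective interception on a shared HTTPS listener.
Added example; not the original page's code and not real implant code.
Everything runs offline over socketpair(); TLS is assumed already terminated."""
import socket
import threading

# Hypothetical trigger header for this demo only; the real implants' trigger
# mechanism is not described on the page.
MARKER = b"X-Demo-Trigger:"

# Records which request lines actually reached the legitimate application,
# so a caller can verify that diverted sessions never touch it.
BACKEND_HITS = []


def _http_200(body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


def legit_backend(sock: socket.socket) -> None:
    """Stand-in for the legitimate appliance web application."""
    req = sock.recv(65536)
    first_line = req.split(b"\r\n", 1)[0]
    BACKEND_HITS.append(first_line)
    sock.sendall(_http_200(b"legit: " + first_line))
    sock.close()


def covert_handler(sock: socket.socket, req: bytes) -> None:
    """Stand-in for implant behaviour: pretend to open a SOCKS-style tunnel
    to the host:port named in the trigger header (simulated, nothing is dialled)."""
    headers = req.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    target = next(h[len(MARKER):].strip() for h in headers if h.startswith(MARKER))
    sock.sendall(_http_200(b"simulated tunnel to " + target))
    sock.close()


def handle_session(client: socket.socket) -> None:
    """Runs where the TLS-terminating server would: look at the first plaintext
    request, divert tagged sessions, pass everything else through untouched."""
    data = client.recv(65536)
    head = data.split(b"\r\n\r\n", 1)[0]
    if any(line.startswith(MARKER) for line in head.split(b"\r\n")):
        covert_handler(client, data)
        return
    # Untagged session: relay the bytes to the legitimate application and
    # stream its reply back. The client (and any network sensor) sees the
    # same endpoint and the same TLS session either way.
    front, back = socket.socketpair()
    threading.Thread(target=legit_backend, args=(back,), daemon=True).start()
    front.sendall(data)
    while chunk := front.recv(65536):
        client.sendall(chunk)
    front.close()
    client.close()


def send_request(req: bytes) -> bytes:
    """Client side: one 'connection' to the shared listener; returns the reply."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=handle_session, args=(server,), daemon=True)
    worker.start()
    client.sendall(req)
    chunks = []
    while chunk := client.recv(65536):
        chunks.append(chunk)
    client.close()
    worker.join()
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed sample sessions: one ordinary VPN portal request, one tagged.
    print(send_request(b"GET /login HTTP/1.1\r\nHost: vpn.example\r\n\r\n"))
    print(send_request(b"GET /login HTTP/1.1\r\nHost: vpn.example\r\n"
                       b"X-Demo-Trigger: 10.0.0.5:445\r\n\r\n"))
```

The point a defender should take from running this is in what `BACKEND_HITS` does and does not record: the tagged session produces a reply without the legitimate application ever seeing it, while an observer outside the TLS boundary has no field (port, certificate, SNI) on which the two sessions differ. Distinguishing them requires visibility on the appliance itself, after decryption.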

It is important to note that, given the purpose of the Ivanti Pulse Secure appliances in the environment, which is to give external, authenticated users access to various internal resources, the attackers would typically not be restricted in which internal resources they can reach. Depending on the network restrictions in place, attackers could gain full network-level access to a compromised environment through the tunneling capabilities embedded in the SparkTar backdoor.

The report provides a comprehensive examination of the two sophisticated and previously undetected backdoors, SparkCockpit and SparkTar. The findings of our investigation have been independently corroborated by research performed by Mandiant and have partially been observed by Fortinet. The findings and detection rules detailed in the report are shared to support the cybersecurity community and to allow further detections and mitigations to take place. By sharing these insights, NVISO aims to give organizations an understanding of the capabilities and inner workings of the backdoors, and to help them strengthen their security posture and resilience against these evolving advanced threats.