Can't patch, must disable: China uses 0day in Ivanti VPN to spy on the whole world

Brother

Mass exploitation of Ivanti vulnerabilities has alarmed US federal agencies.

Cybersecurity company Censys has found that hackers, reportedly working for the Chinese government, are mass-exploiting critical vulnerabilities in Ivanti's VPN appliances, gaining full control over the devices.

According to Censys, of roughly 26,000 Ivanti VPN devices exposed to the Internet, 492 remained compromised, spread across many countries including the United States (121 devices), Germany (26), South Korea (24) and China (21). The largest share of compromised devices was hosted in Microsoft's cloud (13), followed by Amazon cloud environments (12) and Comcast (10).

In a follow-up scan of Ivanti Connect Secure servers, Censys researchers found 412 unique hosts carrying a backdoor and 22 distinct malware variants, which may indicate either many attackers or a single one changing its tactics.

At issue are two zero-day vulnerabilities in the web components of Ivanti Connect Secure and Ivanti Policy Secure, affecting all supported versions (9.x and 22.x):
  • CVE-2023-46805 (CVSS score: 8.2): an authentication bypass that allows a remote attacker to reach restricted resources by skipping control checks;
  • CVE-2024-21887 (CVSS score: 9.1): a command injection that allows an authenticated user to send specially crafted requests and execute arbitrary commands on the appliance.
Chained together, the bypass gives an unauthenticated attacker the access the injection requires, so the pair amounts to unauthenticated remote command execution.
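The two bug classes above, and why they chain, are easier to see in code. The toy request router below is an added example written for this page; it is not Ivanti's code, it does not reproduce the real CVE-2023-46805 or CVE-2024-21887 (whose details the article does not describe), and every path, parameter and token in it is hypothetical. It shows an authentication bypass (a prefix check done on the raw path while routing happens on the normalised path) feeding a command injection (user input interpolated into a shell string), with a hardened handler beside it. `echo` stands in for a real network tool so the code runs offline on any POSIX system.

```python
import posixpath
import re
import subprocess

# Constructed stand-in for a valid session token; a real appliance would consult a session store.
VALID_TOKEN = "hypothetical-session-token"
# Allowlist for the "host" parameter in the hardened handler: hostname or IPv4 characters only.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def _diagnostic(host, shell):
    """Run the diagnostic exposed by the hypothetical /admin/ping endpoint.

    'echo' replaces a real network tool so the example runs offline. With shell=True the
    command is a single string built from user input (the vulnerable pattern); otherwise it
    is an argv list, so the host can only ever be one argument of one program.
    """
    if shell:
        proc = subprocess.run(f"echo pinging {host}", shell=True,
                              capture_output=True, text=True)
    else:
        proc = subprocess.run(["echo", "pinging", host],
                              capture_output=True, text=True)
    return proc.stdout.strip()


def vulnerable_handle(path, query, token=None):
    """Toy vulnerable router: two independent bugs that chain into unauthenticated RCE."""
    # Bug 1 (authentication bypass): the auth check is a prefix test on the RAW path, but
    # routing uses the normalised path. "/public/../admin/ping" does not start with
    # "/admin/", so it skips the check, yet normalises to the restricted route.
    if path.startswith("/admin/") and token != VALID_TOKEN:
        return 401, "unauthorized"
    route = posixpath.normpath(path)
    if route == "/admin/ping":
        # Bug 2 (command injection): user input interpolated into a shell command string.
        return 200, _diagnostic(query.get("host", ""), shell=True)
    return 404, "not found"


def hardened_handle(path, query, token=None):
    """Hardened router: normalise first, authenticate on the canonical path, validate input
    against an allowlist, and never hand user data to a shell."""
    route = posixpath.normpath(path)
    if route.startswith("/admin/") and token != VALID_TOKEN:
        return 401, "unauthorized"
    if route == "/admin/ping":
        host = query.get("host", "")
        if not HOST_RE.fullmatch(host):
            return 400, "invalid host"
        return 200, _diagnostic(host, shell=False)
    return 404, "not found"


if __name__ == "__main__":
    # An unauthenticated attacker chains bypass + injection against the vulnerable handler.
    print(vulnerable_handle("/public/../admin/ping", {"host": "x; echo INJECTED"}))
    # The same request against the hardened handler is refused before any command runs.
    print(hardened_handle("/public/../admin/ping", {"host": "x; echo INJECTED"}))
```

The order of operations in the hardened handler is the point: canonicalise the path once, make every access decision on that canonical form, and treat the parameter as data (argv element, allowlisted) rather than as part of a command. Either fix alone would have broken the chain; the vulnerable version gets both wrong.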

The attackers use the exploits to install multiple backdoors that harvest as many credentials as possible from employees and devices on the compromised network and let them move laterally. Despite the use of malware, they rely mostly on the Living off the Land (LotL) approach, abusing legitimate software and built-in tools to avoid detection.

Censys says its evidence suggests the attackers are motivated by espionage, which matches recent reports by Volexity and Mandiant. Volexity attributes the activity to a Chinese state-backed actor it tracks as UTA0178; Mandiant, which tracks the group as UNC5221, says its tradecraft is that of an Advanced Persistent Threat (APT).

US federal agencies have been directed to take measures against exploitation of the vulnerabilities. Ivanti has not yet released patches. Until updates are available, CISA and security companies strongly recommend that affected users follow Ivanti's mitigation and system recovery guidance. According to the company, fixes will be released in stages: the first is targeted for the week of January 22 and the last for the week of February 19.

Mass exploitation began on January 11, the day after Ivanti disclosed the vulnerabilities. The bugs are particularly dangerous because of their impact, the wide deployment of the affected products, and the difficulty of mitigation, especially with no official fix yet available from the vendor.

Detailed descriptions of the malware's behaviour and methods for detecting compromise are given in the Volexity and Mandiant reports. Given the severity of the vulnerabilities and the consequences of exploitation, all users of the affected products should act to mitigate the threat as soon as possible, even if that means temporarily taking the VPN out of service.