The vulnerabilities in Ivanti VPN devices enable remote, unauthenticated hackers to compromise targeted devices, execute arbitrary commands, infiltrate internal networks, and steal sensitive data.
Threat intelligence firm Volexity has discovered a rise in attacks exploiting two Ivanti zero-day vulnerabilities discovered in the second week of December 2023.
According to Volexity, at least 20 organizations using Ivanti Connect Secure VPN appliances have been compromised in cyberattacks leveraging Ivanti zero-day flaws, CVE-2023-46805 and CVE-2024-21887. Volexity has confirmed with “medium confidence” that the number of compromised systems is likely higher than what it discovered.
The flaws, discovered by Volexity researchers, impacted Ivanti Connect Secure VPN and Policy Secure NAS appliances and were disclosed last week by Avanti.
On January 10, Volexity warned that a group UTA0178, supposedly affiliated with China, exploited these vulnerabilities to gain access to internal networks and steal information. On January 11, the company observed a series of targeted attacks on Ivanti VPN appliances, causing widespread exploitation of these flaws.
For your information, CVE-2023-46805 is an authentication bypass flaw with a CVSS rating of 8.2), impacting Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure. The second flaw, CVE-2024-21887, is a command injection vulnerability with a CVSS score of 9.1, impacting Ivanti Connect Secure 9.x, 22.x, and Ivanti Policy Secure.
If exploited, these allow remote, unauthenticated attackers to compromise targeted devices by executing arbitrary commands, infiltrating internal networks, and stealing sensitive data.
Volexity noted that an unknown APT group launched initial attacks on ICS VPN appliances in December 2023, downloading malware tool kits for espionage. Multiple threat actors have since attacked hundreds of appliances and backdoored targets’ systems using a GIFTEDVISITOR webshell variant.
As of January 14, 2023, over 1,700 ICS VPN appliances were compromised, researchers revealed after scanning 50,000 Ivanti VPN-linked IPs. The highest percentage of victims were found in the US and Europe, impacting small-scale businesses to Fortune 500 companies in government, military, telecom, defence, tech, banking, finance, accounting, aerospace, aviation, and engineering sectors.
Mandiant also observed that a suspected state-sponsored threat actor dubbed UNC5221 leveraged these flaws last month to deploy up to five custom malware families. These include the ZIPLINE backdoor, WARPWIRE credential harvester, THINSPOOL shell script dropper, and LIGHTWIRE web shell.
Mandiant noted in its report that threat actors UNC5221 launched “opportunistic attacks” to maintain persistence on high-priority targets that it had compromised “after a patch was inevitably released.”
Ivanti plans to release patches to fix these flaws by January 22, 2024, with final patches expected on February 19, 2024. A workaround is available to prevent exploitation until the patches are released. Organizations using vulnerable products should implement it immediately.
RELATED ARTICLES
- APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
- CACTUS ransomware evades exploits VPN flaws to hack networks
- Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer
- Flashpoint Uncovers 100,000+ Hidden Vulnerabilities, Including Zero-Days
- UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine