China-Backed Hackers Exploit Ivanti VPN Zero-Day Flaws
In a series of coordinated cyberattacks, state-backed hackers have been exploiting critical zero-day vulnerabilities in Ivanti Connect Secure, a widely used VPN appliance. The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have put numerous organizations at risk.
CVE-2023-46805, an authentication bypass flaw, and CVE-2024-21887, a command injection vulnerability, have been exploited to achieve unauthenticated remote code execution on vulnerable systems. This exploitation enables attackers to steal configuration data, modify existing files, download remote files, and create reverse tunnels from the Ivanti VPN appliance.
Cybersecurity firms Mandiant and Volexity have played significant roles in uncovering these security breaches. Volexity detected suspicious activity on a customer’s network in December 2023 and attributed the attack to a hacking group tracked under the alias UTA0178, which is believed to be backed by China. Ivanti has confirmed these reports, stating that the vulnerabilities have been actively exploited in the wild.
Security researcher Kevin Beaumont has dubbed the vulnerabilities "ConnectAround." Although reports indicate that fewer than 10 customers have been directly affected so far, he reported that approximately 15,000 Ivanti appliances worldwide are exposed to the internet, suggesting a potentially larger scale of impact than initially thought.
Ivanti has responded to these threats by announcing a staggered release of patches, starting from the week of January 22 and continuing through mid-February. In the meantime, the company has provided an XML mitigation file that can offer immediate protection against potential threats. However, Ivanti declined to comment on why the patches aren’t immediately available, and did not specify whether any data exfiltration has occurred as a result of the attacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging federal agencies to apply these fixes by January 31, 2024. CISA has also added the vulnerabilities to its Known Exploited Vulnerabilities catalog.
Organizations using Ivanti's VPN product are advised to prioritize applying Ivanti's mitigation file. It is crucial to note, as Volexity points out, that the mitigation does not address past compromises: an appliance that was exploited before the mitigation was applied remains compromised. A thorough analysis of possibly affected networks for any signs of compromise is therefore essential.
The situation is evolving, and further developments are expected as more information becomes available and as Ivanti releases its patches.