Ivanti’s Connect Secure VPN and Policy Secure NAC Appliances Face Mass Exploitation

January 16, 2024

Volexity, a threat intelligence company, has discovered two zero-day vulnerabilities in Ivanti's Connect Secure (ICS) VPN and Policy Secure (IPS) network access control (NAC) appliances, which have been under mass exploitation since December. The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, have been used in widespread attacks since January 11.

The victims of these attacks are diverse, ranging from small businesses to Fortune 500 companies across various industries. Volexity has warned that the attackers have used a variant of the GIFTEDVISITOR webshell to backdoor their targets' systems. This webshell has been found on hundreds of appliances.

As of January 14, 2024, Volexity had identified over 1,700 compromised ICS VPN appliances with the GIFTEDVISITOR webshell. These appliances appear to have been targeted indiscriminately, with victims located all over the world.

The list of victims includes government and military departments, national telecommunications companies, defense contractors, technology companies, banking, finance, and accounting organizations, consulting firms, and aerospace, aviation, and engineering firms.

Ivanti has not yet released patches for these vulnerabilities. In the meantime, administrators are advised to apply mitigation measures provided by Ivanti on all ICS VPNs on their network. They should also run Ivanti's Integrity Checker Tool and consider all data on the ICS VPN appliance as compromised if signs of a breach are found.

Shadowserver, a threat monitoring service, is currently tracking more than 16,800 ICS VPN appliances exposed online, with almost 5,000 located in the United States.

Last week, Ivanti disclosed that attackers can run arbitrary commands on all supported versions of ICS VPN and IPS appliances by successfully chaining the two zero-days. The number of customers impacted by these attacks has escalated, with the suspected Chinese state-backed threat actor (tracked as UTA0178 or UNC5221) now being joined by multiple other attackers.

Mandiant has also revealed that its security experts found five custom malware strains deployed on breached customers' systems, with the end goal of dropping webshells and additional malicious payloads and stealing credentials. The most notable tool used in the attacks is ZIPLINE, a passive backdoor that intercepts incoming network traffic and provides file transfer, reverse shell, tunneling, and proxying capabilities.

Suspected Chinese hacking groups used another ICS zero-day, CVE-2021-22893, two years ago to breach dozens of U.S. and European government, defense, and financial organizations. Last year, two other zero-days (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM) were actively exploited and reported as being used to breach several Norwegian government organizations. A third zero-day flaw (CVE-2023-38035) in Ivanti's Sentry software was used to bypass API authentication on vulnerable devices in limited and targeted attacks.
