Dive Brief:
- Security experts at Volexity are urging organizations with Ivanti Connect Secure VPN appliances to immediately apply the mitigation steps for two zero-days after Volexity identified 1,700 compromised devices worldwide. Additional threat groups are now exploiting the vulnerabilities, Volexity said in research released Monday.
- An initial version of the patch, which is still under development, will be available the week of Jan. 22.
- “Since the Ivanti advisory, we have seen a sharp increase in threat activity and security researcher scans,” Ivanti said in a statement released Tuesday. “We are confident that the mitigation blocks access to vulnerable endpoints and that both the internal and external Integrity Checker Tool will identify mismatched files.”
Dive Insight:
Volexity warned that additional threat groups beyond the original actor, which it tracks as UTA0178, appear to have access to the exploit and are actively working to launch attacks.
Volexity first detected exploitation dating back to early December, which it attributes to a state-linked actor. Google Cloud’s Mandiant found that the group has run an espionage campaign since then, exploiting the chained vulnerabilities and deploying custom malware on compromised appliances. The threat intelligence firm is working with Ivanti to investigate the attacks.
When chained, the authentication bypass vulnerability, CVE-2023-46805, and the command injection vulnerability, CVE-2024-21887, allow an unauthenticated attacker to execute arbitrary commands remotely and take over the appliance.
Volexity warned that the mitigation steps do not remediate prior exploitation, so organizations need to check whether they have already been compromised rather than assume the mitigation alone is sufficient.
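The kind of check the article refers to is a file-integrity comparison: hash what is on the appliance now and compare it against a known-good manifest, flagging modified, missing and unexpected files. The block below is an added illustration of that technique written for this page; it is not Ivanti’s Integrity Checker Tool or any of its code, and the directory layout, file names and file contents it builds are constructed sample data.

```python
"""Constructed illustration of a file-integrity check: hash a directory tree,
compare it against a known-good manifest and report mismatches.
Added example for this page, not Ivanti's Integrity Checker Tool."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def check_integrity(root, known_good):
    """Compare the tree under root against a known-good manifest.

    Returns sorted lists of files whose hash differs, files the manifest
    lists but that are gone, and files on disk the manifest does not know
    about (an added file is the classic sign of a dropped web shell)."""
    current = build_manifest(root)
    modified = sorted(p for p in known_good
                      if p in current and current[p] != known_good[p])
    missing = sorted(p for p in known_good if p not in current)
    unexpected = sorted(p for p in current if p not in known_good)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Build a small constructed tree, snapshot it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files; names and contents are hypothetical.
        files = {
            "bin/auth.py": b"def login(u, p):\n    return check(u, p)\n",
            "bin/api.py": b"def handle(req):\n    return route(req)\n",
            "etc/config.ini": b"[core]\nversion=9.1\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        known_good = build_manifest(root)

        # Simulate post-compromise changes: a patched handler, a dropped
        # file and a deleted file.
        with open(os.path.join(root, "bin/auth.py"), "ab") as f:
            f.write(b"# backdoor: always return True\n")
        with open(os.path.join(root, "bin/shell.py"), "wb") as f:
            f.write(b"import os\n")
        os.remove(os.path.join(root, "etc/config.ini"))

        return check_integrity(root, known_good)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The known-good manifest must come from a trusted source (vendor-published hashes or a snapshot taken before exposure), and the check should run from outside the possibly compromised system where possible, since a tampered host can also tamper with a checker that runs on it.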
The confirmed victims are across the globe and span a wide range of industries, including government agencies, banking, telecom providers, aerospace and technology firms, according to Volexity.
While the attacks were initially of limited scope, on Jan. 12, Volexity researchers began detecting widespread scanning by someone who was familiar with the vulnerabilities.
Researchers from Palo Alto Networks detected more than 30,000 internet-exposed instances as of Jan. 9.