Skip to main content
close search
site logo
Dive Brief

Ivanti Connect Secure exploitation accelerates, 1,700 devices compromised worldwide

Researchers warn additional threat actors are actively working to take advantage of two chained together vulnerabilities.

Published Jan. 17, 2024
David Jones's headshot
Reporter
An image of a digital lock is shown
Just_Super via Getty Images

Dive Brief:

  • Security experts at Volexity are urging organizations with Ivanti Connect Secure VPN appliances to immediately apply mitigation steps to two zero days after it identified 1,700 compromised devices worldwide. Additional threat groups are now exploiting the vulnerabilities, Volexity said in research released Monday.
  • An initial version of the patch, which is still under development, will be available the week of Jan. 22. 
  • “Since the Ivanti advisory, we have seen a sharp increase in threat activity and security researcher scans,” Ivanti said in a statement released Tuesday. “We are confident that the mitigation blocks access to vulnerable endpoints and that both the internal and external Integrity Checker Tool will identify mismatched files.”

Dive Insight:

Volexity warned that additional threat groups beyond the original actor, which it tracks as UTA0178, appear to have access to the exploit, and are actively working to launch attacks. 

Volexity originally detected exploitation dating back to early December, which it attributes to a state-linked actor. The threat group, using custom malware to exploit the chained vulnerabilities, has executed an espionage campaign since early December, Google Cloud’s Mandiant found. The threat intelligence firm is working with Ivanti to investigate the attacks. 

The authentication bypass vulnerability, CVE-2023-46805, and a command injection vulnerability, CVE-2024-21887, allow unauthenticated hackers to execute remote code and take over systems. 

Volexity warned the mitigation steps do not protect against previous exploitation, so organizations need to check to confirm if they have been compromised. 

The confirmed victims are across the globe and span a wide range of industries, including government agencies, banking, telecom providers, aerospace and technology firms, according to Volexity. 

While the attacks were initially of limited scope, on Jan. 12, Volexity researchers began detecting widespread scanning by someone who was familiar with the vulnerabilities. 

Researchers from Palo Alto Networks detected more than 30,000 exposed instances as of Jan. 9.

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell