Dive Brief:
- A patch issued to mitigate vulnerabilities in Ivanti Connect Secure does not eradicate the threat if a malicious actor previously gained access to an organization's network, researchers from Mandiant warned on Tuesday.
- A suspected espionage actor linked to the People's Republic of China has used living-off-the-land techniques and deployed novel malware in an attempt to maintain persistence despite system upgrades, factory resets and patch deployment, according to Mandiant.
- Ivanti released an enhanced external integrity checker tool on Tuesday. The company and Mandiant researchers are urging organizations to run the new tool to confirm whether they are still protected against additional intrusions.
Dive Insight:
Mandiant researchers estimate thousands of devices have been infected by the threat activity, which has impacted multiple industries, including the defense industrial base. The DIB includes thousands of private sector companies that provide equipment and services to the U.S. military.
Ivanti has identified five separate vulnerabilities impacting Ivanti Connect Secure and Ivanti Policy Secure since Jan. 10.
These include the following:
- CVE-2023-46805, an authentication bypass vulnerability with a CVSS score of 8.2
- CVE-2024-21887, a command injection vulnerability with a CVSS score of 9.1
- CVE-2024-21888, a privilege escalation vulnerability with a CVSS score of 8.8
- CVE-2024-21893, an SSRF vulnerability in the SAML component with a CVSS score of 8.2
- CVE-2024-22024, an XXE vulnerability in the SAML component with a CVSS score of 8.3
Mandiant said there's no indication the threat actor is related to Volt Typhoon, a state-linked hacker group that, according to testimony from U.S. officials at a House Select Committee hearing in late January, was behind malicious threat activity designed to disrupt the operations of U.S. critical infrastructure.
However, malware deployed by the threat actor shares some code with malware attributed to a separate threat actor, identified as UNC3886, a state-linked cyber espionage group previously linked to attacks against VMware ESXi hosts, according to Mandiant.
Correction: This story has been updated to clarify that Mandiant has seen threat actors attempt to maintain persistence and that the research firm has seen thousands of devices infected.