Dive Brief:
- Exploitation of two chained vulnerabilities in Ivanti Connect Secure VPN is accelerating, with more than 2,100 systems compromised by the webshell Volexity calls Giftedvisitor, according to a blog post released Thursday by Volexity.
- The suspected state-linked threat actor, which Volexity tracks as UTA0178, was observed manipulating Ivanti's Integrity Checker Tool so that it reported no new or mismatched files, according to Volexity.
- Moody's Investors Service said the attacks are credit negative for Ivanti. The attacks damage the company's reputation and could lead to higher customer attrition and potential litigation, and could weigh on revenue growth.
Dive Insight:
The attackers have chained the authentication bypass vulnerability, tracked as CVE-2023-46805, with the command injection vulnerability, tracked as CVE-2024-21887, which together allow an unauthenticated attacker to run commands on the appliance and maintain persistent access, according to researchers and Ivanti officials.
Volexity first identified the activity, which dates back to early December and included downloading remote files, stealing credentials and other malicious actions.
The Giftedvisitor webshell is not something Volexity has seen before; however, the general technique and idea behind it are quite common, according to Steven Adair, founder and president of Volexity.
“This is quite similar to what was recently done on thousands of [Cisco] IOS XE devices,” Adair said via email. “The webshell allows file uploads and execution.”
The webshell allows a threat actor to gain persistent access on a compromised device, Adair said.
Assetnote researchers also found an additional authentication bypass endpoint affecting older versions of Ivanti Connect Secure.
Ivanti is working closely with Mandiant to respond to the threat activity and is developing an initial patch, which it said will not be available until next week.
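The Integrity Checker manipulation described in the brief above is the reason a suspect appliance should not be verified with a tool that runs on that appliance. The following is an added Python example written for this page; it is not Ivanti's Integrity Checker Tool and not Volexity's code. It hashes a file tree, compares the result with a golden manifest kept off the device, and reports added, modified and removed files, so a dropped server-side script or a patched checker binary shows up regardless of what the on-host tool prints. All paths and file contents are constructed for the demo, and "visitor.cgi" is a hypothetical file name, not the Giftedvisitor webshell's.

```python
"""Out-of-band integrity check against a trusted manifest.

Added, generic illustration for this article; not Ivanti's Integrity Checker
Tool and not Volexity code. An integrity checker that runs on a compromised
appliance can be made to report "no new or mismatched files", so both the
golden manifest and the comparison should live on a system the attacker does
not control. Every path and file body below is constructed for the demo.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    hashes: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


@dataclass
class Verdict:
    """Differences between the trusted manifest and what was observed."""
    added: set[str] = field(default_factory=set)     # not in manifest, e.g. a dropped webshell
    modified: set[str] = field(default_factory=set)  # hash differs from manifest
    removed: set[str] = field(default_factory=set)   # manifest entry missing on disk

    @property
    def clean(self) -> bool:
        return not (self.added or self.modified or self.removed)


def compare(trusted: dict[str, str], observed: dict[str, str]) -> Verdict:
    """Diff an observed snapshot against the trusted manifest.

    `trusted` comes from a known-good build and is stored off the device;
    `observed` is a snapshot taken from an image of the device under review.
    """
    verdict = Verdict()
    for path, digest in observed.items():
        if path not in trusted:
            verdict.added.add(path)
        elif trusted[path] != digest:
            verdict.modified.add(path)
    verdict.removed = set(trusted) - set(observed)
    return verdict


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Verdict:
    """Constructed scenario: golden manifest, then a dropped script and a
    tampered on-host checker. Returns the verdict so it can be asserted on."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "web/index.cgi", b"#!/bin/sh\necho ok\n")
        _write(root, "web/login.cgi", b"#!/bin/sh\necho login\n")
        _write(root, "bin/checker", b"#!/bin/sh\necho 'no mismatched files'\n")
        golden = snapshot(root)  # taken before deployment, kept off the device

        # Simulated attacker activity (hypothetical names): drop a new
        # server-side script and patch the checker so it always exits clean.
        _write(root, "web/visitor.cgi", b"#!/bin/sh\n# hypothetical webshell\n")
        _write(root, "bin/checker", b"#!/bin/sh\nexit 0\n")

        return compare(golden, snapshot(root))


if __name__ == "__main__":
    result = demo()
    if result.clean:
        print("clean")
    else:
        print(f"added={sorted(result.added)} modified={sorted(result.modified)} "
              f"removed={sorted(result.removed)}")
```

In practice the snapshot would be taken from a forensic image or a copy of the appliance filesystem, never by running this on the live device, and the manifest would be generated from vendor-supplied known-good media before the appliance was ever exposed.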