Dive Brief:
- Ivanti Connect Secure devices were exploited and compromised by more threat groups than previously thought, Mandiant said in research released Thursday.
- Post-exploitation activity observed by Mandiant includes lateral movement with the aid of open-source tools and multiple custom malware families.
- Mandiant said it observed “eight distinct clusters involved in the exploitation of one or more of” Ivanti’s vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893; the vendor disclosed the first two on Jan. 10 and the third on Jan. 31. The clusters include five China-linked espionage groups and three financially motivated attackers.
Dive Insight:
Mandiant, which is working with Ivanti and some of its customers on incident response and recovery, released its latest research on Ivanti-linked attacks the day after Ivanti CEO Jeff Abbott publicly pledged to overhaul the company’s internal security practices.
“We are actively collaborating with Mandiant and welcome findings that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat,” an Ivanti spokesperson said via email.
Mandiant’s research shows the Ivanti vulnerabilities attracted more threat groups than previously reported, with the attackers aiming to conduct espionage or steal financial assets. The findings are based on observations Mandiant has made since late February, though the activity itself occurred from mid-January through February.
Suspected China-linked attackers have deepened their command of Ivanti Connect Secure, abusing appliance-specific functionality to achieve their objectives, Mandiant said in the blog post.
Mandiant attributed a cluster of attempted exploits in February to a group it tracks as UNC5291, which it assesses with medium confidence is associated with Volt Typhoon. “Mandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure,” researchers said in the blog.
The China-linked threat group, which targeted a critical vulnerability in Citrix products in December, has intruded into organizations across multiple critical infrastructure sectors in preparation for disruptive attacks.
Another China-linked espionage group, which Mandiant tracks as UNC5221, remains the only group known to have exploited the first pair of Ivanti vulnerabilities starting in early December, a month before the CVEs were disclosed. Three other China-affiliated espionage groups or clusters have exploited Ivanti VPNs or conducted post-exploitation activity, according to Mandiant.
Mandiant researchers said they have also observed indications that financially motivated threat groups have begun exploiting the same pair of initial Ivanti zero-day vulnerabilities. The three financially motivated attackers are likely seeking to enable cryptocurrency-mining operations, Mandiant said.
Mandiant advised Ivanti customers to run both the internal and external versions of the integrity checker tool, which Ivanti released April 3 alongside a patch covering all of the vulnerabilities, including four new CVEs Ivanti disclosed in a blog post on Wednesday.