Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
By Deeba Ahmed, HackRead.com
Another day, another zero-day flaw driving the cybersecurity world crazy.
The vulnerabilities in Ivanti VPN devices enable remote, unauthenticated hackers to compromise targeted devices, execute arbitrary commands, infiltrate internal networks, and steal sensitive data.
Threat intelligence firm Volexity has reported a surge in attacks exploiting two Ivanti zero-day vulnerabilities that it first observed being exploited in the second week of December 2023.
According to Volexity, at least 20 organizations running Ivanti Connect Secure VPN appliances have been compromised in attacks leveraging the zero-day flaws CVE-2023-46805 and CVE-2024-21887. Volexity assesses with "medium confidence" that the number of compromised systems is likely higher than what it has observed so far.
The flaws, discovered by Volexity researchers, affect Ivanti Connect Secure VPN and Ivanti Policy Secure NAC appliances and were disclosed last week by Ivanti.
On January 10, Volexity warned that a group it tracks as UTA0178, suspected to be China-linked, had exploited these vulnerabilities to gain access to internal networks and steal information. On January 11, the company observed a further series of targeted attacks on Ivanti VPN appliances, after which exploitation of the flaws became widespread.
CVE-2023-46805 is an authentication bypass flaw with a CVSS score of 8.2, affecting Ivanti Connect Secure (ICS) 9.x and 22.x and Ivanti Policy Secure. The second flaw, CVE-2024-21887, is a command injection vulnerability with a CVSS score of 9.1, affecting the same Ivanti Connect Secure 9.x and 22.x releases and Ivanti Policy Secure.
Chained together, the two flaws allow a remote, unauthenticated attacker to execute arbitrary commands on the appliance, pivot into the internal network, and steal sensitive data.
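The following Python sketch is an added illustration of why an authentication bypass chained with a command injection ends in unauthenticated remote command execution, and what the corresponding fixes look like. It is not Ivanti's code and not the exploit used in these attacks: the route layout (`/api/v1/public/`, `/api/v1/admin/status`), the `node` parameter, and the use of `echo` in place of a real status command are all assumptions made for the example.

```python
import posixpath
import re
import subprocess

# Hypothetical route layout for the illustration; these are not Ivanti's
# endpoints. Anything under /api/v1/public/ is reachable without a session.
PUBLIC_PREFIXES = ("/api/v1/public/",)
ADMIN_STATUS = "/api/v1/admin/status"
NODE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def authorize_vulnerable(raw_path: str, has_session: bool) -> str:
    """Flaw 1 (auth bypass): the session check looks at the raw URL, but the
    handler is selected on the normalized path, so a '..' segment carries an
    unauthenticated request past the check. Returns handler path or '401'."""
    if not has_session and not raw_path.startswith(PUBLIC_PREFIXES):
        return "401"
    return posixpath.normpath(raw_path)


def authorize_hardened(raw_path: str, has_session: bool) -> str:
    """Reject traversal outright, normalize, and only then decide on the
    path the handler will actually see."""
    if ".." in raw_path.split("/"):
        return "400"
    path = posixpath.normpath(raw_path)
    if not has_session and not path.startswith(PUBLIC_PREFIXES):
        return "401"
    return path


def admin_status_vulnerable(node: str) -> str:
    """Flaw 2 (command injection): a request parameter is pasted into a
    shell command line. 'echo' stands in for the real status command."""
    proc = subprocess.run("echo node=" + node, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def admin_status_hardened(node: str) -> str:
    """Allowlist the parameter and pass it as an argv element, never through
    a shell, so metacharacters cannot start a second command."""
    if not NODE_NAME.fullmatch(node):
        raise ValueError("invalid node name")
    proc = subprocess.run(["echo", "node=" + node],
                          capture_output=True, text=True)
    return proc.stdout


def handle(raw_path: str, node: str, has_session: bool, hardened: bool) -> str:
    """Minimal dispatcher: authorization decision first, then routing to the
    admin handler. Returns the command output or an HTTP-style status."""
    authorize = authorize_hardened if hardened else authorize_vulnerable
    status = admin_status_hardened if hardened else admin_status_vulnerable
    path = authorize(raw_path, has_session)
    if path in ("400", "401"):
        return path
    if path == ADMIN_STATUS:
        try:
            return status(node)
        except ValueError:
            return "400"
    return "404"


if __name__ == "__main__":
    traversal = "/api/v1/public/../admin/status"   # constructed request path
    payload = "x; echo INJECTED"                    # constructed parameter
    # Vulnerable chain: no session, yet a second command runs.
    print(repr(handle(traversal, payload, False, hardened=False)))
    # Hardened: traversal is rejected before any handler is reached.
    print(handle(traversal, payload, False, hardened=True))
```

Each flaw alone is contained (the bypass only reaches endpoints that exist, and the injection requires an authenticated caller); the chain removes both limits at once, which is why a mitigation that blocks only one of the two still matters but is not a substitute for patching both.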
Volexity noted that the initial attacks on ICS VPN appliances in December 2023 were carried out by a then-unidentified APT group that deployed malware toolkits for espionage. Multiple threat actors have since compromised well over a thousand appliances, backdooring victims' systems with a variant of the GIFTEDVISITOR webshell.
As of January 14, 2024, more than 1,700 ICS VPN appliances had been compromised, researchers found after scanning some 50,000 Ivanti VPN-linked IP addresses. Most victims were in the US and Europe, ranging from small businesses to Fortune 500 companies across the government, military, telecom, defence, technology, banking, finance, accounting, aerospace, aviation, and engineering sectors.
Mandiant, meanwhile, observed a suspected state-sponsored threat actor it tracks as UNC5221 exploiting these flaws since early December 2023 to deploy up to five custom malware families, including the ZIPLINE backdoor, the WARPWIRE credential harvester, the THINSPOOL shell-script dropper, and the LIGHTWIRE web shell.
Mandiant noted in its report that UNC5221's activity did not look opportunistic; rather, the group appeared intent on maintaining its presence on a subset of high-priority targets it had compromised "after a patch was inevitably released."
Ivanti plans to release patches on a staggered schedule beginning the week of January 22, 2024, with the final patches expected the week of February 19, 2024. Until then, an interim mitigation is available to prevent exploitation, and organizations running vulnerable products should apply it immediately.