Infoseccers think attackers backed by China are behind Ivanti zero-day exploits

January 11, 2024 at 10:28AM

Chinese nation-state attackers have been exploiting two zero-day vulnerabilities in Ivanti’s security products, particularly affecting Ivanti Connect Secure (ICS) and Policy Secure. The US Cybersecurity and Infrastructure Security Agency (CISA) has advised users to apply the current workaround. Ivanti’s patches for the vulnerabilities are staggered, and organizations are urged to apply the available mitigations. Volexity recommends methods for detecting malicious activity. The attackers, tracked as UTA0178, are suspected to be a nation-state operation based in China, with motives possibly focused on espionage and intellectual property theft.

The article discusses a serious security concern regarding zero-day vulnerabilities in Ivanti’s security products, particularly affecting the VPN service Ivanti Connect Secure (ICS) and the network access control toolkit Policy Secure. These vulnerabilities are actively being exploited by attackers, including a previously unknown group referred to as UTA0178. The attackers are chaining CVE-2023-46805 and CVE-2024-21887 to gain unauthorized access and execute arbitrary commands on affected systems.

Given the severity of the situation, the US Cybersecurity and Infrastructure Security Agency (CISA) has mandated all federal civilian executive branch (FCEB) agencies to apply the patches within three weeks. While Ivanti is working on developing patches, they will be released on a staggered schedule, with the first batch expected to be available the week commencing January 22 and the last batch expected in the week starting February 19. In the meantime, customers are encouraged to apply the available mitigation, which involves importing the mitigation.release.20240107.1.xml file via the customer download portal.

To detect malicious activity, Volexity recommends using network traffic analysis, VPN device log analysis, and Ivanti’s ICT tool. However, the attackers have been observed deleting logs, making it challenging to detect potential compromises solely through VPN device log analysis.
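The caveat above is the practical one for defenders: if an attacker has wiped or truncated the appliance's logs, the evidence is often the hole itself rather than any single suspicious line. The following is an added illustration of that idea and is not Volexity's or Ivanti's tooling; the log layout (ISO timestamp, host, source, message) and the sample lines are constructed for the example and are not Ivanti's real format. It flags silent windows longer than the device's normal heartbeat cadence and timestamps that run backwards, both of which deserve corroboration against an independent source such as network flow records, which is why the recommendation pairs log review with traffic analysis.

```python
"""Log-continuity check for a VPN appliance log stream.

Added example (not vendor or researcher code). Assumes a generic
syslog-like line: "<ISO-8601 UTC timestamp> <host> <source>: <message>".
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: a heartbeat roughly every minute, then a ~4 hour hole,
# then lines resume, and one line whose timestamp is earlier than the one
# before it (as happens when a log file is spliced or partially restored).
SAMPLE_LOG = """\
2024-01-10T08:00:00Z vpn01 system: heartbeat ok
2024-01-10T08:01:00Z vpn01 system: heartbeat ok
2024-01-10T08:02:00Z vpn01 auth: user alice login ok
2024-01-10T08:03:00Z vpn01 system: heartbeat ok
2024-01-10T12:10:00Z vpn01 system: heartbeat ok
2024-01-10T12:11:00Z vpn01 system: heartbeat ok
2024-01-10T12:05:00Z vpn01 system: heartbeat ok
"""


def parse_timestamps(text: str) -> List[datetime]:
    """Extract the leading timestamp of each non-empty line, in file order."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first_field = line.split(" ", 1)[0]
        stamps.append(datetime.strptime(first_field, "%Y-%m-%dT%H:%M:%SZ"))
    return stamps


def find_gaps(stamps: List[datetime], max_silence: timedelta
              ) -> List[Tuple[datetime, datetime, timedelta]]:
    """Return (before, after, duration) for every silent window longer than
    max_silence. A device that normally logs every minute should not go
    quiet for hours unless it was offline or its logs were removed."""
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        delta = cur - prev
        if delta > max_silence:
            gaps.append((prev, cur, delta))
    return gaps


def find_time_regressions(stamps: List[datetime]
                          ) -> List[Tuple[datetime, datetime]]:
    """Return (before, after) pairs where time moves backwards. Appliance
    logs are append-only, so this points to tampering or a rebuilt file."""
    return [(prev, cur) for prev, cur in zip(stamps, stamps[1:]) if cur < prev]


def analyze_log(text: str, max_silence_minutes: int = 5) -> Dict:
    """Run both checks and return a JSON-friendly summary."""
    stamps = parse_timestamps(text)
    gaps = find_gaps(stamps, timedelta(minutes=max_silence_minutes))
    regressions = find_time_regressions(stamps)
    return {
        "lines": len(stamps),
        "gaps": [(p.isoformat(), c.isoformat(), int(d.total_seconds()))
                 for p, c, d in gaps],
        "regressions": [(p.isoformat(), c.isoformat()) for p, c in regressions],
    }


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for before, after, seconds in result["gaps"]:
        print(f"silent window: {before} -> {after} ({seconds // 60} min)")
    for before, after in result["regressions"]:
        print(f"timestamp regression: {before} -> {after}")
```

The heartbeat threshold (`max_silence_minutes`) should be set from a baseline of the device's own quiet periods, and a flagged window is a lead, not a verdict: the next step is to check whether network flow or proxy records show the appliance still talking during the gap.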

The attackers’ motive remains unclear, but UTA0178 is believed to be a nation-state operation based in China. It’s speculated that the primary goal of the attacks is reconnaissance and exploration, potentially linked to espionage and intellectual property theft.

Overall, this situation is of critical importance, and it is essential for users and administrators of the affected Ivanti products to apply the recommended patches and mitigation strategies to prevent potential exploitation by attackers.
