January 19, 2024 at 06:12AM
The US security agency CISA warns of increasing exploitation of two Ivanti Connect Secure VPN vulnerabilities by a Chinese cyberespionage group, which has compromised over 2,100 devices belonging to various organizations. A separate Ivanti product flaw is also being exploited. Patches have been released with mitigations, but widespread exploitation continues, including attempts to bypass the Integrity Checker Tool Ivanti ships with its products.
The key takeaways are:
– There is an increasing number of Ivanti Connect Secure VPN appliances compromised due to the exploitation of two recently disclosed vulnerabilities, with over 2,100 devices reported as compromised.
– The compromised appliances are primarily from government, military, defense, telecoms, tech, financial, consulting, engineering, aerospace, and aviation organizations, including Fortune 500 companies in the US and Europe.
– Various threat groups, including profit-driven cybercriminals, are exploiting the vulnerabilities to deploy malware and cryptocurrency miners.
– A cyberespionage group linked to China (UTA0178) was observed exploiting two Ivanti VPN zero-day vulnerabilities.
– Ivanti has released mitigations for the vulnerabilities, with patches expected to be available next week.
– Evidence suggests that the Chinese threat group has taken measures to maintain access to high-value systems even after Ivanti’s patches have been released.
– The threat actor has also attempted to bypass the Integrity Checker Tool that Ivanti ships with its products.
– A new authentication bypass bug affecting Ivanti’s Endpoint Manager Mobile (EPMM) product (CVE-2023-35082) has been added to CISA’s known exploited vulnerabilities catalog.
These takeaways summarize the current state of Ivanti vulnerability exploitation and the actions being taken to address it.