January 12, 2024 at 10:36AM
Hackers have been exploiting two zero-day vulnerabilities in Ivanti Connect Secure since early December, deploying multiple malware families for espionage. The vulnerabilities, CVE-2023-46805 and CVE-2024-21887, bypass authentication and inject arbitrary commands. Attackers targeted a small number of Ivanti customers. The threat actor, tracked as UNC5221, used various custom malware and compromised VPN appliances for continued access. No attribution to any known threat groups was made. Admins should implement Ivanti’s provided mitigations immediately.
From the meeting notes, it is clear that there has been exploitation of two zero-day vulnerabilities in Ivanti Connect Secure. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, allow attackers to bypass authentication and inject arbitrary commands on vulnerable systems. The threat actor behind the attacks, tracked as UNC5221, has been engaged in espionage and has been deploying multiple families of custom malware for these purposes. A report from Mandiant revealed the tools used in the attacks, including custom malware such as Zipline Passive Backdoor, Thinspool Dropper, Wirefire web shell, and others.
It is concerning that the threat monitoring service Shadowserver has detected 17,100 Ivanti CS appliances on the public web, with a large number of them in the United States. However, it is unclear how many of these are vulnerable. Additionally, Mandiant found that the attackers used compromised Cyberoam VPN appliances as command and control (C2) servers to evade detection.
Although it has been suggested that Chinese state-sponsored threat actors may be involved, the origin or affiliation of the threat actor UNC5221 remains unconfirmed. Despite this, the threat actor’s use of custom malware indicates an intention to maintain access to high-priority targets even after a patch becomes available.
It is important for system administrators to note that there is currently no security update addressing the zero-day vulnerabilities, but Ivanti provides mitigations that should be implemented immediately to protect vulnerable systems.