Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families

January 12, 2024 at 09:18AM

Suspected nation-state actors exploited two zero-day vulnerabilities in Ivanti Connect Secure VPN, deploying multiple malware families to gain backdoor access to the appliances. The attacks, attributed to a Chinese espionage actor, affected fewer than 10 customers and are believed to be highly targeted. Patches are anticipated on January 22. Mandiant tracks the threat actor as UNC5221.

Key takeaways:

1. A series of sophisticated cyber attacks was identified, targeting Ivanti Connect Secure (ICS) VPN appliances.
2. As many as five different malware families, including web shells, credential stealers, and backdoors, were used by the threat actors to gain unauthorized access and maintain a persistent presence.
3. The attacks chained two zero-day vulnerabilities: an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887).
4. The threat actor, tracked as UNC5221, is assessed to be conducting sophisticated and persistent espionage, with a focus on retaining access to high-priority targets even after the forthcoming patches are released.
5. The attacks appear highly targeted, affecting fewer than 10 customers.
6. Patches for the vulnerabilities, informally nicknamed ConnectAround, are expected to become available in the week of January 22.

These takeaways highlight the severity and sophistication of the cyber attacks and the need for immediate action to address the vulnerabilities and mitigate potential risks.