Number of orgs compromised via Ivanti VPN zero-days grows as Mandiant weighs in

January 12, 2024 at 09:25PM

Mandiant’s threat intelligence team has published analysis of two zero-day bugs in Ivanti’s VPN appliances that were under attack by suspected cyberspies as early as December 2023. Ivanti has disclosed the vulnerabilities and is working on rolling out patches while urging customers to deploy the interim mitigation immediately. The situation is particularly concerning because the two flaws, chained together, give an attacker unauthenticated remote code execution on the appliance.

Key takeaways from the article:
– Two zero-day bugs in Ivanti Connect Secure and Ivanti Policy Secure gateways were exploited by cyberspies as early as December 2023, compromising devices and giving the attackers a foothold from which to reach victims’ internal networks.
– The vulnerabilities are an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887); neither requires credentials once chained, which is what makes unauthenticated remote code execution possible.
– Ivanti plans to release patches for the flaws on a staggered schedule starting the week of January 22 and is urging customers to apply the interim mitigation immediately rather than wait for the patches.
– The number of impacted customers is increasing, and more organizations are expected to discover compromise as they run Ivanti’s Integrity Checker Tool against their appliances.
– Mandiant and Ivanti are collaborating on the response; Mandiant has attributed the in-the-wild exploitation to a suspected espionage group it tracks as UNC5221.
– The attackers primarily used hijacked Cyberoam VPN appliances as command-and-control servers. There are indications of a China link, but attribution remains unclear.
– The threat actors deployed several custom malware families to maintain persistence and evade detection, including Zipline (a passive backdoor), Thinspool (a shell-script dropper), Wirefire (a web shell) and Warpwire (a credential harvester injected into the login page).
– Mandiant has shared indicators of compromise and has emphasized the importance of applying the mitigation promptly and checking appliances for signs of compromise rather than assuming they are clean.

