Ivanti Connect Secure zero-days now under mass exploitation

January 15, 2024 at 08:07PM

Volexity discovered mass exploitation of two zero-day vulnerabilities affecting Ivanti’s Connect Secure VPN and Policy Secure NAC appliances. The attacks by multiple threat groups have targeted organizations worldwide, including Fortune 500 companies and government departments. Mitigation measures and a list of malicious tools used in the attacks have been provided.

Key takeaways from the article:

– Two zero-day vulnerabilities affecting Ivanti’s Connect Secure (ICS) VPN and Policy Secure network access control (NAC) appliances have been exploited by multiple threat groups since January 11.
– Victims of the attacks are globally distributed and span organizations of various sizes and industries, including government and military departments, national telecommunications companies, defense contractors, technology companies, banking and finance organizations, consulting firms, and aerospace and engineering firms.
– More than 1,700 ICS VPN appliances have been compromised with a webshell variant called GIFTEDVISITOR, and over 16,800 ICS VPN appliances are exposed online.
– Ivanti has not yet released patches for the zero-day vulnerabilities; admins are advised to apply the vendor-provided mitigation measures, run Ivanti’s Integrity Checker Tool, and treat all data on an ICS VPN appliance as compromised if signs of a breach are found.
– Multiple state-backed threat actors are involved in the attacks, with Mandiant identifying five custom malware strains deployed on breached systems.
– The list of tools used in the attacks includes ZIPLINE, Thinspool Dropper, Wirefire web shell, Lightwire web shell, Warpwire harvester, PySoxy tunneler, BusyBox, and Thinspool utility.

These takeaways highlight the severity of the situation and the urgent need for organizations to take mitigation actions to protect their systems from these actively exploited vulnerabilities and attacks.
