January 16, 2024 at 05:36AM
Volexity has observed widespread exploitation of two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances by threat actors, including the group UTA0178. These vulnerabilities allow attackers to execute arbitrary commands and compromise internal networks. While the attacks were initially targeted, they have now become widespread, affecting organizations globally, particularly in the United States and Europe. Additional threat actors and malware families have also been identified in these attacks. Mitigations are available, but patches are expected to be released later this month.
According to the meeting notes, there is widespread exploitation of the recently disclosed Ivanti Connect Secure VPN appliance vulnerabilities by threat actors, particularly by a group tracked as UTA0178, which is likely linked to China. These threat actors have been exploiting two zero-day vulnerabilities, an authentication bypass flaw and a command injection issue, to gain access to internal networks and steal information. The compromised devices belong to organizations in sectors including government, military, telecoms, defense, tech, and finance. The actual number of compromised systems is likely higher than the number found through scanning. Mitigations for these vulnerabilities were made available on January 10, but patches are expected to become available starting the week of January 22. Mandiant has also identified five malware families deployed by the attackers and observed indications that they had taken steps to maintain access to high-value systems even after the release of patches.