Malicious hackers have begun mass exploiting two critical zero-day vulnerabilities in Ivanti’s widely used enterprise VPN appliance.
That’s according to cybersecurity firm Volexity, which first reported last week that Chinese-backed hackers were exploiting the two unpatched flaws in Ivanti Connect Secure — tracked as CVE-2023-46805 and CVE-2024-21887 — break into customer networks and steal information. At the time, Ivanti said it knew of “fewer than 10 customers” affected by the zero-day flaws, which were described as such since Ivanti didn’t have time to fix the flaws before they were exploited.
In an updated blog post published on MondayVolexity says it now has evidence of mass exploitation.
According to Volexity, more than 1,700 Ivanti Connect Secure devices worldwide have been deployed so far, impacting organizations in the aerospace, banking, defense, government and telecommunications industries.
“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including many Fortune 500 companies across multiple industries,” Volexity said. The security firm’s researchers added that Ivanti VPN devices were “indiscriminately targeted,” with corporate victims around the world.
But Volexity notes that the number of compromised organizations is likely to be much higher. Shadowserver Foundation non-profit security threat detector has data showing more than 17,000 Ivanti VPN devices visible online worldwide, including more than 5,000 devices in the United States.
Ivanti confirmed in its updated opinion on Tuesday that its own findings are “consistent” with Volexity’s new observations, and that the massive breaches appear to have started on January 11, a day after Ivanti’s vulnerabilities were disclosed. In a statement provided through PR agency MikeWorldWide, Ivanti told TechCrunch that it had “seen a spike in threat actor activity and security researcher scans.”
When reached Tuesday, Volexity spokeswoman Kristel Faris told TechCrunch that the security firm is in contact with Ivanti, which is “responding to an increase in support requests as quickly as possible.”
Despite the massive exploit, Ivanti has yet to release patches. Ivanti said it plans to release fixes on an “incremental” basis starting the week of January 22. Meanwhile, Administrators are advised to implement mitigation measures provided by Ivanti to all affected VPN devices on their network. Ivanti recommends that administrators reset passwords and API keys and revoke and reissue any certificates stored on the affected devices.
No ransomware… yet
Volexity initially attributed the exploit of the two Ivanti zero-days to a Chinese-backed hacking group that goes by the name UTA0178. Volexity said it had evidence of an exploit as early as December 3.
Mandiant, where it is also monitors the exploitation of Ivanti vulnerabilitiessaid it has not linked the exploit to a previously known hacking group, but said its findings — combined with Volexity — lead Mandiant to attribute the hacks to “an espionage-motivated APT campaign,” suggesting involvement with its support government.
Volexity he said this week that he has seen additional hacking groups — specifically one he calls UTA0188 — exploiting the flaws to compromise vulnerable devices, but declined to share additional details about the group — or their motivations — when asked by TechCrunch.
Volexity told TechCrunch that it has seen no evidence that ransomware is involved in the mass attacks at this point. “However, we fully expect this to happen if the proof-of-concept code is made public,” Faris added.
Security researchers have has already pointed out the existence of proof-of-concept code able to take advantage of Ivanti’s zero days.
