The US National Security Agency has confirmed that hackers exploiting flaws in Ivanti’s widely used enterprise VPN appliance have targeted organizations across the US defense sector.
NSA spokesman Edward Bennett confirmed in a statement emailed to TechCrunch on Friday that the US intelligence agency, along with its interagency counterparts, “are monitoring and aware of the broad impact from the recent exploitation of Ivanti products. [sic] The defense sector of the USA”.
“The [NSA’s] Cybersecurity Collaboration Center continues to work with our partners to identify and mitigate this activity,” the spokesperson added.
Confirmation that the NSA is monitoring these cyberattacks comes days after Mandiant reported that suspected Chinese espionage hackers made “massive efforts” to exploit multiple vulnerabilities affecting Ivanti Connect Secure, the popular VPN remote access software used by thousands of companies and large organizations worldwide.
Mandiant said earlier this week that China-backed hackers, tracked as a threat group it calls UNC5325, had targeted organizations across industries. That includes the U.S. Defense Industrial Base sector, a global network of thousands of private sector organizations that provide equipment and services to the U.S. military, Mandiant said, citing previous findings by security company Volexity.
In its analysis, Mandiant said UNC5325 demonstrates “significant knowledge” of the Ivanti Connect Secure device and has used living-off-the-land techniques – the use of legitimate tools and features already found on the targeted system – to better evade detection. The China-backed hackers have also developed new malware “to remain embedded in Ivanti devices, even after factory resets, system upgrades and patches.”
That was reiterated in an advisory published by the US cybersecurity agency CISA on Thursday, which warned that hackers exploiting vulnerable Ivanti VPN devices may be able to maintain root-level persistence even after a factory reset is performed. The federal cybersecurity agency said its own independent testing showed that successful attackers are capable of tricking Ivanti’s Integrity Checker Tool, which can lead to a “compromise detection failure.”
In response, Ivanti’s field CISO Mike Riemer played down CISA’s findings, telling TechCrunch that Ivanti doesn’t believe CISA’s tests would work against a live customer environment. Riemer added that Ivanti “is not aware of any successful persistence of the threat agent after applying Ivanti’s recommended security updates and factory resets.”
It remains unknown exactly how many Ivanti customers are affected by the widespread exploitation of the Connect Secure vulnerabilities, which began in January.
Akamai said in an analysis published last week that hackers were launching approximately 250,000 exploit attempts each day and had targeted more than 1,000 customers.