Ivanti VPN Vulnerabilities Seeing ‘Mass Exploitation:’ Researchers

Volexity researchers who first discovered flaws affecting widely used Ivanti VPN devices now say the vulnerabilities are seeing widespread exploitation by multiple threat actors.

In its own update, Ivanti said its findings about attacks against Connect Secure VPN customers are consistent with those of researchers at Volexity.

[Related: 10 Major Cyberattacks And Data Breaches In 2023]

The zero-day vulnerabilities were disclosed by Ivanti on Jan. 10 and do not have patches available. Ivanti has provided mitigation measures for the vulnerabilities.

“We strongly advise all customers to apply the mitigation immediately,” Ivanti said in a statement provided to CRN Tuesday.

The vulnerabilities can be used to enable unauthenticated remote execution of code on affected Connect Secure VPN devices, according to Volexity researchers, who uncovered the flaws in December.

In a new post Monday, Volexity’s research team said it has found evidence suggesting more than 1,700 Ivanti Connect Secure VPN devices have been compromised so far.

The “evidence of mass exploitation” shows that victims are “globally distributed and vary greatly in size,” the researchers wrote.

Victims range “from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” Volexity’s research team wrote in the post.

That’s a substantial increase from Ivanti’s most recent findings, disclosed late last week, of “less than 20” impacted customers.

The attacks are coming from a nation-state threat actor Volexity tracks as UTA0178—which is believed to be working on behalf of China’s government—as well as other threat actors, the researchers said.

“Additional attackers beyond UTA0178 appear to have access to the exploit,” Volexity researchers wrote in the post.

In the latest Ivanti post, the company said it has “confirmed additional customers who were exploited” following its initial advisory last week.

“Based on our ongoing collaboration, we believe this is consistent with Veloxity’s newly released observations,” Ivanti wrote in the post, linking to the Veloxity post from Monday.

Ivanti, a provider of IT and security software, acquired the technology behind its Connect Secure VPN with the acquisition of Pulse Secure in 2020.

‘Sharp Increase’

Ivanti said in a statement Tuesday that since its initial advisory, “we have seen a sharp increase in threat actor activity and security researcher scans.”

“We are confident that the mitigation blocks access to vulnerable endpoints and that both the internal and external Integrity Checker Tool will identify mismatched files,” the company said in the statement provided to CRN.

Ivanti has said the first patches won’t be available until the week of Jan. 22. Patches will be released on a staggered schedule running through mid-February, the company said.

The authentication bypass vulnerability (tracked at CVE-2023-46805) has been awarded a severity score of 8.2 out of 10.0, while the command injection vulnerability (CVE-2024-21887) has been awarded a severity score of 9.1 out of 10.0.

The vulnerabilities can be used together by threat actors to target customers of its Connect Secure VPN, Ivanti has said. When used in this way, “exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” the company said.

The vulnerabilities “impact all supported versions” of Connect Secure, Ivanti said. The flaws also impact Ivanti’s Policy Secure gateway, the company said.

Researchers at Google Cloud-owned Mandiant reported last week that exploitation of the Ivanti VPN vulnerabilities began in December, confirming earlier findings on the timing of the attacks by Volexity researchers.

Mandiant researchers have “identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor,” they wrote.

Leave a Reply

Your email address will not be published. Required fields are marked *