Over 1,700 Ivanti Connect Secure VPN devices worldwide have been compromised by attackers exploiting two zero-days with no patches currently available.
Both Volexity and Ivanti revealed on January 10 that unknown attackers have been leveraging exploits for CVE-2023-46805 and CVE-2024-21887 to breach organizations and ultimately place webshells on their internal and external-facing web servers.
The attacks have been going on since early December.
Organizations using Ivanti Connect Secure VPN devices were advised to implement temporary mitigations as soon as possible, check for evidence of compromise, and to boot attackers out of their systems in case they had been breached.
Mandiant incident responders shared indicators of compromise for the custom malware used by the threat actors, whom Volexity tracks as UTA0178 and believes to be China-sponsored hackers engaged in cyber espionage.
Volexity says that soon after they went public with the information, they began to detect evidence of widespread scanning by someone apparently familiar with the vulnerabilities, as well as receiving reports from multiple organizations that noticed their devices had been compromised on January 11, 2024.
Those devices had been backdoored with a variant of the GIFTEDVISITOR webshell used in previously detected incidents.
The company then developed a new method of scanning for evidence of this webshell on Ivanti Connect Secure VPN appliances, and scanned roughly 30,000 ICS IP addresses.
Organizations that use Ivanti Connect Secure VPN devices and Ivanti's Policy Secure NAC solution are still urged to implement the provided mitigation until patches are made available.
The company has provided a guide for responding to discovered compromise.
Ivanti has also published up-to-date recovery guidance.
Rapid7 has released a thorough technical analysis of how the two vulnerabilities can be exploited.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 16 Jan 2024 15:58:05 +0000