Two critical Ivanti vulnerabilities that remain unpatched are being widely exploited just five days following public disclosure.
In a security advisory Wednesday, Ivanti urged users and administrators to mitigate two zero-day vulnerabilities that affect Ivanti Policy Secure and Ivanti Connect Secure.
The advisory noted that the first round of patches would not be available until Jan. 22, with the second beginning on Feb. 19, but exploitation had already begun.
Volexity, which reported the flaws to Ivanti, detected exploitation connected to a Chinese nation-state threat actor it tracks as UTA0178.
Ivanti confirmed that fewer than 10 customers were compromised as of Jan. 11.
Volexity published a blog post Monday that revealed exploitation has quickly become widespread, with the threat extending beyond UTA0178.
Affected customers range from small businesses to Fortune 500 companies and include global government and military departments, national telecommunications companies and defense contractors, according to Volexity.
Additional sectors include technology, finance and aerospace.
Volexity, as well as Mandiant, tracked the earliest exploitation of CVE-2024-21887 and CVE-2023-46805 to early December.
At the time of disclosure, exploitation was limited to a small number of organizations, the company said.
While it was difficult to determine whether the activity originated from an attacker or a security researcher, multiple organizations reported suspicious Ivanti Connect Secure (ICS) VPN logs to Volexity on the same day.
Investigations confirmed what Volexity and Mandiant discovered last week: attackers deployed backdoor malware to maintain access even after patches are released.
Log analysis revealed that other attackers have attempted to exploit vulnerable devices as well, including a different threat actor tracked as UTA0188.
No public information was disclosed about the threat actor, but Volexity said it shared threat intelligence with its customers.
In addition to monitoring its customers for exploitation, Volexity also developed a scanning tool to search for signs of compromised devices.
Volexity also warned that exploitation likely extends beyond the 1,700 devices it detected.
Its scanning capabilities did not work for organizations that were taken offline or had deployed Ivanti's mitigations, which included several recommendations.
For example, after observing threat actors attempting to manipulate its internal Integrity Checker Tool (ICT), Ivanti added a new feature and advised customers to run the external ICT.
Ivanti confirmed that it observed a sharp increase in threat activity and security researcher scans related to the vulnerabilities since Wednesday.
Arielle Waldman is a Boston-based reporter covering enterprise security news.
This Cyber News was published on www.techtarget.com. Publication date: Tue, 16 Jan 2024 20:13:05 +0000