Ivanti has finally begun patching a pair of zero-day security vulnerabilities disclosed on Jan. 10 in its Connect Secure VPN appliances.
It also announced two additional bugs today in the platform, CVE-2024-21888 and CVE-2024-21893 - the latter of which is also under active exploitation in the wild.
Ivanti has released its first round of patches for the original set of zero-days but only for some versions; additional fixes will roll out on a staggered schedule in the coming weeks, the company said in its updated advisory today.
In the meantime, Ivanti has provided a mitigation that unpatched organizations should apply immediately to avoid falling victim to mass exploitation by Chinese state-sponsored actors and financially motivated cybercriminals alike.
According to Mandiant, a China-backed advanced persistent threat it calls UNC5221 has been behind reams of exploitations going back to early December.
Activity in general has ramped up considerably since CVE-2024-21888 and CVE-2024-21893 were made public earlier in January.
A variant of the LightWire Web shell that inserts itself into a legitimate component of the VPN gateway, now featuring a different obfuscation routine.
ZipLine, a passive backdoor used by UNC5221 that uses a custom, encrypted protocol to establish communications with command-and-control.
Its functions include file upload and download, reverse shell, proxy server, and a tunneling server.
New variants of the WarpWire credential-theft malware, which steals plaintext passwords and usernames for exfiltration to a hard-coded C2 server.
Mandiant does not attribute all of the variants to UNC5221.
Multiple open source tools to support post-exploitation activities like internal network reconnaissance, lateral movement, and data exfiltration within a limited number of victim environments.
Ivanti and CISA released updated mitigation guidance yesterday that organizations should apply.
Two Fresh High-Severity Zero-Day Bugs

In addition to rolling out patches for the three-week-old bugs, Ivanti also added fixes for two new CVEs to the same advisory.
CVE-2024-21888: A privilege escalation vulnerability in the Web component of Ivanti Connect Secure and Ivanti Policy Secure, allowing cyberattackers to gain administrator privileges.
Researchers also warn that the result of a compromise can be dangerous for organizations.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 31 Jan 2024 20:35:18 +0000