Global Networks Under Threat as Hackers Exploit Ivanti VPN Vulnerabilities
A coordinated cyber attack is currently exploiting critical vulnerabilities in virtual private network (VPN) appliances manufactured by Ivanti. Security researchers have raised alarms over the mass exploitation, which is suspected to be orchestrated by hackers linked to the Chinese government.
Extent of the Ivanti VPN Exploit
As reported by security firm Censys, out of 26,000 Ivanti VPN devices exposed to the Internet, 492 remain infected as of Tuesday morning. The United States hosts the majority of these compromised VPNs, with 121 devices affected. Germany, South Korea, and China follow, with 26, 24, and 21 infected devices, respectively. Microsoft’s cloud service tops the list of hosting environments for these infected devices, followed by Amazon and Comcast.
The Motive Behind the Attacks
Censys researchers, in their analysis, indicate that espionage is the likely motive behind these cyber attacks. This aligns with recent findings from other security firms like Volexity and Mandiant. Volexity researchers have identified the threat actor, referred to as UTA0178, as a probable Chinese nation-state-level actor. Similarly, Mandiant’s research, identifying the group as UNC5221, suggests the attacks are part of a broader espionage-motivated campaign.
Government and Industry Response
In response to these threats, all civilian governmental agencies have been mandated to take corrective actions. The Cybersecurity and Infrastructure Security Agency (CISA) set a deadline for Federal Civilian Executive Branch agencies to comply with these directives. Meanwhile, Ivanti, the VPN manufacturer, has not yet released patches for these vulnerabilities. In the interim, Ivanti, along with CISA and security companies, is advising affected users to implement mitigation and recovery guidance. This includes measures to block exploitation and steps to rebuild and upgrade systems if exploitation is detected.
The Severity of the Threat
The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, allow attackers to execute code remotely on servers. All supported versions of Ivanti Connect Secure, formerly known as Pulse Secure, are susceptible. The ongoing attacks install malware that acts as a backdoor, enabling hackers to harvest credentials and explore the infected network. The attackers are primarily using a tactic known as “living off the land,” leveraging legitimate software and tools to evade detection.
Expert Advice and Mitigation Steps
Security experts emphasize the critical nature of these vulnerabilities and urge all users of affected Ivanti products to prioritize mitigation. This may necessitate temporarily suspending VPN services. Security firms Volexity and Mandiant have published extensive reports detailing the malware's behavior and the methods available for detecting it.
Conclusion
The mass exploitation of Ivanti VPNs poses a significant threat to global networks, highlighting the need for immediate and effective cybersecurity measures. With the absence of an official patch from Ivanti, organizations are advised to follow the issued guidelines to protect their networks and prevent further intrusions.