Global Networks Under Threat as Ivanti VPNs Exploited by Suspected Chinese State Hackers
Security experts have sounded the alarm over an ongoing mass exploitation of critical vulnerabilities affecting Ivanti virtual private network (VPN) appliances, with hackers believed to be associated with the Chinese government gaining full control over these devices. As of Tuesday, Censys, a cybersecurity firm, identified 492 infected Ivanti VPNs among 26,000 exposed devices worldwide. The United States had the highest concentration of compromised VPNs, with 121 affected systems, followed by Germany (26), South Korea (24), and China (21).
The hosting providers with the largest share of infected devices were Microsoft’s cloud (13), Amazon’s cloud environments (12) and Comcast (10); no single provider accounted for a majority.
A follow-up Censys scan found 412 unique hosts carrying the backdoor and 22 distinct “variants” of it, each with its own callback method, which suggests either several attackers working independently or a single actor evolving its tooling as it goes.
The evidence points to espionage as the motive, consistent with reporting from Volexity and Mandiant. Volexity tracks the actor as UTA0178 and Mandiant as UNC5221; both assess it as an espionage-motivated advanced persistent threat (APT) group.
To contain the threat, CISA has issued an emergency directive ordering Federal Civilian Executive Branch agencies to apply Ivanti’s mitigations by a deadline set in the directive, even though Ivanti has yet to release patches for the vulnerabilities. Until patches ship, Ivanti, CISA and the security firms involved advise all affected users to follow Ivanti’s mitigation and recovery guidance: import the interim mitigation (distributed as an XML configuration file) to block exploitation on unpatched appliances, run Ivanti’s Integrity Checker Tool to look for signs of compromise, and, if exploitation is detected, rebuild the appliance from a clean image and reset the credentials it held. One caveat practitioners should note: the mitigation only blocks new exploitation, it does not remove an implant that is already present, so a device that was exposed before the mitigation was applied still needs to be checked.
The severity of these vulnerabilities, the number of exposed appliances and the absence of an official patch have raised concern across the cybersecurity community. Ivanti first disclosed the vulnerabilities on January 10 and promised to release patches in stages starting this week, but it has made no public statement since then confirming that schedule.
VPN appliances are a prime target because they are always on, sit at the network edge and must accept connections from the internet by design. Once one is compromised, attackers can use it as a foothold to move further into the network, potentially leading to widespread infiltration. The exploited vulnerabilities, tracked as CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), can be chained for unauthenticated remote code execution on the appliance, and they affect all supported versions of Ivanti Connect Secure (ICS, formerly Pulse Connect Secure) and Ivanti Policy Secure.
Attackers use the exploit chain to install web shells and other backdoor malware on the appliance, then use that access to harvest credentials from employees and devices on the compromised network. Beyond the initial implant, the attackers rely heavily on a tactic called “living off the land,” using legitimate software and built-in tools already on the network so that their activity blends in and evades detection.
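The two bug classes named above, an authentication bypass and a command injection against a web front end, leave generic traces in request logs: path-traversal sequences (often URL-encoded, sometimes doubly so) in request paths, and shell metacharacters inside parameter values. The following Python script is an added example, not code from the article, Ivanti, Censys, Volexity or Mandiant, and it is not a signature for these specific CVEs. It triages a constructed sample of web access logs in common log format (the request paths and IP addresses are hypothetical, and real Ivanti appliance logs use a different layout) and reports which sources tripped which rule, so a defender can decide which appliances to check with the vendor's integrity tooling and which to treat as compromised:

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in common log format. These are NOT Ivanti appliance
# logs; the paths and addresses are hypothetical. Lines 3-5 model a source
# probing with traversal (plain, encoded, double-encoded) and a ';'-separated
# command in a parameter; lines 1, 2 and 6 are benign controls.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2024:10:01:05 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.23 - - [16/Jan/2024:10:02:11 +0000] "GET /api/public/../../admin/status HTTP/1.1" 200 233
198.51.100.23 - - [16/Jan/2024:10:02:14 +0000] "GET /api/public/..%2F..%2Fadmin/status HTTP/1.1" 200 233
198.51.100.23 - - [16/Jan/2024:10:02:20 +0000] "GET /api/public/..%252F..%252Fadmin/tools?host=127.0.0.1;id HTTP/1.1" 200 88
192.0.2.9 - - [16/Jan/2024:10:03:00 +0000] "GET /api/public/status?host=10.0.0.5 HTTP/1.1" 200 233
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# A ".." path segment bounded by separators (or the string ends).
TRAVERSAL_RE = re.compile(r'(?:^|/|\\)\.\.(?:/|\\|$)')
# Characters that only make sense in a parameter if it reaches a shell.
SHELL_META = (';', '|', '`', '$(', '&&', '\n')


def decode(s, rounds=2):
    """URL-decode up to `rounds` times so double-encoded sequences such as
    %252F become '/' before the rules run; stops early once stable."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def parse_line(line):
    """Return the fields of one common-log-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_request(target):
    """Return the names of the rules that fire for one request-target string."""
    hits = []
    parts = urlsplit(target)
    if TRAVERSAL_RE.search(decode(parts.path)):
        hits.append('path_traversal')
    # Split the query ourselves (on '&' only) so a ';' in a value survives.
    values = [decode(pair.partition('=')[2]) for pair in parts.query.split('&') if pair]
    if any(meta in v for v in values for meta in SHELL_META):
        hits.append('shell_metachars')
    return hits


def triage(log_text):
    """One finding per (line, rule); malformed lines are skipped."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if not rec:
            continue
        for rule in check_request(rec['target']):
            findings.append({'line': n, 'src': rec['src'], 'ts': rec['ts'],
                             'target': rec['target'], 'rule': rule})
    return findings


def sources_to_review(findings):
    """Source IPs with the set of rules each triggered, most rules first."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f['src'], set()).add(f['rule'])
    return sorted(by_src.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == '__main__':
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']:>3} {f['src']:<15} {f['rule']:<16} {f['target']}")
    for src, rules in sources_to_review(results):
        print(f"review {src}: {', '.join(sorted(rules))}")
```

Two design notes. First, the rules are deliberately loose triage filters, not exploit signatures: a `|` or `;` in a legitimate parameter will produce a false positive, and the point is to shortlist appliances for the vendor's integrity check and a rebuild decision, not to prove compromise. Second, run this against log copies that were forwarded off the appliance (syslog or a SIEM) before the suspected compromise window; logs that remain on a device an attacker has had root on cannot be trusted, which is why the guidance above treats any positive detection as grounds to rebuild rather than clean.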
Given the severity of the situation, all users of affected products are strongly urged to apply the mitigations immediately and check their appliances for compromise, even if that means temporarily taking the VPN offline to protect the rest of the network.