Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

Ivanti Exploitation More Widespread Than Previously Thought

More Than 1,700 Devices Compromised Worldwide
Ivanti Exploitation More Widespread Than Previously Thought
Pulse Secure headquarters in Silicon Valley before its December 2020 acquisition by Ivanti (Image: Shutterstock)

Estimates of the number of devices affected by a duo of zero-days in a popular corporate VPN made by software developer Ivanti have skyrocketed from fewer than 10 to more than 1,700.

See Also: Finding and Managing the Risk in your IT Estate: A Comprehensive Overview

Ivanti sought last Wednesday to tamp down concerns about likely Chinese nation-state hackers exploiting unpatched flaws by stating it knew of fewer than 10 customers that showed signs of intrusion. The flaws affect the firm's Connect Secure VPN appliance, formerly known as Pulse Secure, and Ivanti Policy Secure (see: Suspected Chinese Hackers Exploit 2 Ivanti Zero-Days).

Cybersecurity firm Volexity, which first published details about the flaws, said in a Monday update that subsequent scanning had revealed evidence of more than 1,700 compromised devices across the globe. Ivanti in a Tuesday update said its own scanning had showed results "consistent with Volexity's newly released observations."

Neither is it only apparent Chinese hackers exploited the flaws, the earliest patches for which won't be available until Jan. 22. Ivanti has detailed mitigation steps, although they only head off future attacks and don't remediate already-compromised devices. The firm is urging customers to run a built-in Integrity Check Tool for log entries indicating mismatched or new files.

"Additional threat actors beyond UTA0178 appear to now have access to the exploit and are actively trying to exploit devices," Volexity wrote, referring to its term for the threat actor that the firm earlier said it has "reason to believe" is a Chinese nation-state-level threat actor.

Victims include Fortune 500 companies and governments, including telecom providers, defense contractors, financial and aerospace sectors, technology and consulting. The flaws are tracked as CVE-2023-46805 and CVE-2024-21887.

Threat intelligence firm Mandiant in a Friday blog post said it can't attribute the initial hackers to any known group. Their targeting of edge infrastructure appliances through zero-day flaws "has been a consistent tactic leveraged by espionage actors," it said.

The Google subsidiary said it has identified five malware families used to exploit Connect Secure and Policy Secure. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.