Security company Censys has found that hackers allegedly working for the Chinese government are exploiting critical vulnerabilities in Ivanti's VPN appliances at scale, gaining full control of the devices.
According to Censys, of roughly 26,000 Ivanti appliances exposed to the Internet, 492 remained infected, spread across countries around the world including the United States (121 devices), Germany (26), South Korea (24) and China (21). Broken down by hosting network, the most infected devices sat on Microsoft's (13), followed by Amazon's (12) and Comcast's (10).
In a secondary scan of Ivanti Connect Secure servers, Censys researchers found 412 unique hosts carrying a backdoor and 22 distinct malware variants, which could point either to multiple attackers or to a single attacker changing tactics.
The attacks exploit two zero-day vulnerabilities in the web component of Ivanti Connect Secure and Ivanti Policy Secure, affecting all supported versions (9.x and 22.x):
CVE-2023-46805 (CVSS Score: 8.2): Authentication Bypass Vulnerability – Allows a remote attacker to access restricted resources by bypassing security checks.
CVE-2024-21887 (CVSS Score: 9.1): Command Injection Vulnerability – Allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Chained with CVE-2023-46805, the authentication requirement falls away, so an unauthenticated remote attacker ends up with command execution on the device.
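To make the two bug classes concrete, the following is an added example that is not Ivanti's code and does not reproduce the actual Ivanti endpoints: a hypothetical API router whose authorization check inspects the raw request path while the dispatcher resolves the normalized path (one common way an "access restricted resources by bypassing security checks" flaw arises), and an admin handler behind it that splices request data into a shell command line. The hardened variants normalize and reject traversal before the authorization decision, and validate the parameter and avoid the shell before running anything. The `/api/...` routes, the `node` parameter and the `echo` command are all placeholders chosen for illustration.

```python
"""Generic auth-bypass + command-injection illustration (added example, not
Ivanti's code). Routes, parameters and commands are hypothetical."""
import posixpath
import re
import subprocess

PUBLIC_PREFIX = "/api/public/"   # hypothetical unauthenticated routes
ADMIN_RUN = "/api/admin/run"     # hypothetical privileged route


def resolve_handler(raw_path: str):
    """Dispatch on the normalized path, as a real web server would."""
    path = posixpath.normpath(raw_path)
    if path == ADMIN_RUN:
        return "admin_run"
    if path == "/api/public/status":
        return "public_status"
    return None


def vulnerable_is_authorized(raw_path: str, authenticated: bool) -> bool:
    # Bug: decided on the RAW path. "/api/public/../admin/run" starts with the
    # public prefix, so it is allowed even though it dispatches to admin_run.
    if raw_path.startswith(PUBLIC_PREFIX):
        return True
    return authenticated


def hardened_is_authorized(raw_path: str, authenticated: bool) -> bool:
    # Fix: refuse traversal outright, then decide on the canonical path.
    if ".." in raw_path.split("/"):
        return False
    path = posixpath.normpath(raw_path)
    if path.startswith(PUBLIC_PREFIX):
        return True
    return authenticated


def vulnerable_run(node: str) -> str:
    # Bug: attacker-controlled value interpolated into a shell command line,
    # so "x; echo INJECTED" runs a second command.
    cmd = f"echo status-of {node}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_run(node: str) -> str:
    # Fix: strict allow-list on the parameter and no shell at all; the value
    # is passed as a single argv element, never re-parsed.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", node):
        raise ValueError("invalid node name")
    return subprocess.run(["echo", "status-of", node],
                          capture_output=True, text=True).stdout


def handle_request(raw_path: str, authenticated: bool, node: str,
                   hardened: bool = False) -> str:
    """Simulated request pipeline: authorization check, then dispatch."""
    is_authorized = hardened_is_authorized if hardened else vulnerable_is_authorized
    run = hardened_run if hardened else vulnerable_run
    if not is_authorized(raw_path, authenticated):
        return "403"
    handler = resolve_handler(raw_path)
    if handler == "admin_run":
        return run(node)
    if handler == "public_status":
        return "ok"
    return "404"


if __name__ == "__main__":
    # Unauthenticated traversal through the "public" prefix reaches the
    # privileged handler and the injected command runs.
    print(repr(handle_request("/api/public/../admin/run", False, "x; echo INJECTED")))
    # Same request against the hardened pipeline is refused before dispatch.
    print(handle_request("/api/public/../admin/run", False, "x; echo INJECTED", hardened=True))
```

The point of the pairing is that each fix closes its own bug independently: even if the traversal check were missing, `hardened_run` would still refuse the injected string, and even if the shell were still used, `hardened_is_authorized` would keep an unauthenticated caller away from the handler. Defenders reviewing a web front end for this class should check that the path used for the authorization decision is the same canonical path the dispatcher uses.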
The attackers use the exploits to install multiple backdoors that harvest as many credentials as possible from employees and devices on the compromised network and enable lateral movement. Although they deploy malware, the attackers rely primarily on a Living off the Land (LotL) approach, abusing legitimate software and built-in tools to evade detection.
According to Censys, the evidence suggests the attackers are motivated by espionage. This matches recent reports from Volexity and Mandiant: Volexity attributes the activity to a suspected "Chinese state attacker" it tracks as UTA0178, and Mandiant, which tracks the group as UNC5221, says its methods are consistent with an Advanced Persistent Threat (APT).
U.S. federal agencies have been directed to take measures to prevent exploitation of the vulnerabilities. Ivanti has not yet released patches for them. Until updates are available, CISA and security companies strongly urge affected users to follow Ivanti's mitigation and system recovery guidance. According to Ivanti, fixes will be released in stages, with the first version available to customers on January 22 and the final one on February 19.
Mass exploitation began on January 11, the day after Ivanti disclosed the vulnerabilities. The bugs are especially dangerous because of their impact, the wide deployment of the affected appliances, and the difficulty of remediation, particularly in the absence of an official fix from the vendor.
Detailed descriptions of the malware's behavior and of methods for detecting infection are provided in the Volexity and Mandiant reports. Given the severity of the vulnerabilities and the impact of their exploitation, all users of the affected products should take steps to mitigate the threat as soon as possible, even if that means temporarily taking the VPNs offline.
