Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Patch Management
Ivanti Discloses Additional Zero-Day That Is Being Exploited
Company Starts Patch Rollout for Flaws Exploited by Likely Chinese Intelligence OpCorporate VPN maker Ivanti on Wednesday began a belated patch rollout for zero-day flaws that multiple cybersecurity firms say paved the way for an espionage hacking operation likely conducted by China.
Ivanti also disclosed two more gateway zero-day flaws and told customers that hackers are actively exploiting one of them.
The patch, which also fixes the newly disclosed vulnerabilities, is for some versions of Connect Secure, one of two Ivanti gateways affected by the original set of zero-days. The other is Policy Secure, and the new flaws also affect versions of Ivanti Neurons for ZTA.
The company is staggering its patch release schedule since it is "releasing patches for the highest number of installs first and then continuing in declining order," it told customers.
The company recommended that customers reset their appliances to factory settings before applying the patch "to prevent the threat actor from gaining upgrade persistence in your environment."
The two new flaws are CVE-2024-21888, which allows for privilege escalation, and CVE-2024-21893, a server-side request forgery vulnerability residing in an SAML component.
"There is no evidence that hackers have exploited" the privilege escalation zero-day "and we are aware of a limited number of customers impacted by CVE-2024-21893," the company said. That limited number is likely to increase, it warned, now that the vulnerability is public. "Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation," it said.
For customers without an available patch, Ivanti suggested applying mitigation steps downloadable as an XML file.
The two vulnerabilities announced earlier this month, tracked as CVE-2023-46805 and CVE-2024-21887, allow threat actors to establish persistent system access and move laterally across a target network while performing data exfiltration operations. Research suggests that as of mid-January, more than 2,100 Ivanti appliances worldwide have been compromised with a web shell backdoor. Known victims include Fortune 500 companies, governments and a variety of sectors, including defense, finance, technology and consulting.
Cybersecurity firm Volexity, which on Jan. 10 published details about the flaws, said it suspected the culprits were Chinese state attackers.
Threat intelligence firm Mandiant published similar findings Wednesday, saying that the threat actor who exploited the vulnerabilities as early as Dec. 3 appears to have a connection to Chinese intelligence. The threat actor, which Mandiant tracks as UNC5221, has a history of hacking targets of strategic interest to Beijing. "Early indications show that tooling and infrastructure overlap with past intrusions attributed to suspected China-based espionage actors," the company said.