The number of Ivanti Connect Secure VPN appliances compromised through the exploitation of two recently disclosed vulnerabilities is increasing, and the US security agency CISA warns that another Ivanti product flaw is being exploited.
Threat intelligence and incident response firm Volexity reported on January 10 that a cyberespionage group linked to China (UTA0178) had been spotted exploiting two Ivanti VPN zero-day vulnerabilities to gain access to internal networks.
The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection flaw (CVE-2024-21887). The vulnerabilities can be chained by a remote, unauthenticated attacker to execute arbitrary commands on the targeted Ivanti VPN appliance.
Ivanti has released mitigations, but patches are only expected to become available starting next week.
While the first attacks appeared highly targeted, widespread exploitation started soon after their existence came to light. Volexity’s initial scans saw 1,700 compromised devices, but the company reported on Thursday that the number had increased to more than 2,100.
The hacked appliances belong to government, military, defense, telecoms, tech, financial, consulting, engineering, aerospace and aviation organizations, including Fortune 500 companies, mostly located in the United States and Europe.
Attacks are being launched by an increasing number of threat groups, including profit-driven cybercriminals, who are using the vulnerabilities to deploy malware and cryptocurrency miners.
Evidence uncovered during the initial analysis of the Chinese threat group’s campaign suggested that the hackers had taken steps to maintain access to high-value systems even after the release of patches by Ivanti.
In addition, Volexity has now seen attempts by the threat actor to bypass the Integrity Checker Tool shipped by Ivanti with its products. The tool helps ensure that no changes have been made to the system, but the attackers are making modifications that cause it to always report that no issues have been detected.
Also on Thursday, CISA added CVE-2023-35082, an authentication bypass bug affecting Ivanti’s Endpoint Manager Mobile (EPMM) product, to its known exploited vulnerabilities catalog.
CVE-2023-35082 came to light in August 2023, being described as a bypass of the fix for CVE-2023-35078, an EPMM vulnerability that was exploited as a zero-day in April 2023 in attacks aimed at the Norwegian government.
There do not appear to be any reports describing attacks that involve exploitation of CVE-2023-35082.
Related: Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks