
Malware Used in Ivanti Zero-Day Attacks Shows Hackers Preparing for Patch Rollout

Ivanti zero-day vulnerabilities dubbed ConnectAround could impact thousands of systems, and the Chinese cyberspies exploiting them appear to have been preparing for the patch release.


The recently discovered Ivanti Connect Secure zero-day vulnerabilities could impact thousands of systems and the threat actors caught exploiting them appear to have been preparing for the release of patches.

Threat intelligence and incident response firm Volexity warned on January 10 that it had seen threat actors likely connected to China — tracked by the company as UTA0178 — exploiting two previously unknown vulnerabilities in Ivanti Connect Secure (ICS) VPN devices to gain access to internal networks, with the goal of stealing valuable data.

According to Volexity and Ivanti, the attackers exploited an authentication bypass flaw tracked as CVE-2023-46805 and a command injection issue identified as CVE-2024-21887. On its own, the command injection is only reachable by an authenticated administrator; chained with the authentication bypass, it enables a remote, unauthenticated attacker to execute arbitrary commands on appliances.
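The chain described above, reduced to a hypothetical two-route web application so the mechanics are visible (added example, not Ivanti code and not a description of how the ICS flaws actually work): the paths, the `host` parameter, the prefix allow-list and the normalization mismatch are all assumptions invented for the illustration. The vulnerable handler shows why a command injection that requires an administrator session becomes unauthenticated remote code execution as soon as the authorization check can be sidestepped; the hardened handler closes both holes.

```python
"""Toy authentication-bypass + command-injection chain (illustrative only).

Hypothetical routes and parameters; nothing here models Ivanti's code.
The only command executed is `echo`, so the demo is safe to run.
"""
import posixpath
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

PUBLIC_PREFIX = "/api/public/"   # hypothetical: reachable without a session
ADMIN_PREFIX = "/api/admin/"     # hypothetical: requires an admin session
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # strict hostname/IP pattern


def route(raw_path):
    """Collapse '.' and '..' the way most routers do before dispatching."""
    return posixpath.normpath(raw_path)


def vulnerable_handle(request_target, session=None):
    """Auth check on the raw path, command built as a shell string."""
    parts = urlsplit(request_target)
    raw_path, query = parts.path, parse_qs(parts.query)
    # Bug 1 (auth bypass): the allow-list is evaluated on the raw path, so
    # "/api/public/../admin/diag" is waved through as a public request ...
    if not raw_path.startswith(PUBLIC_PREFIX):
        if session is None or session.get("role") != "admin":
            return 401, ""
    # ... while dispatch uses the normalised path, which lands on the admin route.
    if route(raw_path) == ADMIN_PREFIX + "diag":
        host = query.get("host", [""])[0]
        # Bug 2 (command injection): untrusted input spliced into a shell line.
        out = subprocess.run("echo ping " + host, shell=True,
                             capture_output=True, text=True)
        return 200, out.stdout
    return 404, ""


def hardened_handle(request_target, session=None):
    """Authorise the path that will actually run, and never touch a shell."""
    parts = urlsplit(request_target)
    path, query = route(parts.path), parse_qs(parts.query)
    # Fix 1: decide on the normalised path, deny by default outside known prefixes.
    if path.startswith(ADMIN_PREFIX):
        if session is None or session.get("role") != "admin":
            return 401, ""
    elif not path.startswith(PUBLIC_PREFIX):
        return 404, ""
    if path == ADMIN_PREFIX + "diag":
        host = query.get("host", [""])[0]
        # Fix 2: strict validation, then a discrete argv element (no shell),
        # which also blocks argument injection such as a leading "-".
        if not HOST_RE.match(host):
            return 400, ""
        out = subprocess.run(["echo", "ping", host], capture_output=True, text=True)
        return 200, out.stdout
    return 404, ""


if __name__ == "__main__":
    # Constructed request: traversal under the public prefix plus an
    # injected second command ("x; echo INJECTED", URL-encoded).
    payload = "/api/public/../admin/diag?host=x%3B%20echo%20INJECTED"
    print("vulnerable, no session:", vulnerable_handle(payload))
    print("hardened, no session:  ", hardened_handle(payload))
    print("hardened, admin:       ", hardened_handle(payload, {"role": "admin"}))
    print("hardened, admin, clean:", hardened_handle("/api/admin/diag?host=10.0.0.1",
                                                     {"role": "admin"}))
```

The unauthenticated request against the vulnerable handler returns both `ping x` and `INJECTED`, proving the second command ran; the hardened handler answers 401 to the same request, and 400 even to an administrator who submits the injected value. The general lesson is the one the advisory wording implies: rate a post-authentication bug by what it becomes when the authentication layer in front of it fails.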

Ivanti rushed to come up with mitigations against exploitation of the zero-days, but patches are only expected to start becoming available in the week of January 22. The vendor noted that the vulnerabilities affect Ivanti Connect Secure, formerly known as Pulse Connect Secure, as well as Ivanti Policy Secure gateways.

The US cybersecurity agency CISA has added the two zero-days to its known exploited vulnerabilities catalog, instructing government agencies to take action by January 31. 

Rapid7 noted that there appear to be more than 7,000 internet-exposed instances that could be vulnerable to attacks, a majority located in the United States, Japan and Europe.

Mandiant has also conducted an analysis of attacks involving CVE-2023-46805 and CVE-2024-21887. The company tracks the threat actor as UNC5221 but has not released any attribution information and, unlike Volexity, has refrained from linking it to the Chinese government. It did, however, confirm that the likely goal appears to be espionage.

In its analysis, Mandiant describes five malware families deployed by the hackers. The custom malware observed in the attacks is tracked by Mandiant as ThinSpool, LightWire, WireFire, WarpWire and ZipLine. 


These pieces of malware are webshells, droppers, backdoors and information stealers. Mandiant believes they have been used as part of a targeted operation, with the attackers taking steps to maintain access to high-value compromised systems even after the release of patches by Ivanti.

“Mandiant has determined that ThinSpool acts as a key tool for both persistence and detection evasion, in addition to being the initial dropper for the LightWire web shell used by UNC5221 for post-exploitation activity. The LightWire and WireFire web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances,” Mandiant said. 

It added, “This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released. Additionally, the WarpWire JavaScript credential stealer may also enable further access to accounts for lateral movement or espionage by capturing plaintext login credentials.”

Both Ivanti and Mandiant noted that CVE-2023-46805 and CVE-2024-21887 have been exploited in attacks since at least December 2023. 

Security researcher Kevin Beaumont, who named the vulnerabilities ConnectAround, said there will likely be more victims, but noted that many organizations don’t have the capabilities and resources to detect exploitation and respond to such attacks. 

Zero-day vulnerabilities in Ivanti products have repeatedly been exploited in attacks targeting high-value organizations, as the related coverage below shows.

Related: Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks

Related: Exploitation of Ivanti Sentry Zero-Day Confirmed

Related: Ivanti Ships Urgent Patch for API Authentication Bypass Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
