The recently discovered Ivanti Connect Secure zero-day vulnerabilities could impact thousands of systems, and the threat actors caught exploiting them appear to have prepared to retain access on compromised appliances once patches are released.
Threat intelligence and incident response firm Volexity warned on January 10 that it had seen threat actors likely connected to China — tracked by the company as UTA0178 — exploiting two previously unknown vulnerabilities in Ivanti Connect Secure (ICS) VPN devices to gain access to internal networks, with the goal of stealing valuable data.
According to Volexity and Ivanti, the attackers exploited an authentication bypass flaw tracked as CVE-2023-46805 and a command injection issue identified as CVE-2024-21887. Chaining the two security holes enables a remote, unauthenticated attacker to execute arbitrary commands on appliances.
Ivanti rushed to publish mitigations against exploitation of the zero-days, but patches are only expected to become available starting the week of January 22. The vendor noted that the flaws affect both Connect Secure, formerly known as Pulse Connect Secure, and the related Ivanti Policy Secure gateway product.
The US cybersecurity agency CISA has added the two zero-days to its known exploited vulnerabilities catalog, instructing government agencies to take action by January 31.
Rapid7 noted that there appear to be more than 7,000 internet-exposed instances that could be vulnerable to attacks, a majority located in the United States, Japan and Europe.
Mandiant has also analyzed attacks involving CVE-2023-46805 and CVE-2024-21887. The company tracks the threat actor as UNC5221 but has not released any attribution details and, unlike Volexity, has refrained from linking it to the Chinese government. It did, however, say that the likely goal is espionage.
In its analysis, Mandiant describes five custom malware families deployed by the hackers, tracked as ThinSpool, LightWire, WireFire, WarpWire and ZipLine.
These tools include webshells, droppers, backdoors and a credential stealer. Mandiant believes they were used as part of a targeted operation, with the attackers taking steps to maintain access to high-value compromised systems even after Ivanti releases patches.
“Mandiant has determined that ThinSpool acts as a key tool for both persistence and detection evasion, in addition to being the initial dropper for the LightWire web shell used by UNC5221 for post-exploitation activity. The LightWire and WireFire web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances,” Mandiant said.
It added, “This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released. Additionally, the WarpWire Javascript credential stealer may also enable further access to accounts for lateral movement or espionage by capturing plaintext login credentials.”
Both Ivanti and Mandiant noted that CVE-2023-46805 and CVE-2024-21887 have been exploited in attacks since at least December 2023.
Security researcher Kevin Beaumont, who has dubbed the vulnerabilities ConnectAround, said there will likely be more victims, noting that many organizations lack the capabilities and resources to detect exploitation and respond to such attacks.
It’s not uncommon for Ivanti product zero-day vulnerabilities to be exploited in attacks targeting important organizations.
Related: Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks
Related: Exploitation of Ivanti Sentry Zero-Day Confirmed
Related: Ivanti Ships Urgent Patch for API Authentication Bypass Vulnerability