Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days

Ivanti confirms active zero-day exploits, ships pre-patch mitigations, but says comprehensive fixes won’t be available until January 22.

Ivanti zero-day

Malware hunters at Volexity on Wednesday warned that suspected Chinese nation-state hackers are actively exploiting a pair of unauthenticated remote zero-day vulnerabilities in Ivanti Connect Secure VPN devices.

The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, affect fully patched Internet-facing Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure) and were caught during in-the-wild zero-day exploitation.

Ivanti, a company that has struggled with major security problems, released pre-patch mitigations for the new vulnerabilities but said comprehensive fixes will be released on a staggered schedule beginning on January 22.

“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” Ivanti said.

In a research report, Volexit said it caught the zero-days after noticing suspicious lateral movement on the network of one of its customers, and found that an attacker was placing webshells on multiple internal and external-facing web servers. 

The company traced the infections back to the victim company’s Ivanti Connect Secure VPN appliance that showed that its logs had been wiped and logging had been disabled. 

“Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address. Volexity found that there was suspect activity originating from the device as early as December 3, 2023,” the company said.

Volexity said it worked closely with Ivanti in order to obtain disk and memory images from the impacted devices and was able to uncover the exploit chain used by the attacker. 

Advertisement. Scroll to continue reading.

“[We] discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). Through forensic analysis of the memory sample, Volexity was able to recreate two proof-of-concept exploits that allowed full unauthenticated command execution on the ICS VPN appliance,” the company said.

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system. In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” Volexity added.

The researchers said they caught the attackers modifying legitimate ICS components and making changes to the system to evade Ivanti’s Integrity Checker Tool; and  backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. 

Volexity said the suspected Chinese government-backed hacking team also modified a JavaScript file used by the Web SSL VPN component of the device in order to log keystrokes and exfiltrate credentials for users logging into the VPN. 

“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” Volexity warned.

Related: Volexity Blames ‘DriftingCloud’ APT For Sophos Firewall Zero-Day

Related: Exploitation of Ivanti Sentry Zero-Day Confirmed

Related: Ivanti Patches Critical Vulnerability in Endpoint Manager

Related: Ivanti Patches Dozen Critical Vulnerabilities in Avalanche MDM Product

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.