The Ivanti Connect Secure VPN and Policy Secure network access control (NAC) appliances are under mass exploitation due to two zero-day vulnerabilities, as revealed by threat intelligence company Volexity. These vulnerabilities involve an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887), enabling attackers to execute arbitrary commands on affected systems. Volexity discovered that multiple threat groups have been exploiting these vulnerabilities since January 11, targeting a global array of victims, ranging from small businesses to Fortune 500 companies, government departments, military organizations, defense contractors, and more. The attackers utilized a GIFTEDVISITOR webshell variant, compromising over 1,700 ICS VPN appliances globally.
Despite Ivanti not yet releasing patches for the actively exploited zero-days, Volexity recommends mitigation measures, urging administrators to ensure the appliances’ management interface is not exposed online and advising upgrades to the latest firmware versions once available. The threat monitoring service Shadowserver identifies over 16,800 ICS VPN appliances exposed online, with almost 5,000 in the United States. The attacks have escalated beyond a limited number of customers, involving a suspected Chinese state-backed threat actor (UTA0178 or UNC5221) and multiple other threat groups, deploying various custom malware strains to achieve their objectives. These attacks underscore the growing sophistication and widespread impact of exploiting vulnerabilities in widely used network security appliances.
The compromised Ivanti appliances were targeted through a series of sophisticated attacks, with the threat actors deploying custom malware strains, including Zipline Passive Backdoor, Thinspool Dropper, Wirefire web shell, Lightwire web shell, Warpwire harvester, PySoxy tunneler, BusyBox, and Thinspool utility. The most notable, Zipline, serves as a passive backdoor intercepting network traffic and providing various capabilities like file transfer, reverse shell, tunneling, and proxying. The attackers, suspected to be backed by China, have shown a consistent pattern of exploiting zero-days in Ivanti products, highlighting the need for proactive cybersecurity measures and ongoing vigilance to safeguard against such sophisticated attacks.
