China suspected to be behind Ivanti zero-day exploits
Ivanti is working on a patch to fix two high-impact vulnerabilities allowing attackers to control an affected system.

Attackers have been exploiting two zero-day vulnerabilities affecting the security software provider Ivanti’s products. CISA urged admins to take note of the flaws and added the vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, to the Known Exploited Vulnerabilities catalog, requiring government institutions to remediate the issue.

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system. In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” researchers at Volexity said.

However, Ivanti has yet to release a patch for the affected systems. For the time being, the company issued a workaround via its blog.

“We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT,” reads Ivanti’s blog.

The zero-days are an authentication bypass and a command-injection vulnerability that, together, allow attackers to perform a wide array of attacks, including remote code execution and full system takeover. According to Ivanti, the company is aware of “less than ten customers” who were impacted by the vulnerabilities.

Ivanti claims to have more than 40,000 customers in total.

Researchers believe that the affected systems may have been exploited as early as December 3rd, 2023. The culprits behind the exploits are suspected to be UTA0178, believed to be a Chinese nation-state-level threat actor.

There’s little insight into the attacker’s motives. However, researchers observed threat actors carrying out reconnaissance and system exploration tasks.

“This primarily consisted of looking through user files, configuration files, and testing access to systems. The primary notable activity beyond that was deployment of webshells to multiple systems,” Volexity researchers said.
