"State-Sponsored Hackers Know Enterprise VPN Appliances Inside Out"

According to Mandiant incident responders and threat hunters, the suspected Chinese state-sponsored hackers who exploited Ivanti Connect Secure VPN flaws to breach a number of organizations have shown "a nuanced understanding of the appliance." They were able to make several changes to the device and to install specialized malware and plugins that ensure persistence across system upgrades, patches, and factory resets. Mandiant's security researchers believe that two different, but likely linked, threat groups, tracked as UNC5325 and UNC3886, are behind some of the recent attacks, which began with the exploitation of several Ivanti Connect Secure flaws. This article continues to discuss the threat actors' exploitation of recent Ivanti Connect Secure VPN vulnerabilities and their use of new malware for persistence.

Help Net Security reports "State-Sponsored Hackers Know Enterprise VPN Appliances Inside Out"

Submitted by grigby1