"Government, Military Targeted as Widespread Exploitation of Ivanti Zero-Days Begins"

Security researchers at threat intelligence and incident response firm Volexity have started seeing widespread exploitation of the recently disclosed Ivanti Connect Secure VPN appliance vulnerabilities. The researchers warned on January 10 that they had seen a threat group, tracked as UTA0178 and likely linked to China, exploiting two Ivanti VPN zero-day vulnerabilities in an attempt to gain access to internal networks and steal information. The vulnerabilities are an authentication bypass flaw tracked as CVE-2023-46805 and a command injection issue tracked as CVE-2024-21887. The researchers noted that chaining the two enables a remote, unauthenticated attacker to execute arbitrary commands on the targeted appliance. While the attacks were initially highly targeted, widespread exploitation appears to have now begun. The researchers scanned roughly 50,000 IPs associated with Ivanti VPN appliances and found that more than 1,700 were compromised. The hacked devices belong to organizations in the government, military, telecoms, defense, tech, banking, finance, accounting, consulting, aerospace, aviation, and engineering sectors. They include small businesses and Fortune 500 companies. Victims were seen all around the world, but the highest percentage appears to be in the United States, followed by Europe.

 

SecurityWeek reports: "Government, Military Targeted as Widespread Exploitation of Ivanti Zero-Days Begins"

Submitted by Adam Ekwall on