Recent findings from Mandiant’s threat intel team reveal that two zero-day vulnerabilities in Ivanti products, specifically Ivanti Connect Secure (ICS) and its Policy Secure gateways, have been under attack by cyberspies since December.
Details of the Vulnerabilities
- CVE-2023-46805: Authentication bypass bug
- CVE-2024-21887: Command injection vulnerability
These vulnerabilities, when chained together, lead to unauthenticated remote code execution, allowing attackers to take control of an organization’s Ivanti network appliances and infiltrate their IT environment.
Situation Overview
As of the latest update, Ivanti is aware of less than 20 impacted customers, but this number is expected to increase as more organizations run integrity-checking tools to identify compromised devices.
The worrisome aspect is that Ivanti has not yet released patches for these vulnerabilities. The company plans to roll out patches in a staggered fashion starting the week of January 22. In the meantime, Ivanti urges customers to deploy mitigations immediately.
Collaborative Efforts
Mandiant is actively collaborating with Ivanti to investigate and mitigate the impact of these vulnerabilities. The threat intelligence firm has already identified in-the-wild abuse of the bugs by a suspected espionage team known as UNC5221, dating back to December.
Attribution and Tactics
While initial probing linked the attackers to China, there is currently insufficient data for attribution, according to Charles Carmakal, Mandiant Consulting CTO. UNC5221 utilized hijacked end-of-life Cyberoam VPN appliances as command-and-control servers, strategically located within victims’ domestic environments to evade detection.
These targeted attacks, involving bespoke malware for persistence and avoiding detection, indicate a concerted effort by UNC5221 to maintain a presence on high-priority targets even after the inevitable release of patches.
Immediate Actions
Considering the severity of the situation, organizations using Ivanti products are strongly advised to implement mitigations promptly and stay vigilant for any indicators of compromise. Updates on the investigation and patches from Ivanti are expected in the coming weeks.
Ongoing Analysis and Response
Mandiant continues its analysis of the ongoing attacks and promises to provide additional details as the investigation progresses. The cybersecurity community is closely monitoring the situation, emphasizing the need for a swift response to prevent further exploitation of these vulnerabilities.
FAQs
- How did Mandiant discover the in-the-wild abuse?
Mandiant identified the abuse during its ongoing threat intelligence activities, tracking the activities of the suspected espionage team UNC5221. - What actions are recommended for organizations using Ivanti products?
Organizations should immediately deploy mitigations provided by Ivanti and stay informed about further updates, including the release of patches. - Is there confirmation of the attackers being associated with China?
While initial findings by Volexity pointed to a Chinese nation-state-level threat actor, attribution remains inconclusive at this stage, according to Charles Carmakal. - How did UNC5221 use compromised devices for command and control?
UNC5221 primarily utilized hijacked end-of-life Cyberoam VPN appliances strategically placed within victims’ domestic environments, enhancing their ability to evade detection. - Are these opportunistic attacks?
The use of bespoke malware for persistence and the targeting of high-priority victims indicate that these attacks are not opportunistic but rather part of a deliberate and strategic effort by UNC5221.