Government-Sponsored Hackers Exploit Fresh Ivanti VPN Vulnerabilities – No Fixes Available

U.S. software giant Ivanti has confirmed that hackers are exploiting two critical-rated vulnerabilities affecting its widely-used corporate VPN appliance, but said that patches won’t be available until the end of the month. Ivanti said the two vulnerabilities — tracked as CVE-2023-46805 and CVE-2024-21887 — were found in its Ivanti Connect Secure software. Formerly known as Pulse Connect Secure, this is a remote access VPN solution that enables remote and mobile users to access corporate resources over the internet. When TechCrunch asked why patches weren’t being made available immediately, Ivanti declined to comment. Ivanti is urging potentially impacted organizations to prioritize following its mitigation guidance, and U.S. cybersecurity agency CISA has also published an advisory urging Ivanti Connect Secure users to mitigate the two vulnerabilities immediately.

“It appears that hackers are taking advantage of two vulnerabilities in Ivanti’s Connect Secure software,” says a spokesperson for the U.S. software company. These vulnerabilities, known as CVE-2023-46805 and CVE-2024-21887, are considered critical and impact a popular corporate VPN appliance. However, Ivanti has stated that it will not have patches available until the end of the month.

Ivanti’s Connect Secure, formerly known as Pulse Connect Secure, is a remote access VPN solution that allows users to securely access corporate resources over the internet. Unfortunately, it seems that this software is now being targeted by cyber criminals.

According to Ivanti, fewer than 10 customers have been impacted by the “zero day” vulnerabilities, so called because hackers exploited them before Ivanti had the chance to fix them. One of these affected customers was also a client of cybersecurity company Volexity, which noticed suspicious activity on the customer’s network in December. Upon further investigation, Volexity found that hackers had taken advantage of the two vulnerabilities to gain unauthenticated remote code execution, giving them access to sensitive information and the ability to control the VPN appliance.

It is believed that this attack was carried out by a China-based hacking group known as UTA0178. Volexity has evidence to suggest that the compromised VPN appliance may have been accessed as early as December 3rd.

While Ivanti claims that only a small number of corporate customers have been affected, security researcher Kevin Beaumont believes that there may be many more victims. On Mastodon, Beaumont shared results from a scan that showed around 15,000 Ivanti appliances exposed to the internet globally. He has since nicknamed the two vulnerabilities “ConnectAround.”

Rapid7 researcher Caitlin Condon also reported on suspicious scanning activity targeting Ivanti Connect Secure appliances. In a blog post shared with TechCrunch, Condon said that Rapid7 had observed this activity on its honeypots, which emulate Ivanti appliances.

While Ivanti plans to release patches for the two vulnerabilities, they will be staggered and won’t be available until January 22nd at the earliest. When asked for more information, Ivanti declined to comment on the reason for the delayed release. The company also did not confirm whether any data had been stolen as a result of the attacks or if they had identified the attackers responsible.

If your organization may be impacted by these vulnerabilities, Ivanti is urging you to prioritize following their mitigation guidance. The U.S. cybersecurity agency CISA has also issued an advisory for Ivanti Connect Secure users to mitigate the vulnerabilities immediately.

However, it’s important to note that applying these mitigations will not undo any previous compromises. Organizations must take action to secure their Ivanti appliances and protect their sensitive data.

Kira Kim

Kira Kim is a science journalist with a background in biology and a passion for environmental issues. She is known for her clear and concise writing, as well as her ability to bring complex scientific concepts to life for a general audience.
