The U.S. National Security Agency has confirmed that hackers are exploiting weaknesses in Ivanti’s widely used enterprise VPN appliance to target organizations in the U.S. defense sector.
NSA representative Edward Bennett confirmed in an emailed statement to TechCrunch on Friday that the intelligence agency, along with other interagency partners, is closely monitoring the widespread repercussions of the recent exploitation of Ivanti products, including within the U.S. defense sector.
“The Cybersecurity Collaboration Center of the NSA is working alongside our partners to detect and mitigate this concerning activity,” added the spokesperson.
This confirmation of the NSA’s involvement in tracking these cyberattacks comes just days after Mandiant reported that a group of suspected Chinese hackers, referred to as UNC5325, has made “mass attempts” to exploit numerous vulnerabilities in Ivanti Connect Secure, popular remote access VPN software used by countless corporations and large organizations globally.
Mandiant stated earlier this week that UNC5325, believed to be a China-backed espionage group, has targeted a variety of industries, including, according to findings from security firm Volexity, the U.S. defense industrial base sector, which comprises thousands of private organizations worldwide that supply equipment and services to the U.S. military.
In its findings, Mandiant underlined UNC5325’s “significant knowledge” of the Ivanti Connect Secure appliance and its use of living-off-the-land techniques, meaning the group relies on legitimate tools and features already present in the targeted systems to better evade detection. Moreover, these China-backed hackers have also deployed novel malware that allows them to stay embedded in Ivanti devices even through factory resets, system upgrades, and the application of patches.
This assessment was corroborated by the advisory that the U.S. cybersecurity agency CISA published on Thursday, which cautioned that hackers exploiting the vulnerable Ivanti VPN appliances can potentially maintain root-level persistence even after a factory reset. The federal cybersecurity agency tested Ivanti’s software and found that hackers have managed to fool the company’s Integrity Checker Tool, resulting in a “failure to detect compromise.”
In response to CISA’s findings, Ivanti’s chief information security officer, Mike Riemer, downplayed the results and told TechCrunch that Ivanti does not consider CISA’s test applicable to a live customer environment. Riemer added that there are currently no known instances of successful threat actor persistence after customers apply the security updates and perform the factory resets that Ivanti recommends.
It is still unknown how many of Ivanti’s customers have been affected by the widespread exploitation of Connect Secure’s vulnerabilities, which began in January. According to Akamai’s analysis published last week, the hackers are launching around 250,000 exploitation attempts per day and have targeted over 1,000 customers so far.