Researchers say attackers are massively exploiting new Ivanti VPN flaw


Hackers have begun massively exploiting a third vulnerability affecting Ivanti’s widely used enterprise VPN appliance, according to new public data.

Last week, Ivanti said it discovered two new security vulnerabilities — tracked as CVE-2024-21888 and CVE-2024-21893 — affecting Connect Secure, its remote access VPN solution used by thousands of businesses and large organizations around the world. According to its website, Ivanti has more than 40,000 customers, including universities, healthcare institutions and banks, whose technology allows their employees to connect from outside the office.

This disclosure came shortly after Ivanti confirmed two earlier bugs in Connect Secure, tracked as CVE-2023-46805 and CVE-2024-21887, that security researchers said were hackers backed by the China had detected. operator since December to break into customer networks and steal information.

Data now shows that one of the newly discovered flaws – CVE-2024-21893, a server-side request forgery flaw – is being exploited en masse.

Although Ivanti has since patched the vulnerabilities, security researchers expect a greater impact on organizations as more hacker groups exploit the flaw. Steven Adair, founder of cybersecurity firm Volexity, a security firm that tracks exploitation of Ivanti vulnerabilities, warned that now that proof-of-concept exploit code is public, “all unpatched devices accessible on the Internet have likely been compromised multiple times. on.”

Piotr Kijewski, chief executive of Shadowserver Foundation, a nonprofit that analyzes and monitors the Internet for exploitation, told TechCrunch on Thursday that the organization observed more than 630 unique IP addresses attempting to exploit the flaw. server side, which allows attackers to access. to data on vulnerable devices.

That’s a big increase from last week, when Shadowserver said he had observed 170 unique IPs attempt to exploit the vulnerability.

A analysis of the new server-side flaw shows that the bug can be exploited to bypass Ivanti’s original mitigation for the initial exploit chain involving the first two vulnerabilities, thus rendering these pre-patch mitigations moot.

Kijewski added that Shadowserver is currently observing approximately 20,800 Ivanti Connect Secure devices exposed to the Internet, up from 22,500 last week, although he noted that it is unclear how many of these Ivanti devices are vulnerable to exploitation.

It is unclear who is behind this massive exploitation, but security researchers have attributed the exploitation of the first two Connect Secure bugs to a Chinese government-backed hacking group likely motivated by espionage.

Ivanti previously said it was aware of “targeted” exploitation of the server-side bug targeting a “limited number of customers.” Despite repeated requests from TechCrunch this week, Ivanti declined to comment on reports that the flaw was being exploited on a large scale, but did not dispute Shadowserver’s findings.

Ivanti started releasing fixes to customers for all vulnerabilities as well as a second round of mitigations earlier this month. However, Ivanti notes in its security advisory – last updated on February 2 – that it “releases fixes to the largest number of installations first, then continues in descending order.”

It is unclear when Ivanti will make the patches available to all of its potentially vulnerable customers.

Reports of another Ivanti exploit exploited en masse come days after the US cybersecurity agency. CISA Orders Federal Agencies to Emergency Disconnect All Ivanti VPN Appliances. The agency’s warning saw CISA give agencies just two days to disconnect the devices, citing the “serious threat” posed by actively attacked vulnerabilities.


Leave a Comment

Your email address will not be published. Required fields are marked *