Hackers begin mass-exploiting Ivanti VPN zero-day flaws

Malicious hackers have begun mass-exploiting two critical zero-day vulnerabilities in Ivanti’s widely used corporate VPN appliance.

That’s according to cybersecurity company Volexity, which first reported last week that China state-backed hackers are exploiting the two unpatched flaws in Ivanti Connect Secure — tracked as CVE-2023-46805 and CVE-2024-21887 — to break into customer networks and steal information. At the time, Ivanti said it was aware of “less than 10 customers” affected by the "zero-day" flaws, described as such given that Ivanti had no time to fix the flaws before they were exploited.

In an updated blog post published on Monday, Volexity says it now has evidence of mass exploitation.

According to Volexity, more than 1,700 Ivanti Connect Secure appliances worldwide have been exploited so far, affecting organizations in the aerospace, banking, defense, government and telecommunications industries.

"Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals," said Volexity. The security firm's researchers added that Ivanti VPN appliances were "indiscriminately targeted," with corporate victims around the world.

But Volexity notes that the number of compromised organizations is likely to be far higher. Nonprofit security threat tracker Shadowserver Foundation has data showing more than 17,000 internet-visible Ivanti VPN appliances worldwide, including more than 5,000 appliances in the United States.

Ivanti confirmed in its updated advisory on Tuesday that its own findings are “consistent” with Volexity's new observations and that the mass-hacks appear to have started on January 11, a day after Ivanti disclosed the vulnerabilities. In a statement provided via public relations agency MikeWorldWide, Ivanti told TechCrunch that it has "seen a sharp increase in threat actor activity and security researcher scans."

When reached Tuesday, Volexity's spokesperson Kristel Faris told TechCrunch that the security firm is in contact with Ivanti, which is “responding to an increase in support requests as quickly as possible.”

Despite mass exploitation, Ivanti has yet to publish patches. Ivanti said it plans to release fixes on a “staggered” basis starting the week of January 22. In the meantime, admins are advised to apply mitigation measures provided by Ivanti on all affected VPN appliances on their network. Ivanti recommends admins reset passwords and API keys, and revoke and reissue any certificates stored on the affected appliances.

No ransomware... yet

Volexity initially attributed exploitation of the two Ivanti zero-days to a China-backed hacking group it tracks as UTA0178. Volexity said it had evidence of exploitation as early as December 3.

Mandiant, which is also tracking exploitation of the Ivanti vulnerabilities, said it has not linked the exploitation to a previously known hacking group, but said its findings — combined with Volexity's — leads Mandiant to attribute the hacks to "an espionage-motivated APT campaign,” suggesting government-backed involvement.

Volexity said this week that it has seen additional hacking groups — specifically a group it calls UTA0188 — exploit the flaws to compromise vulnerable devices, but declined to share additional details about the group — or its motives — when asked by TechCrunch.

Volexity told TechCrunch that it has seen no evidence that ransomware is involved in the mass hacks at this point. “However, we fully anticipate that happening if proof-of-concept code becomes public,” added Faris.

Security researchers have already pointed to the existence of proof-of-concept code capable of exploiting the Ivanti zero-days.