Ivanti zero-day flaws under 'widespread' exploitation

Two critical Ivanti vulnerabilities that remain unpatched are being widely exploited just five days following public disclosure.

In a security advisory Wednesday, Ivanti urged users and administrators to mitigate two zero-day vulnerabilities that affect Ivanti Policy Secure and Ivanti Connect Secure (ICS). The advisory noted that the first round of patches would not be available until Jan. 22, with the second beginning on Feb. 19, but exploitation had already begun. Volexity, which reported the flaws to Ivanti, detected exploitation connected to a Chinese nation-state threat actor it tracks as UTA0178.

Ivanti confirmed that fewer than 10 customers were compromised as of Jan. 11. However, Volexity published a blog post Monday that revealed exploitation has quickly become widespread, with the threat extending beyond UTA0178.

"Exploitation of these vulnerabilities is now widespread. Volexity has been able to find evidence of compromise of over 1,700 devices worldwide," researchers wrote in the blog post.

Affected customers range from small businesses to Fortune 500 companies and include global government and military departments, national telecommunications companies and defense contractors, according to Volexity. Additional sectors include technology, finance and aerospace.

Volexity, as well as Mandiant, tracked the earliest exploitation of CVE-2024-21887 and CVE-2023-46805 to early December. At the time of disclosure, exploitation was limited to a small number of organizations, the company said.

"However, on January 11, 2024, Volexity began to detect evidence of widespread scanning by someone apparently familiar with the vulnerabilities," the blog post said. "Volexity observed various file paths, that are not publicly known, being requested via logs from its customer ICS VPN appliances."

While it was difficult to determine whether the activity originated from an attacker or a security researcher, multiple organizations reported suspicious ICS VPN logs to Volexity on the same day. In addition, investigations confirmed what Volexity and Mandiant discovered last week -- attackers deployed backdoor malware to maintain access even after patches are released.

Based on indicators of compromise, Volexity attributed the wide-scale activity to UTA0178 with "medium confidence." However, the vendor was clear that the widespread exploitation is ongoing and UTA0178 is not the only threat actor.

Log analysis revealed that other attackers have attempted to exploit vulnerable devices as well, including a different threat actor tracked as UTA0188. No public information was disclosed for the threat actor, but Volexity said it shared threat intelligence to its customers. In addition to monitoring its customers for exploitation, Volexity also developed a scanning tool to search for signs of compromised devices.

Volexity also warned that exploitation likely extends beyond the 1,700 devices it detected. Its scanning capabilities did not work for organizations that were taken offline or had deployed Ivanti's mitigations, which included several recommendations. After observing threat actors attempting to manipulate its internal Integrity Checker Tool, Ivanti added a new feature and advised customers to run the external ICT, for example.

"There was likely a period in which UTA0178 could have actioned these compromises before the mitigation was applied," the blog post said.

Ivanti confirmed that it observed a sharp increase in threat activity and security researcher scans related to the vulnerabilities since Wednesday.

"We are confident that the mitigation blocks access to vulnerable endpoints and that both the internal and external Integrity Checker Tool will identify mismatched files. The security of our customers is our top priority, and we strongly advise all customers to apply the mitigation immediately," Ivanti said in an email to TechTarget Editorial. "This is an evolving situation, and we have provided additional guidance to customers on steps they can take to ensure the threat actor is not able to gain persistence in their environment."

Arielle Waldman is a Boston-based reporter covering enterprise security news.