Threat intelligence and incident response company Volexity has begun to see widespread exploitation of newly discovered vulnerabilities in the Ivanti Connect Secure VPN appliance. On January 10, Volexity warned that attackers from a group it tracks as UTA0178, believed to be linked to China, were using two zero-day vulnerabilities in the Ivanti VPN to gain access to internal networks and steal information.
The two vulnerabilities are an authentication bypass tracked as CVE-2023-46805 and a command injection issue tracked as CVE-2024-21887. Chained together, they allow unauthenticated remote attackers to execute arbitrary commands on the target device.
What began as targeted attacks now appears to have become widespread exploitation: Volexity scanned approximately 50,000 IP addresses associated with Ivanti VPN devices and found that more than 1,700 of the devices were compromised.
The compromised devices belong to organizations in the government, military, telecommunications, defense, technology, banking, finance, accounting, consulting, aerospace, aviation and engineering sectors. Among them are small and medium enterprises and Fortune 500 companies.
Victims have been seen around the world, but the highest percentage appears to be in the United States, followed by Europe.
Volexity noted that the actual number of compromised systems is likely higher than what was found during the scan.
“Volexity believes with medium confidence that this massive exploit was executed by UTA0178. This estimate is based on the use of the same web shell as the previous exploit and the speed with which it was executed after the details of the exploit were made public,” the cybersecurity company said.
While UTA0178 appears to be behind many of the attacks, other threat actors are also attempting to exploit the vulnerabilities in the Ivanti product, including one tracked by Volexity as UTA0188.
Some of the exploitation attempts are likely the work of the cybersecurity community. Researcher Kevin Beaumont, who named the Ivanti vulnerabilities ConnectAround, has also been running scans.
Ivanti announced a fix for the issue on January 10, but the fix won’t be available until January 22. Mandiant has also analyzed attacks exploiting CVE-2023-46805 and CVE-2024-21887, which it attributes to a cyber espionage group it tracks as UNC5221.
Mandiant identified five malware families deployed by the attackers, named ThinSpool, LightWire, WireFire, WarpWire and ZipLine, which include web shells, droppers, backdoors and information stealers. Mandiant also saw signs that the attackers took steps to maintain access to high-value systems even after Ivanti’s patches were released.