Ivanti customers urged to patch vulnerabilities allegedly exploited by Chinese state hackers

The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday urged customers of IT company Ivanti to patch two vulnerabilities that are being actively exploited.

CISA’s notice follows a warning from Ivanti that at least 10 of its customers were impacted by the vulnerabilities.

The issues relate to Ivanti Connect Secure — a widely-used VPN tool.

One of the bugs, tracked as CVE-2023-46805, carries a severity score of 8.2. It allows a hacker to "access restricted resources by bypassing control checks." The other vulnerability, CVE-2024-21887, would help an attacker send commands to a device and has a severity score of 9.1.

Ivanti warned that the hackers are using the vulnerabilities together but said the situation “is still evolving.”

The company thanked cybersecurity firms Volexity and Mandiant for their work in “identifying and reporting the issue in Ivanti Policy Secure and Ivanti Connect Secure.”

Volexity published its own report on the issue, writing that they detected suspicious lateral movement on the network of one of their customers during the second week of December.

An investigation led them back to the organization's internet-facing Ivanti Connect Secure VPN appliance and they found that suspicious activity started on December 3.

They worked with Ivanti and found that the hackers used the two vulnerabilities together, giving them the ability to conduct reconnaissance, steal data, change files, and more.

“Volexity currently attributes this activity to an unknown threat actor it tracks under the alias UTA0178. Volexity has reason to believe that UTA0178 is a Chinese nation-state-level threat actor,” they said.

This would not be the first time Chinese state actors have targeted Ivanti’s Connect Secure products. In April 2021, CISA warned that hackers breached the systems of a number of U.S. government agencies, critical infrastructure entities and other private sector organizations. Cybersecurity firm Mandiant attributed the activity to hackers operating on behalf of the Chinese government.

Customers can install a mitigation but Ivanti is still in the process of developing a patch for the issue. They said it “is critical that you immediately take action to ensure you are fully protected.”

Volexity said that in addition to applying the mitigations, customers should monitor their network traffic for suspicious activity and analyze the logs on their Connect Secure device.

The company said it has also seen evidence of hackers in this campaign exploiting their internal integrity checker (ICT) — a snapshot of the current state of the appliance. They noted that the ICT “cannot necessarily detect threat actor activity if they have returned the appliance to a clean state.”

Ivanti said any customers experiencing impacts that are not described in the advisory should contact them so they can provide wider updates to the community. Anyone who finds evidence of compromise should hire a cybersecurity company for help because “Ivanti is not a forensic provider and cannot perform this,” they said.

Indicators of compromise will be shared with customers who have confirmed they have been affected by the campaign.

Patches will be released on a staggered schedule based on the version of the tool a customer has, with the first coming out in the week of January 22. The last version will come out the week of February 19.

“We are releasing patches based upon telemetry information available to us from current installed solutions that notify us of the version number they are running. We are releasing patches for the highest number of installs first and then continuing in declining order,” they explained.

“Our customers’ security is our top priority, and we are releasing patches as quickly as we can while ensuring the quality and security of each release.”

Ivanti added that from its analysis, it found no indication that this vulnerability was introduced into the code development process maliciously. The company has also not found evidence that itwas hacked.

Cybersecurity expert Kevin Beaumont said on the social media site Mastodon that the tool is “widely used in enterprise space and government, so I would suggest it's one to get skates on and may need a bunch of compromise assessments at larger orgs.”

He shared images of searches showing more than 15,000 exposed instances of Connect Secure exposed to the internet. Mike Walters, president and co-founder of Action1, confirmed to Recorded Future News that searches on Shodan show over 15,000 exposed devices online.

In July, the government of Norway revealed that 12 government agencies in the country had been hacked through several zero-days affecting Ivanti’s Endpoint Manager Mobile (EPMM) tool.

CISA and Norway’s government published an advisory about the vulnerabilities, noting that nation-state hackers had been exploiting them since April. Several other issues were discovered in the months after that incident.

BleepingComputer reported last week on another vulnerability affecting the company’s products.