Ivanti spots ‘sharp increase’ in targeting of VPN as analysts find 1,700 devices exploited

Ivanti said it is seeing a spike in hackers targeting two recently disclosed vulnerabilities in its Connect Secure VPN product, as cybersecurity researchers also sized up the extent of the damage.

Since issuing an advisory last week, “we have seen a sharp increase in threat actor activity and security researcher scans” concerning the bugs, an Ivanti spokesperson said in comments to The Record.

Overall, more than 1,700 devices have been exploited worldwide since the IT giant notified the public about the issue, researchers at Volexity said on Monday. Volexity discovered and reported the issues, tracked as CVE-2023-46805 and CVE-2024-21887, to Ivanti in early December.

The Ivanti spokesperson said that a mitigation issued January 10 and other tools should help administrators looking to stop exploitation of the vulnerabilities. Ivanti is still in the process of developing an official patch for the issue.

“The security of our customers is our top priority, and we strongly advise all customers to apply the mitigation immediately,” the spokesperson said. “This is an evolving situation, and we have provided additional guidance to customers on steps they can take to ensure the threat actor is not able to gain persistence in their environment.”

Company officials “regularly work with the appropriate government agencies on coordinated disclosure” of vulnerabilities, the spokesperson said. The leading cybersecurity agencies in both the U.S. and U.K. have released advisories and ordered government departments to patch the bugs as soon as possible.

Concerns about CVE-2023-46805 and CVE-2024-21887 have grown since they were disclosed by the IT company. At that point, Ivanti said at least 10 of its customers were impacted.

Volexity and another cybersecurity company, Google’s Mandiant, previously tied the exploitation of the vulnerabilities to hackers allegedly based in China, but Volexity said attacks have expanded to multiple threat actors around the world.

“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals, including the following: global government and military departments, national telecommunications companies, defense contractors, technology, banking, finance, and accounting, worldwide consulting, aerospace, aviation, and engineering,” Volexity researchers said.

The unmitigated

Volexity said it began to see widespread scanning on January 11 and by Sunday, had found over 1,700 ICS VPN appliances that were compromised.

They added that the appliances “appear to have been indiscriminately targeted, with victims all over the world.”

The company said it has contacted national cybersecurity agencies in several countries so that local victims can be notified and urged them to reach out if they need assistance.

They warned that their methodology of finding victims would not have worked with organizations that have already deployed the mitigations issued by Ivanti or have taken their devices offline.

“As a result, Volexity suspects there may likely be a higher number of compromised organizations than identified through scanning (which totaled more than 1,700),” they said, warning that the China-based group behind the initial exploitation, which they tag as UTA0178, may have taken further actions.

“There was likely a period in which UTA0178 could have auctioned these compromises before the mitigation was applied. Furthermore, Volexity has identified that additional attackers beyond UTA0178 appear to have access to the exploit.”

Researchers at Shadowserver shared scans showing 6,809 Ivanti instances vulnerable to CVE-2023-46805. The U.S. led the way with more than 1,500 vulnerable devices while China, France and Germany also had hundreds of exposed instances.

For CVE-2024-21887, other researchers found nearly 9,000 vulnerable devices around the world.

Microsoft principal security researcher Christopher Glyer said that for those who did not apply the mitigation released by Ivanti on January 10, there is a “reasonable chance you were exploited.”

Patches will be released on a staggered schedule based on the version of the tool a customer has, with the first coming out in the week of January 22, Ivanti said. The last version will come out the week of February 19.