
Security alert: Ivanti Connect Secure VPN under attack

Increase in attacks on Ivanti VPN systems highlights critical issues in corporate cybersecurity

Two serious vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affected Ivanti VPNs, with attacks starting in December 2023. It is estimated that there are over 18,000 devices at risk globally. Ivanti has provided safety guidelines.

Serious vulnerabilities have affected Ivanti's VPN devices, with Volexity and Ivanti reporting ongoing attacks as early as January 10th. Ivanti Connect Secure VPN devices are at the center of an attack campaign that exploits two critical, unmitigated zero-day vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, to install malicious webshells and exfiltrate data.

Investigations underway into zero-day attacks

A number of malicious actors, including those affiliated with Chinese cyber activities, have been exploiting these vulnerabilities since December 2023. The investigation is supported by the work of Mandiant, which has published useful guidance for identifying the malware employed; that malware suggests a targeted effort towards electronic espionage. The hostile activity shows no sign of stopping: more than 1,700 endpoints have been affected, at companies of various industries and sizes, including some Fortune 500 entities.

Scale of the vulnerability and Ivanti's response

According to analysis provided by scanning services, it is estimated that there are over 18,000 active and vulnerable Ivanti Connect Secure VPN devices worldwide, of which approximately 5,500 are in Europe. In response to the critical issues that have emerged, Ivanti has already released guidelines for resolving the problems, supporting companies in managing the security emergency. The importance of collaboration with national CERTs also emerged.

Reminder for mitigation measures

Because emergency precautionary measures cannot contain the damage resulting from previous compromises, Volexity urges organizations to carry out an in-depth analysis of their systems in order to detect any signs of intrusion. The discovery of more than 1,700 compromised devices using new scanning techniques highlights the pressing need for remediation and for internal incident analysis to confirm or rule out a network security breach.


01/17/2024 09:38

Marco Verro
