Security alert: Ivanti Connect Secure VPN under attack
Increase in attacks on Ivanti VPN systems highlights critical issues in corporate cybersecurity
Two serious vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affect Ivanti VPNs, with attacks observed since December 2023. An estimated total of over 18,000 devices are at risk globally. Ivanti has published security guidance.
Serious vulnerabilities affect Ivanti's VPN appliances, with Volexity and Ivanti reporting ongoing attacks as early as January 10th. Ivanti Connect Secure VPN devices are at the center of an attack campaign that exploits two critical, unmitigated zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, to install malicious webshells and exfiltrate data.
Investigations underway into zero-day attacks
A range of malicious actors, including some linked to Chinese cyber operations, have been exploiting these vulnerabilities since December 2023. The investigation is supported by the work of Mandiant, whose published guidance for identifying the malware employed points to a targeted cyber-espionage effort. The wave of hostile activity shows no sign of stopping: more than 1,700 endpoints have been affected, at companies of various industries and sizes, including some Fortune 500 entities.
Scale of the vulnerability and Ivanti's response
According to analysis provided by scanning services, an estimated total of over 18,000 active and vulnerable Ivanti Connect Secure VPN devices exist worldwide, of which approximately 5,500 are in Europe. Ivanti, in response to the critical issues that have emerged, has already released mitigation guidance, supporting companies in managing the security emergency. The importance of collaboration with national CERTs has also emerged.
Reminder on mitigation measures
Since emergency mitigations cannot contain the damage from compromises that have already occurred, Volexity urges organizations to conduct an in-depth analysis of their systems to detect any signs of intrusion. The discovery of more than 1,700 compromised devices through new scanning techniques highlights the pressing need for remediation and internal incident analysis to confirm or rule out a network security breach.
01/17/2024 09:38
Marco Verro