Hackers Exploit Ivanti VPN Vulnerability, Revealing Latest Threats

Security researchers have uncovered ongoing cyber attacks exploiting a recent vulnerability discovered in Ivanti's enterprise VPN solution.

Ivanti's enterprise VPN solution faces another instance of active exploitation due to a recent vulnerability, marking the third flaw discovered in Ivanti's Connect Secure VPN. One of the newly identified vulnerabilities, CVE-2024-21893, is currently being widely exploited.


Facing Another Active Exploitation

Security researchers have reported that cyber attackers are exploiting a recent vulnerability in Ivanti's popular enterprise VPN appliance. This marks the third vulnerability discovered in Ivanti's remote access VPN solution, Connect Secure.

TechCrunch reported that the disclosure of these vulnerabilities follows Ivanti's acknowledgment of two previous bugs in Connect Secure, CVE-2023-4680 and CVE-2024-21887.

Security analysts revealed that these earlier vulnerabilities were exploited by threat actors linked to China since December, enabling unauthorized access to customer networks and data exfiltration.

Recent data indicates that one of the newly identified flaws, CVE-2024-21893, categorized as a server-side request forgery flaw, is currently undergoing widespread exploitation by malicious actors.

The new server-side flaw can be used to bypass the mitigation Ivanti issued for the original exploit chain involving the first two vulnerabilities, effectively nullifying the pre-patch mitigations Ivanti had put in place.

Shadowserver, a nonprofit that monitors internet-wide exploitation, is currently tracking approximately 20,800 Ivanti Connect Secure devices exposed to the internet, down from 22,500 observed last week.

However, Bleeping Computer reported that it remains uncertain how many of these Ivanti devices are susceptible to exploitation. The perpetrators behind the widespread exploitation remain unidentified.

Nonetheless, security experts have linked the exploitation of the first two Connect Secure vulnerabilities to a government-backed hacking group from China, suggesting a motive centered around espionage.

Following Previous Security Flaws

Last week, Ivanti disclosed the discovery of two new security flaws, identified as CVE-2024-21888 and CVE-2024-21893, affecting Connect Secure.

This VPN solution is utilized by numerous corporations and large organizations globally, boasting over 40,000 customers, including universities, healthcare institutions, and financial entities, enabling their employees to securely access their networks remotely.

Despite Ivanti's efforts to patch the vulnerabilities, The Register reported that cybersecurity experts anticipate continued impacts on organizations as more hacking groups exploit the flaw.

Steven Adair, founder of cybersecurity firm Volexity, which tracks the exploitation of Ivanti vulnerabilities, cautioned that with proof-of-concept exploit code publicly available, any unpatched devices accessible over the Internet have likely been compromised several times.

Piotr Kijewski, CEO of the Shadowserver Foundation, disclosed that the organization has observed over 630 unique IPs attempting to exploit the server-side flaw, which enables attackers to access data on vulnerable devices.

This figure represents a significant surge from last week when Shadowserver reported observing only 170 unique IPs attempting to exploit the vulnerability.

Ivanti acknowledged targeted exploitation of the server-side bug aimed at a limited number of customers. Despite inquiries, Ivanti did not comment on reports of mass exploitation but did not dispute Shadowserver's findings.

Ivanti has begun releasing patches and mitigations for all of the vulnerabilities, prioritizing based on installation numbers. The timeline for patch availability to all potentially vulnerable customers remains unclear.

This news follows CISA's urgent directive for federal agencies to disconnect all Ivanti VPN appliances within two days due to the serious threat posed by actively exploited vulnerabilities.

Written by Inno Flores
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.