Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Suspected Chinese Hackers Exploit 2 Ivanti Zero-Days

Cyber Agencies Urge Users to Apply Workaround in the Absence of Patches
Suspected Chinese Hackers Exploit 2 Ivanti Zero-Days
Suspected Chinese state hackers have been exploiting a pair of zero-days in Ivanti secure networking products since early December. (Image: Shutterstock)

Hackers possibly connected to the Chinese government since December have exploited two zero-days in a VPN from software developer Ivanti that is widely used by governments and corporations, and a patch won't be available until later this month.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The mobile endpoint security vendor provided mitigation steps while stating that a patch will not be available until the week of Jan. 22, when the company will stagger patches for supported versions. Mitigations and patches will not resolve past compromise, warned cybersecurity firm Volexity in a Wednesday post detailing the hacking.

The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday added the two zero-days to its known exploited vulnerabilities catalog and advised federal agencies to follow Ivanti's guidance. Australia's top cyber agency released a similar advisory.

Security appliances are a repeated target of hackers, given their trusted location on networks' edges and the difficulty of installing endpoint detection and response on many such systems (see: Fortinet VPN Flaw Shows Pitfalls of Security Appliances).

Ivanti said less than 10 customers have been affected by the vulnerabilities. "Obvious point - there will likely be more #ConnectAround victims," wrote cybersecurity expert Kevin Beaumont, using the moniker he has given the chained exploits. The zero-days affect the Ivanti Connect Secure VPN appliance, formerly known as Pulse Secure, and Ivanti Policy Secure Gateways.

The flaws, tracked as CVE-2023-46805 and CVE-2024-21887, "make it trivial for attackers to run commands on the system," Volexity wrote. The firm attributes the hacking activity to a threat actor dubbed UTA0178. Little is known about the actor, although Volexity wrote that it "has reason to believe that UTA0178 is a Chinese nation-state-level threat actor."

Security researchers have noted the mounting sophistication of Chinese hackers - a development widely attributed to a Beijing law requiring mandatory disclosure of vulnerability reports to the government. The Chinese government for decades now has underwritten digital intelligence gathering and economic espionage operations in campaigns affecting widely used software including Microsoft Outlook and Atlassian Confluence Data Center and Server products. Threat intelligence firm Mandiant in 2021 attributed an earlier compromise of Ivanti's Pulse Secure VPN to a likely Chinese state threat actor.

"Hacking is China's preferred mode of espionage," the Center for Strategic and International Studies wrote.

Volexity co-founder Sean Koessel told CNN that one victim of this latest campaign regularly draws the focus of state-backed hackers for its research on geopolitics, including Chinese issues. "It’s aligned with espionage that we've seen from Chinese [hackers] in the past," he told the network.

CVE-2023-46805 is an authorization vulnerability that allows hackers to "access restricted resources by bypassing control checks," while CVE-2024-21887 enables attackers to send commands to a device. Ivanti said hackers chained both the vulnerabilities to circumvent protections such as multifactor authentication.

A query by Beaumont of internet of things search engine Shodan revealed more than 15,000 exposed instances of the Connect Secure VPN on the internet. The most affected country was U.S., followed by Japan.

Volexity first observed suspicious lateral movement in a customer's network in mid-December 2023 and traced the activity back to the Ivanti VPN. One tipoff that hackers had infiltrated the appliance was "that its logs had been wiped and logging had been disabled." A review of network traffic found suspect communications dating to as early as Dec. 3.

The threat actor used web shells, proxy utilities and file modifications for credential harvesting, according to Volexity.

"Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on any new system that was breached, and use these credentials to log into additional systems via RDP."

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.