Mandiant spots advanced exploit activity in Ivanti devices
Home/CyberSecurity / Mandiant spots advanced exploit activity in Ivanti devices
Mandiant spots advanced exploit activity in Ivanti devices

Dive Brief:

  • Ivanti Connect Secure devices were exploited and compromised by more threat groups than previously thought, Mandiant said in research released Thursday.
  • Post-exploitation activity observed by Mandiant includes lateral movement with the aid of open-source tools and multiple custom malware families. 
  • Mandiant said it observed “eight distinct clusters involved in the exploitation of one or more of” Ivanti’s vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, which the vendor first disclosed Jan. 10. This includes five China-linked espionage groups and three financially motivated attackers.

Dive Insight:

Mandiant, which is working with Ivanti and some of its customers on incident response and recovery, released its latest research on Ivanti-linked attacks the day after Ivanti CEO Jeff Abbott publicly pledged to overhaul the company’s internal security practices.

“We are actively collaborating with Mandiant and welcome findings that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat,” an Ivanti spokesperson said via email.

The Ivanti vulnerabilities attracted more threat groups than previously reported, aiming to conduct espionage or steal financial assets, Mandiant research illustrates. The findings were based on observations Mandiant since late February, but the activities occurred mid January through February.

Suspected China-linked attackers have advanced their command of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives, Mandiant said in the blog post.

Mandiant attributed a cluster of attempted exploits in February to a group it identifies as UNC5291, also known as Volt Typhoon. “Mandiant has not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure,” researchers said in the blog.

The China-linked threat group, which targeted a critical vulnerability in Citrix products in December, has intruded organizations in multiple critical infrastructure sectors in preparation for disruptive attacks.

Another China-linked espionage group Mandiant identifies as UNC5221 remains the only group known to have exploited a pair of Ivanti vulnerabilities starting in early December, before the CVEs were disclosed a month later. Three other China-affiliated espionage groups or clusters have exploited Ivanti VPNs or conducted post-exploitation activities, according to Mandiant.

Researchers at Mandiant said they’ve also observed indications that financially motivated threat groups have begun to exploit a pair of the initial Ivanti zero-day vulnerabilities. The trio of financially motivated attackers are likely seeking to enable cryptocurrency mining related operations, Mandiant said.

Mandiant advised Ivanti customers to run the internal and external integrity checker tool Ivanti released alongside a new patch for all of the vulnerabilities April 3, including four new CVEs Ivanti disclosed Wednesday in a blog post.



Source link