Mandiant: Attacks Exploiting Ivanti VPN Flaws Began In December

Researchers at the Google Cloud-owned cybersecurity specialist confirmed findings from Volexity researchers about exploitation of the Connect Secure VPN vulnerabilities.

Mandiant researchers reported that exploitation of two high-severity Ivanti VPN vulnerabilities began in December, confirming earlier findings on the timing of the attacks by researchers at Volexity.

Disclosed by Ivanti on Wednesday, the vulnerabilities impact the vendor’s widely used Connect Secure VPN devices.


In a post Thursday evening, researchers at Google Cloud-owned Mandiant — which has been working with Ivanti to investigate the attacks — disclosed findings that an espionage-focused threat actor, tracked as UNC5221, is believed to be responsible.

Mandiant researchers have “identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor,” they wrote.

Notably, the threat group has “leveraged multiple custom malware families” in its campaign, the researchers wrote in the post.

The vulnerabilities can be used to enable unauthenticated remote execution of code on affected Connect Secure VPN devices, according to researchers at Volexity, which uncovered the flaws in December.

Researchers at Volexity attributed the attacks to a nation-state threat actor it tracks as UTA0178, which is believed to be working on behalf of China’s government.

Ivanti, a provider of IT and security software, acquired the technology behind its Connect Secure VPN with the acquisition of Pulse Secure in 2020.

Patch Release Schedule

In a post Wednesday, Ivanti shared mitigation measures for the vulnerabilities, but said the first patches won’t be available until the week of Jan. 22. Patches will be released on a staggered schedule running through mid-February, the company said.

The vulnerabilities can be used together by threat actors to target customers of its Connect Secure VPN, Ivanti said. When used in this way, “exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” the company said.

So far, “we are aware of less than 20 customers impacted by the vulnerabilities,” up from 10 initially, Ivanti said in an update to the post.

CRN has reached out to Ivanti for any further updates.

The authentication bypass vulnerability (tracked as CVE-2023-46805) has been assigned a severity score of 8.2 out of 10.0, while the command injection vulnerability (CVE-2024-21887) has been assigned a severity score of 9.1 out of 10.0.

The vulnerabilities “impact all supported versions” of Connect Secure, Ivanti said. The flaws also impact Ivanti’s Policy Secure gateway, the company said.