Critical Security Alert: Over 40,000 Customers at Risk as State-Sponsored Hackers Exploit Ivanti VPN Zero-Days

  • Last updated February 13, 2024
  • written by Editor

In a significant cybersecurity development, state-sponsored hackers have exploited two zero-day vulnerabilities in Ivanti’s Connect Secure VPN, impacting over 40,000 customers worldwide. These severe vulnerabilities allow unauthenticated attackers to execute commands on the VPN appliance, posing a critical threat to corporate networks.

Ivanti, a prominent IT software solutions provider, issued an alert on Wednesday following a discovery by security firm Volexity. Approximately a month ago, Volexity detected suspicious activity in which state-sponsored hackers infiltrated a client’s network through the Connect Secure VPN appliance, also known as Pulse Secure.

The initial findings showed that the VPN’s traffic logs were wiped and logging was disabled, a tactic often used by attackers to cover their tracks. However, Volexity’s thorough investigation revealed that the attackers had exploited a pair of previously unknown vulnerabilities to gain control over the VPN appliance.

According to Volexity, “When combined, these two vulnerabilities make it trivial for attackers to run commands on the system.” The exploitation of these vulnerabilities enabled the attackers to steal configuration data, modify files, download remote content, and establish a reverse tunnel from the Ivanti VPN appliance, escalating the threat significantly.

This breach is particularly concerning as corporate VPNs are crucial for enabling remote access to internal networks, a practice that has become increasingly common. Furthermore, the attackers were found to be keylogging and exfiltrating credentials of users logging into the VPN, allowing them to move laterally within the network and gain comprehensive access to sensitive systems and data.

Volexity’s investigation suggests that the state-sponsored hackers likely originated from China, based on the internet domains used during their infiltration activities. This attribution, while tentative, points to the geopolitical complexities surrounding cyber espionage and the targeting of critical IT infrastructure by nation-state actors.

The exploitation of these vulnerabilities underscores the paramount importance of robust cybersecurity measures and the constant vigilance required to defend against sophisticated threats. Organizations using Ivanti’s Connect Secure VPN are urged to immediately apply the patches released by Ivanti and to review their security protocols to prevent further intrusions.

For those seeking secure VPN solutions and best practices in cybersecurity, resources such as Free VPN for Hackers provide valuable insights, especially in light of the evolving threat landscape.

This incident serves as a stark reminder of the ongoing cyber warfare and the necessity for continuous improvement of cybersecurity defenses to protect against the sophisticated tactics employed by state-sponsored hackers.
