New public data reveals that hackers have begun mass-exploiting a third vulnerability affecting Ivanti's widely used enterprise VPN appliances.
Ivanti last week announced two new security flaws (CVE-2024-21888 and CVE- (tracked as 2024-21893). Ivanti has more than 40,000 of his customers, including universities, medical institutions and banks, and its technology allows employees to log in from outside the office, according to the company's website.
This disclosure comes shortly after Ivanti identified two previous bugs in Connect Secure, tracked as CVE-2023-46805 and CVE-2024-21887. Security researchers say the bug has been exploited by Chinese-backed hackers since December to infiltrate customer networks and steal information. .
Data now shows that one of the newly discovered flaws, the server-side request forgery flaw CVE-2024-21893, is being actively exploited.
Ivanti has since patched the vulnerability, but security researchers expect the impact on organizations to be even greater as more hacking groups exploit the flaw. Stephen Adair, founder of cybersecurity firm Volexity, which tracks exploits of Ivanti vulnerabilities, said proof-of-concept exploit code is now publicly available and “unpatched and accessible over the internet. The device has likely been compromised multiple times.” ”
Piotr Kijewski, chief executive officer of the Shadowserver Foundation, a nonprofit organization that scans and monitors Internet abuse, told TechCrunch on Thursday that the organization has received more than 630 unique reports attempting to exploit server-side flaws. He said he is observing the IPs and giving them access to the attackers. Access data on vulnerable devices.
This is a sharp increase compared to last week, Shadowserver said. 170 unique IPs observed Attempting to exploit a vulnerability.
Analysis of the new server-side flaw shows that this bug can be exploited to bypass Ivanti's original mitigations for the initial exploit chain involving the first two vulnerabilities, effectively disabling pre-patch mitigations. It has been shown that
Kijewski added that Shadowserver currently monitors approximately 20,800 Ivanti Connect Secure devices exposed to the internet, down from 22,500 last week, but that He said it is unclear how many machines are vulnerable to exploitation.
Although it is not clear who is behind the large-scale exploit, security researchers believe that the exploitation of Connect Secure's first two bugs was the work of a Chinese government-backed hacking group, likely motivated by espionage. That's what I think.
Ivanti previously said it was aware of a “targeted” exploitation of a server-side bug aimed at a “limited number of customers.” Despite repeated requests from TechCrunch this week, Ivanti did not comment on reports that the flaw was being exploited in large quantities, but it did not dispute Shadowserver's findings.
Ivanti began releasing patches for all vulnerabilities to customers earlier this month, along with a second mitigation. However, Ivanti says in a security advisory (last updated February 2) that it “releases patches with the highest number of installs first, and then releases patches in order of decreasing number of installs.”
It's unclear when Ivanti will provide patches to all potentially vulnerable customers.
Days after U.S. cybersecurity agency CISA ordered federal agencies to urgently disconnect all Ivanti VPN appliances, reports of mass exploitation of another Ivanti flaw were released. CISA has given just two days to disconnect home appliances due to the agency's warning, citing the “serious threat” posed by a vulnerability that is under active attack.