China-Backed Hackers Exploit Ivanti VPN Zero-Day Vulnerabilities

Some reports suggest that more than 15,000 appliances have been compromised.

Reading time icon 3 min. read


Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

China-Backed Hackers Exploit Ivanti VPN Zero-Day Vulnerabilities

Hackers supported by the Chinese government are currently exploiting two vulnerabilities in Ivanti VPN.

The prominent US IT software company has stated that fixes won’t be available until the end of the month.

Two zero-day vulnerabilities found in Ivanti VPN

Ivanti shared information about the ongoing attack on Wednesday, a month after threat intelligence and incident suppression services firm, Volexity, discovered it.

According to the company, the vulnerabilities tracked as CVE-2023-46805 and CVE-2024-21887, are severe. They allow attackers to execute commands on Ivanti’s Connect Secure VPN appliance, also called Pulse Secure.

They can then further extract configuration data, manipulate existing files, download remote files, and create a reverse tunnel from the ICS VPN appliance.

Ivanti claimed that less than 10 customers have been impacted. However, security researchers have said that there are thousands of active Secure Connect appliances on the internet and that the number of victims will grow.

Cybersecurity expert Kevin Beaumont shared scan results suggesting that more than 15,000 Ivanti appliances have been compromised.

The investigators at Volexity linked the attack to a China-backed hacking group tracked as UTA0178, due to internet domains used during the infiltration.

Volexity first became aware of the issue after one of its customers was impacted. The company detected suspicious activity on their network earlier in December and said the issue may have been present since December 3.

The investigators initially discovered that the VPN’s traffic logs had been deleted and logging disabled. Further evidence showed that hackers have combined two zero-day vulnerabilities to compromise the VPN appliance.

They found out that in the attacks on the VPN, hackers had keylogged and stolen user credentials. This is highly concerning as many employees use Ivanti VPN for remotely logging into internal networks.

Suggested mitigation method

After revealing details of the threat, Ivanti has also suggested a way to bypass it. It released an XML file customers can download and use to degrade some of the VPN’s crucial features, to limit the amount of damage the attacker can do.

It recommends using this mitigation technique until an official patch starts rolling out in the week of January 22.

The US cybersecurity agency CISA also urged users and administrators to start employing the workaround immediately.

This fix, however, doesn’t resolve past or ongoing compromises and only prevents hackers from affecting more users.

The company also advised customers to use its Integrity Checker tool to discover whether their VPN appliance has already been compromised.

Previous incidents

Ivanti is no stranger to zero-day vulnerabilities. It already experienced three previous incidents in 2023. Like the ongoing one, these attacks have been linked to China-backed hackers.

In one of the attacks, the threat actors had compromised multiple Norwegian government agencies through Ivanti Endpoint Manager Mobile. The same software was used by government departments in the US and UK.

CISA and the Norwegian National Cyber Security Centre (NCSC-NO) have said that hackers have been abusing this flaw for months.

The latest incident came in August when Ivanti’s mobile gateway, Sentry, was targeted. The vulnerability had a severity rating of 9.8 out of 10.

User forum

0 messages