More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll

Both China-backed APTs and ordinary cyberattackers have seized on a pair of Ivanti VPN bugs for global exploitation.

a snowball in snow
Source: imageBROKER via Alamy Stock Photo

Ivanti has finally begun patching a pair of zero-day security vulnerabilities disclosed on Jan. 10 in its Connect Secure VPN appliances. However, it also announced two additional bugs today in the platform, CVE-2024-21888 and CVE-2024-21893 — the latter of which is also under active exploitation in the wild.

Ivanti has released its first round of patches for the original set of zero-days (CVE-2024-21887 and CVE-2023-46805) but only for some versions; additional fixes will roll out on a staggered schedule in the coming weeks, the company said in its updated advisory today. In the meantime, Ivanti has provided a mitigation that unpatched organizations should apply immediately to avoid falling victim to mass exploitation by Chinese state-sponsored actors and financially motivated cybercriminals alike.

Multiple Custom Malwares Anchor Data Theft Attacks

That exploitation continues unabated. According to Mandiant, a China-backed advanced persistent threat (APT) it calls UNC5221 has been behind reams of exploitations going back to early December. But activity in general has ramped up considerably since CVE-2024-21888 and CVE-2024-21893 were made public earlier in January.

"In addition to UNC5221, we acknowledge the possibility that one or more related groups may be associated with the activity," Mandiant researchers said in an Ivanti cyberattack analysis released today. "It is likely that additional groups beyond UNC5221 have adopted one or more of [the] tools [associated with the compromises]."

To that point, Mandiant issued additional information on the types of malware that UNC5221 and other actors are using in the attacks on Ivanti Connect Secure VPNs. So far, implants they observed in the wild include:

  • A variant of the LightWire Web shell that inserts itself into a legitimate component of the VPN gateway, now featuring a different obfuscation routine.

  • Two UNC5221 custom Web shells, called "ChainLine" and "FrameSting," which are backdoors embedded in Ivanti Connect Secure Python packages that enable arbitrary command execution.

  • ZipLine, a passive backdoor used by UNC5221 that uses a custom, encrypted protocol to establish communications with command-and-control (C2). Its functions include file upload and download, reverse shell, proxy server, and a tunneling server.

  • New variants of the WarpWire credential-theft malware, which steals plaintext passwords and usernames for exfiltration to a hard-coded C2 server. Mandiant does not attribute all of the variants to UNC5221.

  • And multiple open source tools to support post-exploitation activities like internal network reconnaissance, lateral movement, and data exfiltration within a limited number of victim environments.

"Nation-state actors UNC5221 have successfully targeted and exploited vulnerabilities in Ivanti to steal configuration data, modify existing files, download remote files, and reverse tunnel within networks," says Ken Dunham, cyber-threat director at Qualys Threat Research Unit, who warns Ivanti users to be on the lookout for supply chain attacks on their customers, partners, and suppliers. "Ivanti is likely targeted due [to] the functionality and architecture it provides actors, if compromised, as a networking and VPN solution, into networks and downstream targets of interest."

In addition to these tools, Mandiant researchers flagged activity that uses a bypass for Ivanti's initial stopgap mitigation technique, detailed in the original advisory; in these attacks, unknown cyberattackers are deploying a custom cyber-espionage Web shell called "Bushwalk," which can read or write to files to a server.

"The activity is highly targeted, limited, and is distinct from the post-advisory mass exploitation activity," according to the researchers, who also provided extensive indicators of compromise (IoCs) for defenders, and YARA rules.

Ivanti and CISA released updated mitigation guidance yesterday that organizations should apply.

Two Fresh High-Severity Zero-Day Bugs

In addition to rolling out patches for the three-week-old bugs, Ivanti also added fixes for two new CVEs to the same advisory. They are:

  • CVE-2024-21888 (CVSS score: 8.8): A privilege escalation vulnerability in the Web component of Ivanti Connect Secure and Ivanti Policy Secure, allowing cyberattackers to gain administrator privileges.

  • CVE-2024-21893 (CVSS score: 8.2): A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, allowing cyberattackers to access "certain restricted resources without authentication."

Only exploits for the latter have circulated in the wild, and the activity "appears to be targeted," according to Ivanti's advisory, but it added that organizations should "expect a sharp increase in exploitation once this information is public — similar to what we observed on 11 January following the 10 January disclosure."

Qualys TRU's Dunham says to expect attacks from more than just APTs: "Multiple actors are taking advantage of vulnerability exploitation opportunities prior to organizations patching and hardening against attack Ivanti is weaponized by nation-state actors and now likely others — it should have your attention and priority to patch, if you're using vulnerable versions in production."

Researchers also warn that the result of a compromise can be dangerous for organizations.

"These [new] Ivanti high-security flaws are serious [and particularly valuable for attackers], and should be patched immediately," says Patrick Tiquet, vice president of security and architecture at Keeper Security. "These vulnerabilities, if exploited, can grant unauthorized access to sensitive systems and compromise an entire network."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights