NSA says it’s tracking Ivanti cyberattacks as hackers hit US defense sector

The U.S. National Security Agency has confirmed that hackers exploiting flaws in Ivanti’s widely used enterprise VPN appliance have targeted organizations across the U.S. defense sector.

NSA spokesperson Edward Bennett confirmed in an emailed statement to TechCrunch on Friday that the U.S. intelligence agency, along with its interagency counterparts, is “tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include of the [sic] U.S defense sector.”

“The [NSA’s] Cybersecurity Collaboration Center continues to work with our partners to detect and mitigate this activity,” the spokesperson added.

Confirmation that the NSA is tracking these cyberattacks comes days after Mandiant reported that suspected Chinese espionage hackers have made “mass attempts” to exploit multiple vulnerabilities impacting Ivanti Connect Secure, the popular remote access VPN software used by thousands of corporations and large organizations worldwide.

Mandiant said earlier this week that the suspected China-backed threat group it tracks as UNC5325 had targeted organizations across a variety of industries, including the U.S. defense industrial base, the worldwide network of thousands of private-sector organizations that supply equipment and services to the U.S. military. Mandiant cited earlier findings from security firm Volexity on the defense-sector targeting.

In its analysis, Mandiant said UNC5325 demonstrates “significant knowledge” of the Ivanti Connect Secure appliance and has employed living-off-the-land techniques, meaning the abuse of legitimate tools and features already present on the targeted system, to better evade detection. The group has also deployed novel malware “in an attempt to remain embedded in Ivanti devices, even after factory resets, system upgrades, and patches.”

This was echoed in an advisory released by U.S. cybersecurity agency CISA on Thursday, which warned that hackers exploiting vulnerable Ivanti VPN appliances may be able to maintain root-level persistence even after a factory reset. The federal cybersecurity agency said its own independent tests showed that a successful attacker is capable of deceiving Ivanti’s Integrity Checker Tool, which can result in a “failure to detect compromise.” Because the Integrity Checker Tool is the vendor’s recommended way of verifying that an appliance has not been tampered with, a bypass means a clean scan result cannot by itself be taken as evidence that a device is clean.

Ivanti field chief information security officer Mike Riemer downplayed CISA’s findings, telling TechCrunch that Ivanti does not believe CISA’s tests would work against a live customer environment. Riemer added that Ivanti “is not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”

It remains unknown exactly how many Ivanti customers are affected by the widespread exploitation of the Connect Secure vulnerabilities, which began in January.

Akamai said in an analysis published last week that hackers are launching approximately 250,000 exploitation attempts each day and have targeted more than 1,000 customers.

Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.