Researchers say attackers are mass-exploiting new Ivanti VPN flaw


Share post:

Hackers have begun mass exploiting a third vulnerability affecting Ivanti’s widely used enterprise VPN appliance, new public data shows.

Last week, Ivanti said it had discovered two new security flaws — tracked as CVE-2024-21888 and CVE-2024-21893 — affecting Connect Secure, its remote access VPN solution used by thousands of corporations and large organizations worldwide. According to its website, Ivanti has more than 40,000 customers, including universities, healthcare organizations, and banks, whose technology allows their employees to log in from outside the office.

The disclosure came not long after Ivanti confirmed two earlier bugs in Connect Secure, tracked as CVE-2023-46805 and CVE-2024-21887, which security researchers said China-backed hackers had been exploiting since December to break into customer networks and steal information.

Now, data shows that one of the newly discovered flaws — CVE-2024-21893, a server-side request forgery flaw — is being mass exploited.

Although Ivanti has since patched the vulnerabilities, security researchers expect more impact on organizations to come as more hacking groups are exploiting the flaw. Steven Adair, founder of cybersecurity company Volexity, a security company that has been tracking exploitation of the Ivanti vulnerabilities, warned that now proof-of-concept exploit code is public, “any unpatched devices accessible over the Internet have likely been compromised several times over.”

Piotr Kijewski, chief executive of Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for exploitation, told TechCrunch on Thursday that the organization has observed more than 630 unique IPs attempting to exploit the server-side flaw, which allows attackers to gain access to data on vulnerable devices.

That’s a sharp increase compared to last week when Shadowserver said it had observed 170 unique IPs attempting to exploit the vulnerability.

An analysis of the new server-side flaw shows the bug can be exploited to bypass Ivanti’s original mitigation for the initial exploit chain involving the first two vulnerabilities, effectively rendering those pre-patch mitigations moot.

Kijewski added that Shadowserver is currently observing around 20,800 Ivanti Connect Secure devices exposed to the internet, down from 22,500 last week, though he noted that it isn’t known how many of these Ivanti devices are vulnerable to exploitation.

It’s not clear who is behind the mass exploitation, but security researchers attributed the exploitation of the first two Connect Secure bugs to a China government-backed hacking group likely motivated by espionage.

Ivanti previously said it was aware of “targeted” exploitation of the server-side bug aimed at a “limited number of customers.” Despite repeated requests by TechCrunch this week, Ivanti would not comment on reports that the flaw is undergoing mass exploitation, but did not dispute Shadowserver’s findings.

Ivanti began releasing patches to customers for all of the vulnerabilities alongside a second set of mitigations earlier this month. However, Ivanti notes in its security advisory — last updated on February 2 — that it is “releasing patches for the highest number of installs first and then continuing in declining order.”

It’s not known when Ivanti will make the patches available to all of its potentially vulnerable customers.

Reports of another Ivanti flaw being mass-exploited come days after U.S. cybersecurity agency CISA ordered federal agencies to urgently disconnect all Ivanti VPN appliances. The agency’s warning saw CISA give agencies just two days to disconnect appliances, citing the “serious threat” posed by the vulnerabilities under active attack.

Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Waymo can now charge for robotaxi rides in LA and on San Francisco freeways

Waymo received approval Friday afternoon from the California Public Utilities Commission to operate a commercial robotaxi service...

Rabbit’s Jesse Lyu on the nature of startups: ‘Grow faster, or die faster,’ just don’t give up

Rabbit co-founder and CEO Jesse Lyu isn’t afraid of death… the death of the company, at least....

Stay up-to-date on the amount of venture dollars going to underrepresented founders

Venture capital funding has never been robust for women or Black and brown founders. Alongside Crunchbase, we’ve...

MWC 2024: Everything announced so far, including Swayy’s app to tell friends where you’ll be next

The TechCrunch team is in Barcelona this week to bring you all the action going on at...

Is there anything AI can’t do?

Welcome to Startups Weekly — your weekly recap of everything you can’t miss from the world of...

Ultraleap is bringing haptic touch to cars and VR headsets

In May 2019, Ultrahaptics and Leap Motion became Ultraleap (not to be confused with Magic Leap, which...

Rants, AI and other notes from Upfront Summit

The venture capital stars were shining in Los Angeles this week at the Upfront Summit, an invite-only...

Threads says it will make its API broadly available by June

Meta-owned social network Threads said today that it will make its API broadly available to developers by...