Zero-day vulnerabilities in Ivanti Connect Secure, a widely used VPN product, have resulted in mass exploitation, affecting more than 1,700 devices globally. The primary threat actor behind these compromises is believed to be a Chinese group known as UTA0178, with other threat actors also actively targeting organizations. Ivanti has issued an advisory and recommended immediate application of mitigation measures. However, patches will not be released until the week of January 22.

Widespread Exploitation of Ivanti Vulnerabilities

Threat intelligence and incident response firm Volexity has observed widespread exploitation of the zero-day vulnerabilities in Ivanti Connect Secure VPN. The attacks have targeted a broad spectrum of organizations worldwide, including the government, military, telecoms, defense, technology, banking, finance, accounting, consulting, aerospace, aviation, and engineering sectors. The threat actors behind the attacks are likely linked to China, and other groups, including UTA0188, have also attempted to exploit the vulnerabilities.

Global Impact and Urgent Mitigation

Volexity's analysis has identified evidence of compromise on over 1,700 devices worldwide. Affected customers range from small businesses to Fortune 500 companies and include global government and military departments, national telecommunications companies, and defense contractors, as well as organizations in the technology, finance, and aerospace sectors. Given the sharp increase in threat activity related to the vulnerabilities, Ivanti is advising customers to apply the mitigation measures immediately.

Chained Vulnerabilities and Cybersecurity Measures

The exploitation involves the chained vulnerabilities CVE-2024-21887 and CVE-2023-46805, leading to device compromise and the deployment of webshell backdoors. Volexity developed a scanning method to detect evidence of compromise and identified over 1,700 compromised Ivanti Connect Secure VPN appliances. While applying the Ivanti mitigation is crucial, the number of compromised organizations may be higher than current detection methods reveal.