Ivanti Zero-Day Exploits Skyrocket Worldwide; No Patches Yet

Thousands of Ivanti VPN instances have been compromised across the globe in the last five days thanks to two serious, as yet unpatched zero-day vulnerabilities disclosed last week.

Ivanti Connect Secure (ICS) VPN is a virtual private network (VPN) tool that remotely connects mobile devices with corporate network resources, making it an attractive target for hackers looking to gain initial hooks into corporate IT environments.

ICS VPN takeovers have been shooting up worldwide, ever since the two new bugs were disclosed on Jan. 10. To make matters worse: There won't be patches available for at least a few more days.

"The main fear is that, at a lot of organizations, this gives unfettered access — an immediate way to get into their network," warns Steven Adair, president of Volexity.

Thousands of Exploits in Ivanti VPNs

Each of the two ICS VPN bugs is powerful on its own, but they prove most effective in tandem.

First, CVE-2023-46805 — a high-severity 8.2 CVSS-scored vulnerability — allows attackers to bypass authentication checks.

Then CVE-2024-21887, rated a critical 9.1 out of 10, allows the unfairly authenticated user to send specially crafted requests and run arbitrary commands on the tricked device.

UTA0178, a group Volexity believes works for the Chinese state, appears to have leveraged the two bugs as zero-days, in attacks dating back to early December. With the access so afforded, it backdoored a small handful of organizations with a Web shell called "GiftedVisitor." From there, the attackers performed reconnaissance and data collection, Adair says, though he adds that "we have a fairly limited number of cases where we know the attacker really went all-in on the victim."

The threat landscape changed once Ivanti and Volexity broke news of the bug last week. In the days that followed, thousands of new infections spread across the globe, with a Jan. 15 scan of 30,000 devices identifying at least 1,700 tainted VPNs.

The majority of these could be attributed to UTA0178, which seems to have used the news as impetus to act before most organizations had time to harden themselves. However, there appear to be attempted exploitations by other threat actors as well.

Victims thus far have run the gamut: from small organizations to Fortune 500 companies, across the military and government, telecommunications and finance, and more. Most infections are concentrated in the United States, but they also span every other continent: Guyana to Germany, Egypt, Thailand, Australia, and so on.

What to Do if You're Affected

As yet there's no available patch for either ICS VPN vulnerability, and Ivanti is expected to be working on those for a while longer: Jan. 22 for CVE-2023-46805's, and Feb. 19 to fix CVE-2024-21887.

In the meantime, there are two things customers can do.

On the day of the disclosure, Ivanti released a mitigation for blocking potential exploitations. It's not a patch — it doesn't solve the underlying vulnerabilities — but it is designed to catch and root out potential attempts to exploit them.

Of course, such a preventative measure doesn't account for the thousands of existing compromises. For those — and, really, any devices that haven't been fully examined yet — Ivanti VPN has a built-in Integrity Checker Tool that can detect compromises of the kind carried out by UTA0178.

Then, Adair advises, "follow your incident response playbook from there. Isolating the device is something you want to do, and then kind of kick off your investigation, which may involve opening a support ticket with Ivanti to learn more. Then get these relevant files decrypted, or involve your incident response providers so they can help investigate and dig in a bit deeper."