Ivanti zero-day exploits explode as bevy of attackers get in on the act

Customers still patchless and mitigation only goes so far

There's a "reasonable chance" that Ivanti Connect Secure (ICS) VPN users are already compromised if they didn't apply the vulnerability mitigation released last week, experts say.

The latest data from Volexity shows that successful exploits of two Ivanti zero-days have accelerated sharply to more than 1,700 devices.

Citing the new figures, Christopher Glyer, principal security researcher at Microsoft Threat Intelligence Center, said: "If you didn't apply Ivanti Connect Secure VPN mitigation on January 10, reasonable chance you were exploited – mass exploitation by same actor started on January 11 and compromised at least 1,700 devices."

Mandiant's report on January 11, a day after the initial disclosure, noted that fewer than 20 devices were compromised at the time, which underlines how quickly the attacks have escalated.

There's also evidence to suggest that attackers beyond the group responsible now have their hands on a working exploit, which might offer a partial explanation for the shift toward mass exploitation.

The new wave of attacks is hitting everything from small businesses to some of the largest companies in the world, including multiple Fortune 500 firms, according to Volexity.

Victims include governments, militaries, telcos, tech companies, financial services firms, and aerospace companies, among others.

The vast majority of the successful compromises are being pinned to UTA0178 – a group Volexity believes to have a nexus in China, although Mandiant has said there isn't enough data to confirm. A minority of cases have also come from other criminal groups who have since obtained a working exploit.

"In addition to the discovery of widespread exploitation undertaken by UTA0178, analysis of logs from various ICS VPN appliances showed likely attempted exploitation by other threat actors, with noticeably poorer operational security than UTA0178," Volexity's researchers said.

"Based on analysis of these logs, nearly two dozen IP addresses attempted exploitation using the correct URI pattern or similar URI patterns required for exploitation, with no documentation of this URI pattern in the public domain. These IP addresses appear to be a mix of private VPS instances and compromised network appliances, although no Cyberoam devices have been observed."

A separate group that Volexity tracks as UTA0188 is also thought to be behind some of the exploit attempts, though further detail about that is hidden behind a paywalled article (TIB-20240115).

While the zero-days are now at "mass exploitation" level, Volexity believes the true number of compromised appliances may be even higher. Its scanning methodology doesn't pick up attacked appliances after the mitigation was applied, and there was a period in which UTA0178 could have launched attacks before the issue was publicly disclosed.

Most of the victims currently known to researchers have been infected with a slightly modified version of the GIFTEDVISITOR webshell, one of the two webshells identified by Volexity at the time of the zero-days' initial disclosure.

It's worth noting that Mandiant's list of identified tools is much longer.

"The attacker used an identical webshell to that observed in the first incident investigated by Volexity, but they replaced the AES key used with a truncated UUID string," Volexity's researchers said.

"This AES key format differed from the one initially discovered, which simply had the value 1234567812345678. Volexity's analysis of multiple devices shows that a unique AES key has likely been employed on each victim system as part of the widespread compromise."
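The per-victim key change described above is exactly the kind of detail a hunt rule can key on. The following is an added example, not Volexity's or Ivanti's tooling, that scans source files for a 16-character AES key literal that is either the original static key or a UUID truncated to 16 characters. It assumes, which the article does not state, that the webshell hands its key to AES as a quoted 16-character string literal; the file contents it scans are constructed for the example.

```python
"""Hunt for GIFTEDVISITOR-style webshell variants by the AES key they embed.

Added example; this is not Volexity's or Ivanti's tooling. Assumptions
(not stated in the article): the webshell passes its key to AES as a quoted
16-character string literal, matching the 16-character static key
1234567812345678 from the first sample, and the per-victim variants use a
UUID truncated to 16 characters. The SAMPLES below are constructed.
"""
import re
from typing import List, NamedTuple, Optional

KNOWN_STATIC_KEY = "1234567812345678"

# A 36-character UUID ("8-4-4-4-12" hex groups) cut to its first 16
# characters is 8 hex, '-', 4 hex, '-', 2 hex. Assumed variant shape.
TRUNCATED_UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{2}$", re.IGNORECASE)

# Quoted 16-character literal passed as the first argument to AES.new().
# Assumed call shape; widen this for other crypto APIs you meet in the field.
AES_KEY_ARG_RE = re.compile(r"""AES\.new\(\s*b?["']([^"']{16})["']""")


class Hit(NamedTuple):
    source: str
    key: str
    reason: str


def classify_key(key: str) -> Optional[str]:
    """Return why a key literal is suspicious, or None if it is not."""
    if key == KNOWN_STATIC_KEY:
        return "static key from the first GIFTEDVISITOR sample"
    if TRUNCATED_UUID_RE.match(key):
        return "truncated-UUID key (per-victim variant)"
    return None


def scan_source(name: str, text: str) -> List[Hit]:
    """Report every AES key literal in `text` that classify_key() flags."""
    hits = []
    for match in AES_KEY_ARG_RE.finditer(text):
        reason = classify_key(match.group(1))
        if reason:
            hits.append(Hit(name, match.group(1), reason))
    return hits


# Constructed file contents; not real webshell code.
SAMPLES = {
    "original_variant.py": 'cipher = AES.new("1234567812345678", AES.MODE_CBC, iv)\n',
    "per_victim_variant.py": 'cipher = AES.new(b"3f2a9c1e-7b4d-4a", AES.MODE_CBC, iv)\n',
    "benign_helper.py": "cipher = AES.new(key_from_config, AES.MODE_GCM)\n",
    "benign_static.py": 'cipher = AES.new(b"0123456789abcdef", AES.MODE_CBC, iv)\n',
}


def scan_samples() -> List[Hit]:
    """Run the hunt over every constructed sample and collect the hits."""
    hits = []
    for name, text in SAMPLES.items():
        hits.extend(scan_source(name, text))
    return hits


if __name__ == "__main__":
    for hit in scan_samples():
        print(f"{hit.source}: key {hit.key!r} -> {hit.reason}")
```

The benign samples show why the rule keys on the key's shape rather than on "any 16-byte literal": a hard-coded but non-UUID key is poor practice, but it is not this webshell, and a hunt that fires on it will bury the real hits.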

According to Shadowserver data, the largest concentration of ICS appliances still exposed to the zero-days remains in the US (roughly 1,500), followed by Japan (957), China (436), Taiwan (406), and South Korea (402).

Germany has the most exposures in Europe with 385 appliances, with France and the UK following with 279 and 250 respectively.

If they haven't already, users are advised to run Ivanti's internal and external Integrity Checker Tool, which detects signs of the ongoing compromises while patches remain unavailable. That said, the checker only detects a compromise; it does not undo one. If a compromise is found, users will need to take manual action to reverse any malicious activity that occurred on the appliance.

"Collecting logs, system snapshots, and forensics artifacts (memory and disk) from the device are crucial," Volexity said. "Pivoting to analyzing internal systems and tracking potential lateral movement should be done as soon as possible. Further, any credentials, secrets, or other sensitive data that may have been stored on the ICS VPN appliance should be considered compromised. This may warrant password resets, changing of secrets, and additional investigations."

The researchers said they "strongly" recommend that organizations look for signs of lateral movement internally from their ICS VPN appliance that "is not consistent with expected behavior from the device." They added: "Proactive checks of any externally facing infrastructure may also be warranted if internal visibility is limited." ®
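One practical way to act on that recommendation is to treat the appliance as a source address and allowlist the back-end dependencies it legitimately talks to (directory, RADIUS, DNS, syslog), then report every other connection it initiates. The script below is an added example, not Volexity's detection logic; the appliance address, the allowlist and the flow records are all constructed for the example.

```python
"""Flag lateral movement that originates from an ICS VPN appliance.

Added example; not Volexity's detection logic. It encodes the recommendation
in the article as an allowlist: the appliance's internal address should only
initiate connections to its known back-end dependencies. Anything else it
initiates is reported. The appliance address, the allowlist and the flow
records are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical internal address of the ICS appliance.
APPLIANCE_IP = "10.0.5.10"

# Hypothetical expected back-end dependencies: destination host -> ports.
EXPECTED: Dict[str, Set[int]] = {
    "10.0.1.20": {389, 636},    # Active Directory / LDAP
    "10.0.1.21": {1812, 1813},  # RADIUS
    "10.0.1.9": {53},           # DNS
    "10.0.1.50": {514},         # syslog
}

# Constructed flow records: timestamp src dst dport proto (one per line).
FLOW_LOG = """\
2024-01-15T02:11:03Z 10.0.5.10 10.0.1.20 389 tcp
2024-01-15T02:11:04Z 10.0.5.10 10.0.1.21 1812 udp
2024-01-15T02:11:05Z 10.0.5.10 10.0.1.9 53 udp
2024-01-15T02:12:40Z 10.0.5.10 10.0.2.15 445 tcp
2024-01-15T02:12:41Z 10.0.5.10 10.0.2.15 3389 tcp
2024-01-15T02:13:02Z 10.0.5.10 10.0.1.20 5985 tcp
2024-01-15T02:14:00Z 10.0.7.33 10.0.2.15 445 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow format used above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def unexpected_flows(flows: List[Flow], appliance_ip: str = APPLIANCE_IP,
                     expected: Dict[str, Set[int]] = EXPECTED) -> List[Flow]:
    """Flows the appliance initiated that are not on its dependency allowlist.

    A known host on an unexpected port (WinRM to the domain controller, say)
    is flagged just like an unknown host: the appliance has no reason to
    manage that host. Flows from any other source are ignored here.
    """
    return [
        f for f in flows
        if f.src == appliance_ip and f.dport not in expected.get(f.dst, set())
    ]


def touched_hosts(flows: List[Flow]) -> Dict[str, Set[int]]:
    """Summarise unexpected destinations as host -> ports for the IR pivot."""
    summary: Dict[str, Set[int]] = {}
    for f in flows:
        summary.setdefault(f.dst, set()).add(f.dport)
    return summary


if __name__ == "__main__":
    suspicious = unexpected_flows(parse_flows(FLOW_LOG))
    for host, ports in touched_hosts(suspicious).items():
        print(f"{APPLIANCE_IP} -> {host}: unexpected ports {sorted(ports)}")
```

In the constructed log the appliance reaching a workstation on SMB and RDP, and the domain controller on WinRM, are the three flows reported; the directory, RADIUS and DNS lookups are not. The hosts that come out of `touched_hosts()` are the internal systems to pivot to next, which is the point of Volexity's advice.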
