https://therecord.media/ivanti-vpn-vulnerabilities-exploited-devices-worldwide
Jonathan Greig
January 16th, 2024

Ivanti spots ‘sharp increase’ in targeting of VPN as analysts find 1,700 devices exploited

Ivanti said it is seeing a spike in hackers targeting two recently disclosed vulnerabilities in its Connect Secure VPN product, as cybersecurity researchers also sized up the extent of the damage.

Since issuing an advisory last week, “we have seen a sharp increase in threat actor activity and security researcher scans” concerning the bugs, an Ivanti spokesperson said in comments to The Record.

Overall, more than 1,700 devices have been exploited worldwide since the IT giant notified the public about the issue, researchers at Volexity said on Monday. Volexity discovered and reported the issues, tracked as CVE-2023-46805 and CVE-2024-21887, to Ivanti in early December.

The Ivanti spokesperson said that a mitigation issued January 10 and other tools should help administrators looking to stop exploitation of the vulnerabilities. Ivanti is still in the process of developing an official patch for the issue.

“The security of our customers is our top priority, and we strongly advise all customers to apply the mitigation immediately,” the spokesperson said.
“This is an evolving situation, and we have provided additional guidance to customers on steps they can take to ensure the threat actor is not able to gain persistence in their environment.”

Company officials “regularly work with the appropriate government agencies on coordinated disclosure” of vulnerabilities, the spokesperson said. The leading cybersecurity agencies in both the U.S. and U.K. have released advisories and ordered government departments to patch the bugs as soon as possible.

Concerns about CVE-2023-46805 and CVE-2024-21887 have grown since they were disclosed by the IT company. At that point, Ivanti said at least 10 of its customers were impacted.

Volexity and another cybersecurity company, Google’s Mandiant, previously tied the exploitation of the vulnerabilities to hackers allegedly based in China, but Volexity said attacks have expanded to multiple threat actors around the world.

“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals, including the following: global government and military departments, national telecommunications companies, defense contractors, technology, banking, finance, and accounting, worldwide consulting, aerospace, aviation, and engineering,” Volexity researchers said.

The unmitigated

Volexity said it began to see widespread scanning on January 11 and by Sunday had found over 1,700 Ivanti Connect Secure (ICS) VPN appliances that were compromised. They added that the appliances “appear to have been indiscriminately targeted, with victims all over the world.”

The company said it has contacted national cybersecurity agencies in several countries so that local victims can be notified, and urged them to reach out if they need assistance.
They warned that their methodology for finding victims would not have worked with organizations that had already deployed the mitigations issued by Ivanti or had taken their devices offline.

“As a result, Volexity suspects there may likely be a higher number of compromised organizations than identified through scanning (which totaled more than 1,700),” they said, warning that the China-based group behind the initial exploitation, which they track as UTA0178, may have taken further actions.

“There was likely a period in which UTA0178 could have auctioned these compromises before the mitigation was applied. Furthermore, Volexity has identified that additional attackers beyond UTA0178 appear to have access to the exploit.”

Researchers at Shadowserver shared scans showing 6,809 Ivanti instances vulnerable to CVE-2023-46805. The U.S. led the way with more than 1,500 vulnerable devices, while China, France and Germany also had hundreds of exposed instances. For CVE-2024-21887, other researchers found nearly 9,000 vulnerable devices around the world.

Microsoft principal security researcher Christopher Glyer said that for those who did not apply the mitigation released by Ivanti on January 10, there is a “reasonable chance you were exploited.”

Patches will be released on a staggered schedule based on the version of the tool a customer has, with the first coming out in the week of January 22, Ivanti said. The last version will come out the week of February 19.

Tags: Ivanti, VPN, Vulnerability

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.
He previously covered cybersecurity at ZDNet and TechRepublic.

© Copyright 2024 | The Record from Recorded Future News