Ivanti Secure VPN: Chinese Threat Actor Exploits Zero-Day Vulnerabilities, Compromises Systems

January 13, 2024

TLDR: Two zero-day vulnerabilities have been discovered in Ivanti Secure VPN, a popular VPN solution used by organizations worldwide. The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, allow an attacker to execute remote code without authentication and compromise affected systems. They are currently being exploited in the wild by a Chinese threat actor known as UTA0178, which has been deploying webshells, modifying files, and stealing credentials. The majority of the exposed VPN appliances are located in the United States, followed by Japan and Germany. Ivanti has provided a mitigation method until a patch is available.

• Two zero-day vulnerabilities have been discovered in Ivanti Secure VPN, allowing remote code execution and compromise of affected systems.
• The vulnerabilities are being exploited in the wild by a Chinese threat actor known as UTA0178.
• Most of the exposed VPN appliances are located in the United States, followed by Japan and Germany.
• A mitigation method has been released by Ivanti until full patches are available.

Two zero-day vulnerabilities have been discovered in Ivanti Secure VPN, a popular VPN solution used by organizations worldwide. The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, allow an attacker to execute remote code without authentication and compromise affected systems. They are particularly concerning because they are already being exploited in the wild by a Chinese nation-state threat actor known as UTA0178.

The first vulnerability, CVE-2023-46805, is an authentication bypass that allows an attacker to reach restricted resources by evading the appliance's access control checks. The second, CVE-2024-21887, is a command injection vulnerability that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands. Chained together, the authentication bypass gives an unauthenticated attacker a path to the injection point, which is why the pair amounts to unauthenticated remote code execution.

According to Patrice Auffret, founder and CEO of ONYPHE, a French cyber defense search engine, there are 29,664 Ivanti Secure VPN appliances connected to the internet. Of these, over 40% are located in the US, followed by Japan (14.3%) and Germany (8.48%).

The threat actor UTA0178 has been observed deploying webshells and modifying files to steal credentials and move laterally between systems. The attacker collected newly harvested credentials on every system it reached and dumped a full image of the Active Directory database. The threat actor also modified the JavaScript loaded by the VPN appliance's web login page so that it captured any credentials entered.

To detect and mitigate these vulnerabilities, organizations are advised to analyze network traffic and VPN device logs, and to run the integrity checker tool provided by Ivanti, since file modification (including the tampered login-page JavaScript) is a core part of the observed activity. Ivanti has released a mitigation method to apply until full patches are available.
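Because the actor's post-exploitation activity leaves modified and added files on the appliance (the tampered login-page JavaScript, dropped webshells), a file-integrity baseline is one of the most direct detection controls. The following is an added example written for this page, not Ivanti's Integrity Checker Tool and not code from the original article: it hashes every file under a web root, stores a known-good manifest, and reports what was modified, added or removed on a rescan. The directory layout, file names and the tampering scenario are all constructed for illustration.

```python
# Added example (not Ivanti's Integrity Checker Tool): a minimal file-integrity
# baseline/compare routine that reports files modified, added or removed relative
# to a known-good manifest. All paths and file contents below are constructed.
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict[str, str],
                      current: dict[str, str]) -> dict[str, list[str]]:
    """Diff a known-good baseline against a fresh scan of the same tree."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a web root, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        web = root / "htdocs"          # hypothetical web root, not an Ivanti path
        web.mkdir()
        (web / "login.js").write_text("function login(){ submit(); }\n")
        (web / "index.html").write_text("<html>login</html>\n")

        # The baseline would normally be written while the appliance is known
        # clean and kept off-box so an intruder cannot rewrite it.
        saved = json.dumps(build_manifest(root), indent=2)

        # Simulate the kind of changes described in the article: login-page
        # JavaScript altered, a new server-side script dropped, a file removed.
        (web / "login.js").write_text("function login(){ exfil(creds); submit(); }\n")
        (web / "dropped.cgi").write_text("#!/bin/sh\n")
        (web / "index.html").unlink()

        return compare_manifests(json.loads(saved), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The value of this check rests entirely on the baseline being taken from a clean system and stored where the appliance itself cannot alter it; a manifest that lives on the compromised device can be regenerated by the same actor who modified the files.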
