Jump to content

Ivanti VPN security flaws are being attacked again by Chinese hackers


TechRadar

Recommended Posts

rssImage-696161d88e476dd4171e8228e83b5091.jpeg

The recently discovered Ivanti VPN security flaws are still being abused, researchers have claimed - with Chinese hackers now taking advantage of the vulnerabilities to deploy all kinds of malware.

Cybersecurity researchers from Google-owned Mandiant have claimed the Chinese group UNC5325 is using a combination of living-off-the-land techniques to prevent being detected on the devices, as it drops novel malware

This malware, the researchers argue, can survive factory resets, system upgrades, and patches. 

Unsupported OS and other woes

In order to achieve it, the Chinese hackers gained a “nuanced understanding” and “significant knowledge” of the Ivanti Connect Secure appliance. Users should “immediately take action to ensure protection if they haven't done so already,” Mandiant says, pointing the users to the direction of Ivanti’s latest security advisory

Furthermore, users should use Ivanti’s new external integrity checker, as well as Mandiant’s updated Hardening Guide.

The researchers also said that there is a possibility of a second threat actor, tracked as UNC3886, also jumping on the bandwagon. While some reports put this threat actor under the command of the Chinese government, others argue that UNC5325 and UNC3886 are the same entity. 

In early January 2024, Ivanti reported discovering and patching a critical remote code execution (RCE) vulnerability in one of its products, which could have allowed threat actors to drop all kinds of malware. Soon after, all hell broke loose for Ivanti, as it later discovered a handful of additional vulnerabilities, which were getting exploited on a massive scale, by threat actors from all over the world. 

Subsequent investigation uncovered that Ivanti used the CentOS 6.4. operating system for its products, which was unsupported for years at that point: 

"Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020," security analysts from Eclypsium said in a report analyzing firmware version 9.1.18.2-24467.1.

In early February, the US government told its agencies using Ivanti Connect Secure and Ivanti Policy Secure to disconnect these solutions immediately and not turn them back on until they’re absolutely certain they’ve been properly patched, and their networks disinfected from possible hacker incursions.

The patches Ivanti released are effective, but only if they were applied before any incursions. If a threat actor established persistence on an endpoint beforehand, applying the fix will not help.

More from TechRadar Pro

View the full article

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...