- Suspected state-linked hackers have been exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN devices since early December, according to research released Wednesday by Volexity.
- The vulnerabilities, which are chained together, allow attackers to remotely execute commands without authentication. The attacker, who researchers track as UTA0178, downloaded remote files, stole configuration data and modified existing files in targeted systems.
- Ivanti is working with Mandiant to mitigate the threat, but it is releasing patches under a staggered schedule starting the week of Jan. 22, according to the company. A final version will not be ready until the week of Feb. 19. Ivanti is urging customers to immediately take mitigation steps designed to protect against these attacks.
Volexity initially detected threat activity in mid-December but later traced exploits back to Dec. 3.
The attackers were observed modifying legitimate ICS components and making other changes in order to evade an ICS Integrity Checker Tool, according to Volexity.
Volexity researchers do not consider the current level of threat activity widespread. However, with mitigation steps being released, the exploit could be shared by threat groups and the timetable moved up, Steven Adair, president of Volexity, said via email.
“It would not surprise us to see more widespread exploitation moving forward,” Adair said.
Researchers from Tenable also warned that exploitation could accelerate due to the staggered release of a patch.
“Three weeks is a large window of time for attackers to develop their own or acquire from an external third party a working proof-of-concept exploit for these vulnerabilities,” said Satnam Narang, senior staff research engineer at Tenable.
The Cybersecurity and Infrastructure Security Agency added the vulnerabilities to its Known Exploited Vulnerabilities catalog, noting a significant risk to federal enterprises.