Hackers are beginning to heavily exploit a third vulnerability affecting Ivanti's widely used enterprise VPN appliance, new public data shows.
Last week, Ivanti said it had discovered two new security flaws — tracked as CVE-2024-21888 and CVE-2024-21893 — affecting Connect Secure, its remote access VPN solution used by thousands of corporations and large organizations worldwide. According to its website, Ivanti has more than 40,000 customers, including universities, healthcare organizations and banks, whose technology allows their employees to log in from outside the office.
The disclosure comes shortly after Ivanti confirmed two bugs in Connect Secure, tracked as CVE-2023-46805 and CVE-2024-21887, which security researchers said China-backed hackers have used since December to break into customer networks and steal information.
Now one of Ivanti's newly discovered flaws — CVE-2024-21893, a server-side request forgery vulnerability — is being exploited en masse.
Although Ivanti has since patched the vulnerabilities, security researchers expect more impact on organizations as more hacking groups exploit the flaw. Steven Adair, founder of Volexity, a cybersecurity company that tracks exploitation of such vulnerabilities, warned that now that proof-of-concept exploit code is public, “any unpatched device accessible on the Internet can be compromised many times over.”
Piotr Kijewski, chief executive of the ShadowServer Foundation, which scans and monitors the Internet for exploitation activity, told TechCrunch on Thursday that more than 630 unique IPs are trying to exploit the server-side flaw, which gives attackers access to data on vulnerable devices.
This is a huge increase compared to last week, when ShadowServer observed 170 unique IPs trying to exploit the vulnerability.
Analysis of the new server-side flaw shows that the bug can be exploited to bypass Ivanti's original mitigation for the initial exploit chain, which combined the first two vulnerabilities, effectively rendering those pre-patch mitigations ineffective.
Kijewski added that ShadowServer is currently tracking about 20,800 Connect Secure devices exposed to the Internet, down from 22,500 last week, but he noted that it is not known how many of those devices have been compromised.
It is not clear who is behind the mass exploit, but security researchers have attributed the exploits of the first two Connect Secure bugs to a Chinese state-backed hacking group motivated by espionage.
Ivanti previously said it was aware of “targeted” exploitation of the server-side bug against a “limited number of customers.” Despite repeated requests from TechCrunch this week, Ivanti would not comment on reports that the flaw was being mass exploited, but it did not dispute ShadowServer's findings.
Ivanti started releasing patches to users for all the vulnerabilities along with a second set of mitigations earlier this month. However, Ivanti said in its security advisory — last updated on Feb. 2 — that it is “releasing patches for the highest number of installs and then continuing in a declining order.”
It is not known when Ivanti will make patches available to all of its vulnerable customers.
The latest Ivanti flaw comes days after US cybersecurity agency CISA ordered federal agencies to urgently disconnect all Ivanti VPN appliances. Citing the “severe threat” posed by the vulnerabilities under active attack, CISA gave agencies just two days to disconnect the devices.