Newly found vulnerabilities in Ivanti Connect Secure VPN appliances have been actively exploited by an APT group, according to Google’s Mandiant cybersecurity team, which identified the activity. These flaws are especially problematic because they are zero-days: the vendor was unaware of them at the time of exploitation, so no patch was available when attacks began.
Escalation of VPN Exploits
Such vulnerabilities are increasingly attractive to attackers as more organizations depend on VPNs for secure remote access. The APT group’s activity combines an authentication bypass with command injection, which together could give an attacker total control of the affected network.
Identified Zero-Day Exploits
The specific vulnerabilities identified by Ivanti’s security team are CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection flaw. Exploitation began in December 2023, and Ivanti has been working closely with Mandiant to address the issues and provide mitigations.
Post-exploitation, the attackers deployed custom malware alongside tools such as PySoxy and BusyBox. They also used a Perl script and a shell-script dropper called THINSPOOL to maintain persistence and evade detection. THINSPOOL remounts read-only sections of the appliance filesystem so that they can be modified, then inserts the LIGHTWIRE web shell into a legitimate Connect Secure file.
LIGHTWIRE, along with another tool called WIREFIRE, provides the attackers with a persistent and lightweight foothold within the compromised VPN appliances, underscoring their intent for sustained access and espionage.
Mandiant’s Assessment and Recommendations
Although Mandiant’s analysts could not attribute the activity to a specific origin because of limited data, the use of zero-day vulnerabilities against edge infrastructure is not unprecedented. The group’s tradecraft is characteristic of espionage operations: it focuses on residing at the network perimeter, exploiting zero-days, commandeering devices, and remaining undetected. Cybersecurity experts strongly advise applying the available security patches and mitigations immediately to counter such threats.