Cybersecurity

APT Group Exploits Newly Discovered Zero-Day in Ivanti VPNs

Highlights

  • Hackers target Ivanti VPN with zero-day exploits.
  • APT exploits involve command injection, auth bypass.
  • Mandiant advises immediate application of patches.
NEWSLINKER
NEWSLINKER

A newly found vulnerability in Ivanti Connect Secure VPNs has been actively exploited by an APT hacker group, identified by Google’s Mandiant cybersecurity team. These flaws are especially problematic because they are zero-days, which means the software vendor is unaware of them at the time of exploitation, rendering immediate patches unfeasible.

Contents
Escalation of VPN ExploitsIdentified Zero-Day ExploitsMandiant’s Assessment and Recommendations

Escalation of VPN Exploits

Such vulnerabilities are increasingly attractive to cybercriminals as more people depend on VPNs for secure online communication. The APT group’s exploitation activities include command injection and authentication bypass, which could lead to total network control.

Identified Zero-Day Exploits

The specific vulnerabilities identified by Ivanti’s security team include CVE-2023-46805, which allows for authentication bypass, and CVE-2024-21887, which permits command injection. The exploitation began in December 2023, and Ivanti has been working closely with Mandiant to address these issues and provide security measures.

Post-exploitation, the attackers deployed custom malware and tools such as PySoxy and BusyBox. They also used a Perl script and a shell script dropper called THINSPOOL to maintain persistence and evade detection. This script allowed them to remount read-only sections of the system and insert the LIGHTWIRE web shell into a legitimate Connect Secure file.

LIGHTWIRE, along with another tool called WIREFIRE, provides the attackers with a persistent and lightweight foothold within the compromised VPN appliances, underscoring their intent for sustained access and espionage.

Mandiant’s Assessment and Recommendations

Although Mandiant’s analysts could not ascertain the origin of the threat actors due to limited data, the use of zero-day vulnerabilities to target edge infrastructure is not unprecedented. The group’s approach is characteristic of espionage efforts, as they focus on residing at the network perimeter, exploiting zero-days, commandeering devices, and remaining undetected. Cybersecurity experts strongly advise the immediate application of available security patches to counteract such threats.

You can follow us on Youtube, Telegram, Facebook, Linkedin, Twitter ( X ), Mastodon and Bluesky

You Might Also Like

Russian Cyber Group Strikes NATO and Ukraine, Hits Key Sectors

International Sting Disrupts Core Ransomware Infrastructure

Authorities Disrupt DanaBot Cybercrime Network with Global Effort

Global Operation Disrupts 10 Million Device Malware Network

Russian Cyber Group Targets Western Firms Supporting Ukraine

Share This Article
By NEWSLINKER
NEWS LINKER is your premier source for the latest in business, finance, science, gaming, and technology. We are dedicated to bringing you the most accurate, timely, and engaging content from across these dynamic industries. Dive deep into the world of cutting-edge developments, breakthroughs, market trends, and game-changing innovations..
Previous Article Introducing Samsung’s Galaxy S24 Ultra: A Cinematic Showcase with Emma Myers
Next Article Samsung Enhances One UI Home with Latest Update

Stay Connected

Latest News

Google Detects Chinese-Linked Cyber Attacks Using Calendar Service
Technology
Tesla Brings iPhone Live Charging Updates to Supercharger Users
Apple Electric Vehicle
Salesforce Bets on Informatica to Boost Enterprise AI Capabilities
AI
Nvidia Seeks Entry into Portable Gaming SoC Market
Computing
Telegram Integrates Grok AI as Legal and Global Pressures Intensify
AI