Cybersecurity

APT Group Exploits Newly Discovered Zero-Day in Ivanti VPNs

Highlights

  • Hackers target Ivanti VPN with zero-day exploits.
  • APT exploits involve command injection, auth bypass.
  • Mandiant advises immediate application of patches.
NEWSLINKER
NEWSLINKER

A newly found vulnerability in Ivanti Connect Secure VPNs has been actively exploited by an APT hacker group, identified by Google’s Mandiant cybersecurity team. These flaws are especially problematic because they are zero-days, which means the software vendor is unaware of them at the time of exploitation, rendering immediate patches unfeasible.

Contents
Escalation of VPN ExploitsIdentified Zero-Day ExploitsMandiant’s Assessment and Recommendations

Escalation of VPN Exploits

Such vulnerabilities are increasingly attractive to cybercriminals as more people depend on VPNs for secure online communication. The APT group’s exploitation activities include command injection and authentication bypass, which could lead to total network control.

Identified Zero-Day Exploits

The specific vulnerabilities identified by Ivanti’s security team include CVE-2023-46805, which allows for authentication bypass, and CVE-2024-21887, which permits command injection. The exploitation began in December 2023, and Ivanti has been working closely with Mandiant to address these issues and provide security measures.

Post-exploitation, the attackers deployed custom malware and tools such as PySoxy and BusyBox. They also used a Perl script and a shell script dropper called THINSPOOL to maintain persistence and evade detection. This script allowed them to remount read-only sections of the system and insert the LIGHTWIRE web shell into a legitimate Connect Secure file.

LIGHTWIRE, along with another tool called WIREFIRE, provides the attackers with a persistent and lightweight foothold within the compromised VPN appliances, underscoring their intent for sustained access and espionage.

Mandiant’s Assessment and Recommendations

Although Mandiant’s analysts could not ascertain the origin of the threat actors due to limited data, the use of zero-day vulnerabilities to target edge infrastructure is not unprecedented. The group’s approach is characteristic of espionage efforts, as they focus on residing at the network perimeter, exploiting zero-days, commandeering devices, and remaining undetected. Cybersecurity experts strongly advise the immediate application of available security patches to counteract such threats.

You can follow us on Youtube, Telegram, Facebook, Linkedin, Twitter ( X ), Mastodon and Bluesky

You Might Also Like

Experts Warn Trump Bill Hits Healthcare Cybersecurity Funding

Oligo Security Introduces Application Attack Matrix to Map App Layer Threats

Call of Duty Pulls PC Game After Hackers Seize Players’ Computers

Scattered Spider Tactics Pressure Companies With Rapid Social Attacks

Congress Directs Major Funding to Military Cybersecurity Initiatives

Share This Article
By NEWSLINKER
NEWS LINKER is your premier source for the latest in business, finance, science, gaming, and technology. We are dedicated to bringing you the most accurate, timely, and engaging content from across these dynamic industries. Dive deep into the world of cutting-edge developments, breakthroughs, market trends, and game-changing innovations..
Previous Article Introducing Samsung’s Galaxy S24 Ultra: A Cinematic Showcase with Emma Myers
Next Article Samsung Enhances One UI Home with Latest Update

Stay Connected

Latest News

Wordle Players Solve Tricky Puzzle as “JUMPY” Stumps Many
Gaming
Amazon Offers Samsung Galaxy Watch 7 at Record Low Price
Wearables
Tesla Drives Supply Chain Upgrades with Expanded Semi Integration
Electric Vehicle
OpenAI Expands AI Education Partnerships and Sets New Guidelines
AI Technology
Tesla Semi Powers thyssenkrupp’s Logistics Trial in California
Electric Vehicle