Cybersecurity

APT Group Exploits Newly Discovered Zero-Day in Ivanti VPNs

Highlights

  • Hackers target Ivanti VPN with zero-day exploits.
  • APT exploits involve command injection, auth bypass.
  • Mandiant advises immediate application of patches.
NEWSLINKER
NEWSLINKER

A newly found vulnerability in Ivanti Connect Secure VPNs has been actively exploited by an APT hacker group, identified by Google’s Mandiant cybersecurity team. These flaws are especially problematic because they are zero-days, which means the software vendor is unaware of them at the time of exploitation, rendering immediate patches unfeasible.

Contents
Escalation of VPN ExploitsIdentified Zero-Day ExploitsMandiant’s Assessment and Recommendations

Escalation of VPN Exploits

Such vulnerabilities are increasingly attractive to cybercriminals as more people depend on VPNs for secure online communication. The APT group’s exploitation activities include command injection and authentication bypass, which could lead to total network control.

Identified Zero-Day Exploits

The specific vulnerabilities identified by Ivanti’s security team include CVE-2023-46805, which allows for authentication bypass, and CVE-2024-21887, which permits command injection. The exploitation began in December 2023, and Ivanti has been working closely with Mandiant to address these issues and provide security measures.

Post-exploitation, the attackers deployed custom malware and tools such as PySoxy and BusyBox. They also used a Perl script and a shell script dropper called THINSPOOL to maintain persistence and evade detection. This script allowed them to remount read-only sections of the system and insert the LIGHTWIRE web shell into a legitimate Connect Secure file.

LIGHTWIRE, along with another tool called WIREFIRE, provides the attackers with a persistent and lightweight foothold within the compromised VPN appliances, underscoring their intent for sustained access and espionage.

Mandiant’s Assessment and Recommendations

Although Mandiant’s analysts could not ascertain the origin of the threat actors due to limited data, the use of zero-day vulnerabilities to target edge infrastructure is not unprecedented. The group’s approach is characteristic of espionage efforts, as they focus on residing at the network perimeter, exploiting zero-days, commandeering devices, and remaining undetected. Cybersecurity experts strongly advise the immediate application of available security patches to counteract such threats.

You can follow us on Youtube, Telegram, Facebook, Linkedin, Twitter ( X ), Mastodon and Bluesky

You Might Also Like

Cyberattack Hits United Natural Foods, Causes $400 Million Sales Loss

US Prosecutes Ryuk Ransomware Suspect after High-Profile Extradition

UNC6148 Targets Patched SonicWall SMA 100 Devices in Ongoing Attacks

Senators Question DHS Over Database Use in Voter Citizenship Checks

Army Veteran Admits to Telecom Hack and Extortion Plot

Share This Article
By NEWSLINKER
NEWS LINKER is your premier source for the latest in business, finance, science, gaming, and technology. We are dedicated to bringing you the most accurate, timely, and engaging content from across these dynamic industries. Dive deep into the world of cutting-edge developments, breakthroughs, market trends, and game-changing innovations..
Previous Article Introducing Samsung’s Galaxy S24 Ultra: A Cinematic Showcase with Emma Myers
Next Article Samsung Enhances One UI Home with Latest Update

Stay Connected

Latest News

Brightpick’s Giraffe Robot Targets Efficiency Gains in Warehouses
AI Robotics
Waymo Hits 100 Million Autonomous Miles as Cities Join Driverless Shift
Robotics
AI Labs Weigh Safety Against Speed in Pursuit of AGI
AI
Tesla Prepares to Open 50s-Style Supercharger Diner in Los Angeles
Electric Vehicle
Google Prepares Pixel Watch 4 Launch with Enhanced Features
Wearables