Cyber Siege: Ivanti Vulnerabilities Exploited by Volt Typhoon Hackers

Don’t let Volt Typhoon rain on your parade – patch up those Ivanti vulnerabilities before hackers harvest your data crop with their malware sickles! #CybersecurityChaos

Hot Take:

Well, if there’s anything more persistent than my cat begging for treats, it’s hackers exploiting vulnerabilities in Ivanti products. Despite patches faster than duct tape fixes, Volt Typhoon and their cyber cronies are still wreaking digital havoc. I guess it’s time to update our systems – or start training pigeons to send secure messages again.

Key Points:

  • Hackers, including the notorious Volt Typhoon, are still exploiting patched vulnerabilities in Ivanti products.
  • Targets are widespread, affecting various industries like aerospace, banking, defense, and government.
  • Mandiant has been tracking multiple campaigns since February 2024 against the U.S. energy and defense sectors.
  • Financially motivated actors are also in the mix, using the flaws for crypto-mining adventures.
  • Despite the malicious probing, Mandiant hasn’t found evidence of Volt Typhoon successfully breaching Connect Secure instances.

CVE ID: CVE-2024-21887
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVE ID: CVE-2023-46805
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE ID: CVE-2024-21893
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Need to know more?

A Patchy Situation

Imagine a game of whack-a-mole but with cybersecurity threats – that's the scene at Ivanti. With not one, not two, but three vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893), it's like a hacker's buffet, and everyone's invited. Ivanti did their due diligence by patching the flaws, but hackers are about as deterred as toddlers in a toy store. The US Cybersecurity and Infrastructure Security Agency (CISA) was practically yelling "Patch now!" to agencies as if they were announcing a Black Friday sale.

A Cybercrime Potpourri

It's not just about espionage anymore. The cyber threat landscape is looking more diverse than a college brochure. Mandiant's tracking of Volt Typhoon has turned up all sorts of fun, from probing in the academic world to the energy sector. And let's not forget the financially motivated actors – because who needs to invest in Bitcoin when you can just hijack someone's computer to mine it for you?

The Malware Menagerie

If you thought malware names couldn't get any weirder, allow me to introduce the likes of TERRIBLETEA and SPAWNMOLE. They sound like rejected Pokémon, but they're actually part of the payload package attackers deploy once they're through the door. These digital nasties are the party guests you definitely didn't invite, and they're not bringing any housewarming gifts.

More Like Tech Radar "Pro-tect Yourself"

And just when you thought you were in for a regular news day, TechRadar Pro is here to remind you to armor up your digital fortress. With advice on the best firewalls and endpoint security tools, they're basically the cyber-preppers of the internet. So, if you're not already signed up for their newsletter, you might be missing out on the cybersecurity equivalent of a horoscope reading – it's always good to know what's in store.

The Pen is Mightier Than the Keyboard

Finally, meet Sead Fadilpašić, the man behind the words. Hailing from Sarajevo, he's been in the IT and cybersecurity storytelling game for over a decade. With a resume that reads like a tech writer's dream and content writing workshops under his belt, Sead is the kind of journalist who probably dreams in binary and wakes up with keyboard imprints on his face.

Tags: Chinese hacking groups, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, financial cybercrime, Ivanti vulnerabilities, Malware Deployment