VPNocalypse: China-Linked Hackers Exploit Double Ivanti Flaws to Compromise Under 10 Firms

Suspected Chinese hackers have a new trick up their sleeve: exploiting not one, but two Ivanti flaws for a cyber-espionage party. Fewer than 10 RSVP’d, but the damage? Priceless. Patch your Ivanti before it’s gatecrashed! #CyberSecurityChaos

Hot Take:

Just when you thought your trusty VPN was the cloak of invisibility in the cyber realm, it turns out it’s more like a neon “hack me” sign. Behold the latest cyber-spectacle: a dynamic duo of zero-day flaws in Ivanti products, exploited by China’s digital ninjas. Fewer than 10 customers got a VIP pass to this unwanted hackathon, but it’s a stark reminder that even the mightiest digital fortresses have backdoors… and sometimes, they’re wide open.

Key Points:

  • A couple of zero-day vulnerabilities in Ivanti Connect Secure and Policy Secure have been exploited, likely by a group with the made-for-Hollywood codename UTA0178.
  • The cyber perps could bypass authentication and inject commands like they owned the place, exploiting the flaws as early as December 3, 2023.
  • Ivanti is playing whack-a-mole, releasing patches in a staggered fashion while recommending a workaround to stop attackers from crashing the party.
  • The attackers didn’t stop at getting in; they altered files to siphon off credentials and data, and even set up a cozy web shell for persistent access.
  • The U.S. CISA has echoed the “patch it yesterday” sentiment by adding the flaws to its “Known Exploited Vulnerabilities” list.

Need to know more?

The Great Firewall Heist

A sordid cyber tale unfolded in December 2023 when Volexity spotted some digital prowlers in the network of one of its clients. The nefarious activity was attributed to a group with the enigmatic label UTA0178, suspected of ties to Chinese nation-state interests. With the finesse of a cat burglar, they leveraged two zero-day flaws to gain unauthenticated command execution on Ivanti gear, potentially as early as December 3, 2023.

A Double Whammy of Doom

The dynamic duo of vulnerabilities, CVE-2023-46805 and CVE-2024-21887, served as a master key for attackers to access restricted resources and execute arbitrary commands. It's like finding out that your high-security digital vault had a secret entrance that the bad guys knew all about. Ivanti, caught in a cyber game of catch-up, warned users about these digital trapdoors while working on patches.

Band-Aid Solutions Before Surgery

With patches still in the digital oven, Ivanti has been handing out workaround Band-Aids to users. It's like telling folks to duct tape their doors shut while you're still figuring out how to fix the lock. Meanwhile, the attackers have been having a field day, stealing data, modifying files, and even setting up a digital base camp with a custom web shell named GLASSTOKEN for a prolonged stay. The audacity!

Spy Games and Keystroke Collecting

The attackers, not satisfied with mere entry, decided to go full James Bond villain. They modified a legit CGI file to allow command execution and tweaked a JavaScript file used during login to harvest user credentials. It's the cybersecurity equivalent of someone picking your pocket while giving you a friendly hug.

Big Brother's Cyber Watchlist

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the flaws to its "Most Wanted" list of known exploited vulnerabilities. It's like the FBI's Ten Most Wanted, but for code. CISA's alert is a digital APB to federal agencies: fix these flaws by January 31, 2024, before the digital bandits strike again.

And so, the stage is set for a cyber showdown. Ivanti is patching up the holes, users are scrambling to secure their systems, and somewhere in the vast expanse of the internet, UTA0178 is probably looking for their next digital heist. Stay safe out there, netizens, and remember: in the wild west of the web, even the saloon's back door needs a good lock.

Tags: CVE-2023-46805, CVE-2024-21887, GLASSTOKEN web shell, Ivanti Connect Secure, nation-state hacking, VPN security flaws, zero-day vulnerabilities