Ivanti’s widely used Connect Secure VPNs saw mass exploitation by threat actors following the January disclosure of two high-severity, zero-day vulnerabilities in the systems. Researchers said thousands of Ivanti VPN devices were compromised during the attacks, with the list of victims including the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Other victims included Mitre, a major provider of federally funded R&D and the promulgator of a cyberattack framework that’s become ubiquitous in the security industry.
While several additional vulnerabilities ultimately were disclosed, researchers at Google Cloud-owned Mandiant reported that the two original Ivanti VPN vulnerabilities saw “broad exploitation activity” by a China-linked threat group tracked as UNC5221, as well as “other uncategorized threat groups.” The attacks by UNC5221 — a “suspected China-nexus espionage threat actor” — went back as far as Dec. 3, the researchers at Mandiant said.
The attacks prompted CISA to issue an urgent order to civilian executive branch agencies, requiring the unusual measure of disconnecting their Ivanti Connect Secure VPNs within 48 hours. Ivanti released the first patch for some versions of its Connect Secure VPN software on Jan. 31, three weeks after the initial vulnerability disclosure. “In this case, we prioritized mitigation releases as patches were being developed, consistent with industry best practices,” Ivanti said in a statement provided to CRN.