State-sponsored hackers are exploiting two zero-day vulnerabilities in a corporate VPN from a company that serves over 40,000 customers.
The previously unknown vulnerabilities are severe: chained together, they let an unauthenticated attacker execute commands on Ivanti’s Connect Secure VPN appliance (formerly known as Pulse Connect Secure). On Wednesday, the company published an alert about the threat, a month after security firm Volexity discovered suspected state-sponsored hackers breaking into a client’s network through the client’s Connect Secure VPN appliance.
Initially, Volexity’s investigators found that the VPN’s traffic logs had been wiped and logging disabled. From other evidence on the device, Volexity established that the state-sponsored hackers had chained together a pair of zero-day vulnerabilities to hijack the VPN appliance.
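Wiped logs and disabled logging are themselves a finding worth surfacing early in an investigation. The script below is an added example, not code from Volexity, Ivanti or this article: it reads an exported log in an assumed generic "YYYY-MM-DD HH:MM:SS message" format (not Ivanti's real log format) and flags three tamper signals the text describes or implies: a history shorter than the expected retention window, unexplained gaps between consecutive entries on an appliance that should log continuously, and explicit "logging disabled" or "log cleared" messages. The sample entries, thresholds and keyword list are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample export in an assumed generic format
# ("YYYY-MM-DD HH:MM:SS message"); not an Ivanti log, messages are illustrative.
SAMPLE_LOG = """\
2023-12-10 09:00:01 session start user=alice
2023-12-10 09:15:44 session end user=alice
2023-12-10 09:16:02 session start user=bob
2023-12-13 22:41:19 logging disabled by admin
2023-12-14 01:30:00 session start user=carol
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_entries(text):
    """Return [(timestamp, message), ...] in file order, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # First 19 characters are the timestamp, the rest is the message.
        entries.append((datetime.strptime(line[:19], TS_FORMAT), line[20:].strip()))
    return entries


def find_gaps(entries, max_gap=timedelta(hours=6)):
    """Adjacent entries further apart than max_gap: a busy appliance should not go quiet."""
    gaps = []
    for (t_prev, _), (t_cur, _) in zip(entries, entries[1:]):
        if t_cur - t_prev > max_gap:
            gaps.append((t_prev, t_cur, t_cur - t_prev))
    return gaps


def find_logging_changes(entries, keywords=("logging disabled", "log cleared")):
    """Entries whose message says logging was turned off or logs were cleared.

    The keyword list is an assumption; adapt it to the real device's wording."""
    return [(t, m) for t, m in entries if any(k in m.lower() for k in keywords)]


def audit(text, expected_retention=timedelta(days=30), now=None):
    """Summarise signs of tampered or truncated logs as a list of finding strings."""
    entries = parse_entries(text)
    if not entries:
        return ["no log entries at all: logging disabled or log wiped"]
    now = now or entries[-1][0]
    findings = []
    oldest = entries[0][0]
    # A retention window that should hold weeks of history but starts days ago
    # is consistent with a wipe, even when every surviving entry looks benign.
    if now - oldest < expected_retention:
        findings.append(
            f"history starts {oldest}, shorter than expected retention "
            f"of {expected_retention.days} days"
        )
    for t_prev, t_cur, delta in find_gaps(entries):
        findings.append(f"gap of {delta} between {t_prev} and {t_cur}")
    for t, m in find_logging_changes(entries):
        findings.append(f"{t}: {m}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the sample, it reports a retention window of under four days, a gap of more than three days, and the "logging disabled" entry. The gap threshold and retention window are tuning knobs; set them from the device's normal chatter and configured retention rather than the defaults here, and remember that the absence of findings on a device whose logs have been fully cleared is itself the signal, which is why an empty export is reported rather than passed.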
“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” Volexity said. “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”
The threat is particularly alarming since companies often use corporate VPNs to let employees log in remotely to an internal network. Volexity added that the state-sponsored hackers were also spotted abusing their access to “keylog and exfiltrate credentials for users logging into” the VPN.
“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” the security firm added. Volexity also says it suspects the state-sponsored hackers came from China, citing the internet domains used during the group’s infiltration.
In response, Ivanti published a mitigation that can help ward off the threat. But the company is still working on an official patch, which won’t begin arriving until the week of Jan. 22. Volexity adds that the current mitigation “does not remedy a past or ongoing compromise.”
Hence, Ivanti is urging customers to check whether their VPN appliance has already been compromised using the company’s “Integrity Checker Tool.” The company currently says: “We are aware of less than 10 customers impacted by the vulnerabilities.” But security researchers note that thousands of Ivanti Connect Secure appliances appear to be exposed on the internet.