The recently discovered Ivanti VPN security flaws are still being abused, researchers have claimed – with Chinese hackers now taking advantage of the vulnerabilities to deploy all kinds of malware.
Cybersecurity researchers from Google-owned Mandiant have claimed the Chinese group UNC5325 is using a combination of living-off-the-land techniques to prevent being detected on the devices, as it drops novel malware.
This malware, the researchers argue, can survive factory resets, system upgrades, and patches.
In order to achieve it, the Chinese hackers gained a “nuanced understanding” and “significant knowledge” of the Ivanti Connect Secure appliance. Users should “immediately take action to ensure protection if they haven’t done so already,” Mandiant says, pointing the users to the direction of Ivanti’s latest security advisory.
Furthermore, users should use Ivanti’s new external integrity checker, as well as Mandiant’s updated Hardening Guide.
The researchers also said that there is a possibility of a second threat actor, tracked as UNC3886, also jumping on the bandwagon. While some reports put this threat actor under the command of the Chinese government, others argue that UNC5325 and UNC3886 are the same entity.
In early January 2024, Ivanti reported discovering and patching a critical remote code execution (RCE) vulnerability in one of its products, which could have allowed threat actors to drop all kinds of malware. Soon after, all hell broke loose for Ivanti, as it later discovered a handful of additional vulnerabilities, which were getting exploited on a massive scale, by threat actors from all over the world.
Subsequent investigation uncovered that Ivanti used the CentOS 6.4. operating system for its products, which was unsupported for years at that point:
“Pulse Secure runs an 11-year-old version of Linux which hasn’t been supported since November 2020,” security analysts from Eclypsium said in a report analyzing firmware version 9.1.18.2-24467.1.
In early February, the US government told its agencies using Ivanti Connect Secure and Ivanti Policy Secure to disconnect these solutions immediately and not turn them back on until they’re absolutely certain they’ve been properly patched, and their networks disinfected from possible hacker incursions.
The patches Ivanti released are effective, but only if they were applied before any incursions. If a threat actor established persistence on an endpoint beforehand, applying the fix will not help.
https://www.techradar.com/rss
Sead Fadilpašić
https://www.youtube.com/watch?v=nynaX6oyFEY
/ After pledging to slash its greenhouse gas emissions, Microsoft’s climate pollution has grown by…
A bipartisan group of US Senators released a sweeping plan for how Congress should fund…
A MUM has claimed that she woke up screaming during a botched plastic surgery op…
Show more (1 item) Apple announced its first new tablets since 2022 recently, including two new iPad…