
Hackers launch widespread attacks on Ivanti VPN zero-day vulnerabilities.

Cybercriminals are mass-exploiting two critical zero-day vulnerabilities in Ivanti's widely deployed corporate VPN appliance.

Volexity reported last week that China-backed hackers are using two unpatched flaws in Ivanti Connect Secure, CVE-2023-46805 and CVE-2024-21887, to breach customer networks and steal data. Ivanti said it knew of "less than 10 customers" affected by the "zero-day" flaws, which it had no time to fix before they were exploited.

Volexity reported rampant exploitation on Monday in an updated blog post.

Volexity reports that approximately 1,700 Ivanti Connect Secure appliances have been compromised, affecting aerospace, banking, military, government, and telecommunications organizations.

Volexity said that victims range from small businesses to Fortune 500 firms across numerous industry sectors. Ivanti VPN appliances were "indiscriminately targeted," with victims worldwide, according to the security company.

Volexity believes the number of compromised organizations is far larger. Shadowserver Foundation, a nonprofit that tracks security threats, reports over 17,000 internet-exposed Ivanti VPN devices globally, including over 5,000 in the US.

On Tuesday, Ivanti amended its advisory to say that its findings are "consistent" with Volexity's latest discoveries and that the mass exploitation began on January 11, a day after Ivanti disclosed the vulnerabilities. Ivanti told Eltrys, via its PR firm MikeWorldWide, that it has "seen a sharp increase in threat actor activity and security researcher scans."

Volexity representative Kristel Faris told Eltrys Tuesday that Ivanti is “responding to an increase in support requests as quickly as possible.”

Despite widespread exploitation, Ivanti has not yet released fixes. Ivanti plans to roll out patches on a "staggered" schedule beginning January 22. In the meantime, admins should apply Ivanti's mitigation to every affected VPN appliance on their network. Ivanti also advises admins to rotate passwords, API keys, and certificates on vulnerable appliances.

No ransomware has been observed so far. Volexity first attributed the two Ivanti zero-days to UTA0178, a China-backed hacking group, and reported exploitation on December 3.

Mandiant, which is also tracking Ivanti vulnerability exploitation, said its findings, combined with Volexity’s, suggest “an espionage-motivated APT campaign,” suggesting government-backed involvement.

Volexity told Eltrys this week that it has observed additional hacking groups, notably UTA0188, using the flaws to attack vulnerable devices, but it would not provide further details.

Volexity told Eltrys that it had not found ransomware in the large-scale intrusions. "However, we fully anticipate that happening if the proof-of-concept code becomes public," said Faris.

Security researchers have found proof-of-concept code that exploits the Ivanti zero-days.
