Chinese Hackers Target Ivanti: Critical Vulnerabilities Exposed

The Cybersecurity and Infrastructure Security Agency (CISA), along with several leading global organizations, has issued a new warning about critical vulnerabilities in the products of IT giant Ivanti. According to experts, the affected products, subject to CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, are widely used by government organizations worldwide.

A report published by the research firm Mandiant, owned by Google, reveals that multiple Chinese hacker groups, including Volt Typhoon, are actively exploiting these vulnerabilities. Additionally, hackers with financial motives have joined the attacks, a departure from previously reported cyber espionage campaigns.

Mandiant researchers have been tracking the activities of a group likely associated with Volt Typhoon since February 2024. This group also overlaps with TAG-87 and BRONZE SILHOUETTE, and focuses its efforts on the energy and defense sectors in the United States.


Beyond Volt Typhoon, four other Chinese groups exploiting these bugs were discovered after Ivanti made them public on January 10, 2024.

Financially motivated cybercriminals primarily use CVE-2023-46805 and CVE-2024-21887 for operations such as covert cryptocurrency mining. Only one group, known as UNC5221, exploited CVE-2023-46805 and CVE-2024-21887 before their disclosure.

Mandiant noted no instances where Volt Typhoon successfully compromised Ivanti Connect Secure solutions. This group's activity commenced in December 2023 with attacks on Citrix NetScaler ADC before shifting its focus to Ivanti devices.

Other hackers, upon successful breach, deployed various malicious programs, including the TERRIBLETEA, PHANTOMNET, TONERJAM, SPAWNSNAIL, and SPAWNMOLE families. Often, to penetrate deeper into internal systems, they resorted to tools from Microsoft and VMware.

Patches for all three vulnerabilities are now available. The Mandiant report was published a day after Ivanti’s CEO promised a series of changes in response to a string of high-profile incidents affecting governmental organizations worldwide.