Global Security Alert: Over 1,700 VPN Devices Hacked with GIFTEDVISITOR Web Shell

Earlier this month, we discussed the zero-day vulnerabilities in Ivanti products. A recent analysis by Mandiant revealed that attackers employed five distinct malware families in their assaults, including Zipline, Thinspool Dropper, Wirefire, Lightwire, and Warpwire Harvester.

According to the latest findings from Volexity experts, over 1,700 compromised Connect Secure VPN devices were detected on January 14th of this year, infected with the GIFTEDVISITOR web shell. The list of victims encompasses state and private entities worldwide, including military institutions, national telecommunications companies, defense contractors, technology firms, banks, financial and accounting organizations, global consulting companies, and firms within the aerospace, aviation, and engineering sectors.

The Shadowserver threat monitoring service tracks more than 16,800 Connect Secure VPN devices accessible from the internet globally. The majority of these devices, approximately 5,000, are located in the USA, underscoring the undeniably global nature of this threat.

It has been confirmed that attackers can execute arbitrary commands on all supported versions of Connect Secure VPN and Policy Secure devices by chaining two previously identified vulnerabilities, CVE-2023-46805 and CVE-2024-21887. Meanwhile, in addition to the previously suspected Chinese state-sponsored hackers (UTA0178 or UNC5221), numerous new groups have joined in the active exploitation of these vulnerabilities.

Ivanti has yet to release the necessary fixes, suggesting that the problem may be more profound than initially perceived. Administrators are strongly advised to apply the mitigation measures provided by the company to all VPN devices in the network and to use the Ivanti Integrity Checker tool to detect signs of compromise.

In July last year, two other Ivanti zero-day vulnerabilities (CVE-2023-35078 and CVE-2023-35081) were exploited to breach several Norwegian government organizations, and a month later, hackers began exploiting a third vulnerability (CVE-2023-38035) in Ivanti Sentry software to circumvent API authentication.