Ivanti bugs are still being targeted by Chinese hackers, Google warns

A person at a laptop with a cybersecure lock symbol floating above it.
(Image credit: Shutterstock / laymanzoom)

Hackers are still abusing multiple vulnerabilities in Ivanti products, which were discovered and patched early this year. 

Among them is Volt Typhoon, an infamous Chinese-backed hacking collective, warned cybersecurity researchers from Google-owned Mandiant, reporting “multiple clusters of activity” surrounding CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. 

These three flaws, affecting Ivanti Connect Secure and Ivanti Policy Secure gateways, were discovered early this year, after Ivanti warned of multiple hacking groups abusing them to take over vulnerable devices.

Dropping malware and cryptominers

Soon after, the US Cybersecurity and Infrastructure Security Agency (CISA) warned government agencies to patch the flaws immediately, as they were being used en-masse, mostly by Chinese-sponsored actors. 

The sharp increase in attacks started on or after January 11, with government agencies, small and medium-sized businesses (SMB), and enterprises, all falling victim. While the hackers did not choose any particular industry, the majority of the victims were in aerospace, banking, defense, and government.

Mandiant said that it started tracking Volt Typhoon in February 2024, as it engaged in multiple campaigns against the energy and defense sectors in the U.S. Besides this hacking collective, the researchers said that four other groups were active, as well: UNC5221, UNC5266, UNC5330, and UNC5337.

“In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining,” Mandiant said. 

Luckily enough, Mandiant says there is no evidence Volt Typhoon successfully breached anyone’s Connect Secure instances.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” they said. “Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure.”

In places where the attackers had been successful, they would mostly deploy TERRIBLETEA, PHANTOMNET, TONERJAM, SPAWNSNAIL, and SPAWNMOLE malware variants. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS