Ivanti VPN security flaws are being attacked again by Chinese hackers

A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
(Image credit: Shutterstock / Thapana_Studio)

The recently discovered Ivanti VPN security flaws are still being abused, researchers have claimed - with Chinese hackers now taking advantage of the vulnerabilities to deploy all kinds of malware.

Cybersecurity researchers from Google-owned Mandiant have claimed the Chinese group UNC5325 is using a combination of living-off-the-land techniques to prevent being detected on the devices, as it drops novel malware

This malware, the researchers argue, can survive factory resets, system upgrades, and patches. 

Unsupported OS and other woes

In order to achieve it, the Chinese hackers gained a “nuanced understanding” and “significant knowledge” of the Ivanti Connect Secure appliance. Users should “immediately take action to ensure protection if they haven't done so already,” Mandiant says, pointing the users to the direction of Ivanti’s latest security advisory

Furthermore, users should use Ivanti’s new external integrity checker, as well as Mandiant’s updated Hardening Guide.

The researchers also said that there is a possibility of a second threat actor, tracked as UNC3886, also jumping on the bandwagon. While some reports put this threat actor under the command of the Chinese government, others argue that UNC5325 and UNC3886 are the same entity. 

In early January 2024, Ivanti reported discovering and patching a critical remote code execution (RCE) vulnerability in one of its products, which could have allowed threat actors to drop all kinds of malware. Soon after, all hell broke loose for Ivanti, as it later discovered a handful of additional vulnerabilities, which were getting exploited on a massive scale, by threat actors from all over the world. 

Subsequent investigation uncovered that Ivanti used the CentOS 6.4. operating system for its products, which was unsupported for years at that point: 

"Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020," security analysts from Eclypsium said in a report analyzing firmware version 9.1.18.2-24467.1.

In early February, the US government told its agencies using Ivanti Connect Secure and Ivanti Policy Secure to disconnect these solutions immediately and not turn them back on until they’re absolutely certain they’ve been properly patched, and their networks disinfected from possible hacker incursions.

The patches Ivanti released are effective, but only if they were applied before any incursions. If a threat actor established persistence on an endpoint beforehand, applying the fix will not help.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.