State-Sponsored Hackers Exploit Zero-Day Flaws in Ivanti VPN



State-sponsored hackers are exploiting two zero-day vulnerabilities in a corporate VPN from a company that serves over 40,000 customers. The previously unknown vulnerabilities are severe, and can let an unauthenticated attacker execute commands on Ivanti’s Connect Secure VPN appliance, which is also known as Pulse Secure. On Wednesday, the company published an alert about the threat, a month after security firm Volexity discovered suspected state-sponsored hackers breaking into a client’s network through their Connect Secure VPN appliance. Initially, Volexity’s investigators found that the VPN’s traffic logs had been wiped and logging disabled. But through further evidence, Volexity uncovered that the state-sponsored hackers had chained together a pair of zero-day vulnerabilities to hijack the VPN appliance.


“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” Volexity said. “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.” The threat is particularly alarming since companies often use corporate VPNs as a way to let employees remotely log in to an internal network. Volexity added that the state-sponsored hackers were also spotted abusing their access to “keylog and exfiltrate credentials for users logging into” the VPN. “The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” the security firm added. Volexity also says it suspects the state-sponsored hackers came from China, citing the internet domains used during the group’s infiltration.


In response, Ivanti published a mitigation that can help ward off the threat. But the company is still working on an official patch, which won’t begin arriving until the week of Jan. 22. Volexity adds that the current mitigation “does not remedy a past or ongoing compromise.” Hence, Ivanti is urging customers to use the company’s “Integrity Checker Tool” to check whether their VPN appliance has already been compromised. The company currently says: “We are aware of less than 10 customers impacted by the vulnerabilities.” But security researchers note that thousands of Ivanti Secure Connect appliances appear to be active on the internet.
