How #PrivateEquity #Debt Left a Leading #VPN Open to Chinese Hackers
Nothing says secure like a private equity “cost-cut” diet. In early 2024, CISA ordered agencies to disconnect Ivanti Connect Secure after Chinese spies hacked it and hit nearly two dozen orgs—then CISA found two of its own databases compromised and the fix failed. So… who’s guarding the network, the bean counters? 😼

An anonymous reader quotes a report from Bloomberg: In early 2024, the agency that oversees cybersecurity for much of the US government issued a rare emergency order -- disconnect your Connect Secure virtual private network software immediately. Chinese spies had hacked the code and infiltrated near...
🚨 April 2025 Vulnerability Report is out! 🚨
👉 https://www.vulnerability-lookup.org/2025/05/01/vulnerability-report-april-2025/
The most prominent vulnerabilities affect the following products:
- #Ivanti / #ConnectSecure
- #Erlang / OTP
- #SAP / SAP NetWeaver
The Continuous Exploitation section highlights several resurgent vulnerabilities (recently exploited at a high rate).
💻 NISDUC Conference
#VulnerabilityLookup will be presented during the fourth #NISDUC conference.
PoC Exploit Released for Ivanti Connect Secure RCE Vulnerability
https://gbhackers.com/poc-ivanti-connect-secure-rce-vulnerability/
#Infosec #Security #Cybersecurity #CeptBiro #PoCExploit #Ivanti #ConnectSecure #RCE #Vulnerability
A serious security flaw has been identified in Ivanti Connect Secure, designated as CVE-2025-0282, which enables remote unauthenticated attackers to execute arbitrary code.
MITRE disclosed that one of their research and development networks was compromised by a foreign nation-state threat actor in January 2024 using Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887. Networked Experimentation, Research, and Virtualization Environment (NERVE) is a collaborative network used for research, development, and prototyping. MITRE included a timeline, observed TTPs (mapped to MITRE ATT&CK techniques cc: @howelloneill) and their incident response actions. No IOCs provided. 🔗 https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks and https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8 h/t @reverseics
#MITRE #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #threatintel #cyberespionage
I buried the lede in not mentioning that UNC5291 is assessed with medium confidence to be associated with Volt Typhoon, a Chinese state-sponsored Advanced Persistent Threat (APT). See related The Record reporting: Volt Typhoon and 4 other groups targeting US energy and defense sectors through Ivanti bugs
#Ivanti #ConnectSecure #vulnerability #cyberespionage #China #activeexploitation #eitw #zeroday #KEV #CISA #CVE_2023_46805 #CVE_2024_21887 #CVE_2024_21893 #UNC5221 #UNC5266 #UNC5330 #UNC5337 #UNC5291
Mandiant releases part 4 of the Ivanti Connect Secure incident response investigation. They detail different types of post-exploitation activity across their IR engagements. Chinese threat actors show growing knowledge of Ivanti Connect Secure, abusing appliance-specific functionality to perform actions on objectives. They highlight FIVE Chinese threat actors: UNC5221, UNC5266, UNC5330, UNC5337, and UNC5291 abusing a mix of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. New TTPs, new malware families and new IOCs: 🔗 https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
EDIT: For your situational awareness, it's my understanding that future Mandiant articles will be located at https://cloud.google.com/blog/topics/threat-intelligence/
#Ivanti #ConnectSecure #vulnerability #cyberespionage #China #activeexploitation #eitw #zeroday #KEV #CISA #CVE_2023_46805 #CVE_2024_21887 #CVE_2024_21893 #UNC5221 #UNC5266 #UNC5330 #UNC5337 #UNC5291
I want to get off Mr. Ivanti's wild ride: security advisory for Ivanti Connect Secure and Ivanti Policy Secure: 🔗 https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways and blog post: https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure
We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.
#Ivanti #ConnectSecure #PolicySecure #vulnerability #CVE_2024_21894 #CVE_2024_22052 #CVE_2024_22053 #CVE_2024_22023
Soooo ... that integrity checker tool that Ivanti wants customers to use to detect compromise? It doesn't scan more than a dozen directories including /data, /etc, /tmp, and /var. As a test of what was possible, @n0x08 installed the Sliver C2 tool in /data and ran the integrity checker tool and it passed. Patched Ivanti VPNs could very well still be compromised even if the integrity checker tool gave them an all-clear.
We also found numerous extremely old software packages, including a Linux kernel that was EOL in 2020 (CentOS 6.4). Yikes!
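To make the gap described in that post concrete, here is an added example (it is not Ivanti's integrity checker tool and not code from the post): a toy file-integrity checker that hashes a tree against a known-good manifest, run once with the post's excluded directories (/data, /etc, /tmp, /var) pruned and once over the whole tree. The mini filesystem, the "implant" in /data, the /etc/hosts edit and the 203.0.113.5 address are all constructed for the demo.

```python
# Added illustration (not Ivanti's ICT, not code from the post): a toy integrity checker
# showing why skipping directories lets a planted implant pass. The directory names,
# sample files and "implant" are constructed for this demo.
import hashlib
import os
import tempfile
from pathlib import Path

# Top-level directories the post says the checker does not scan (assumed for the demo).
SKIPPED_DIRS = frozenset({"data", "etc", "tmp", "var"})


def sha256_file(path: Path) -> str:
    """Hash one file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, skip=frozenset()) -> dict:
    """Map every regular file under root (relative path -> sha256), pruning any
    top-level directory named in `skip` the way a partial checker would."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if rel.parts and rel.parts[0] in skip:
            dirnames[:] = []  # do not descend into the skipped tree
            continue
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report what changed between a known-good manifest and the live one."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Build a constructed mini appliance tree, take baselines, then simulate the post's
    test: drop an implant in /data and tamper with /etc while leaving scanned paths alone.
    Returns (partial_checker_result, full_checker_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("home/bin", "data", "etc", "tmp", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "home/bin/server").write_bytes(b"\x7fELF constructed clean binary")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        (root / "var/log/messages").write_text("boot ok\n")

        # Baselines from the "clean" image: one with the post's exclusions, one without.
        baseline_partial = build_manifest(root, SKIPPED_DIRS)
        baseline_full = build_manifest(root)

        # Simulated compromise: C2 implant in /data, persistence edit in /etc (constructed).
        (root / "data/sliver-implant").write_bytes(b"\x7fELF constructed implant")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n203.0.113.5 c2.example\n")

        partial = diff_manifest(baseline_partial, build_manifest(root, SKIPPED_DIRS))
        full = diff_manifest(baseline_full, build_manifest(root))
        return partial, full


if __name__ == "__main__":
    partial, full = demo()
    print("checker that skips /data,/etc,/tmp,/var :", partial)  # reports nothing
    print("checker that walks the whole tree      :", full)     # flags both changes
```

The partial run returns empty added/modified lists even though an implant and a hosts edit are sitting on disk, which is the "all-clear" the post describes; the full walk flags both. Two caveats for real use: the baseline must come from a trusted source (a vendor hash list or a clean image), not from a box that may already be compromised, and a checker executed on the appliance itself can be tampered with by an attacker who has root, so hash the mounted disk image from outside where possible.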