Rene RobichaudJan 10, 2025

China's UNC5337 Exploits a Critical Ivanti RCE Bug, Again
https://www.darkreading.com/vulnerabilities-threats/china-unc5337-critical-ivanti-rce-bug

#Infosec #Security #Cybersecurity #CeptBiro #China #UNC5337 #Exploits #Ivanti #RCEBug

China's UNC5337 Exploits a Critical Ivanti RCE Bug, Again

New year, same story. Despite Ivanti's commitment to secure-by-design principles, Chinese threat actors are exploiting its edge devices for the nth time.

The Threat CodexJan 9, 2025
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
#CVE_2025_0282 #CVE_2025_0283 #UNC5337 #UNC5221 #PHASEJAM #SPAWNMOLE
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog

Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024.

Google Cloud Blog
Show threadNot SimonApr 4, 2024

I buried the lede in not mentioning that UNC5291 is assessed with medium confidence to be associated with Volt Typhoon, a Chinese state-sponsored Advanced Persistent Threat (APT).  See related The Record reporting: Volt Typhoon and 4 other groups targeting US energy and defense sectors through Ivanti bugs

#Ivanti #ConnectSecure #vulnerability #cyberespionage #China #activeexploitation #eitw #zeroday #KEV #CISA #CVE_2023_46805 #CVE_2024_21887 #CVE_2024_21893 #UNC5221 #UNC5266 #UNC5330 #UNC5337 #UNC5291

Volt Typhoon and 4 other groups targeting US energy and defense sectors through Ivanti bugs

Several China-based hacking groups, including Volt Typhoon, are targeting a trio of vulnerabilities affecting IT giant Ivanti alongside multiple cybercriminal operations.

Not SimonApr 4, 2024

Mandiant releases part 4 of the Ivanti Connect Secure incident response investigation. They detail different types of post-exploitation activity across their IR engagements. Chinese threat actors have a growing knowledge of Ivanti Connect Secure in abusing appliance-specific functionality to perform actions on objective. They highlight FIVE Chinese threat actors: UNC5221, UNC5266, UNC5330, UNC5337, and UNC5291 abusing a mix of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. New TTPs, new malware families and new IOC: πŸ”— https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

EDIT: For your situational awareness, it's my understanding that future Mandiant articles will be located at https://cloud.google.com/blog/topics/threat-intelligence/

#Ivanti #ConnectSecure #vulnerability #cyberespionage #China #activeexploitation #eitw #zeroday #KEV #CISA #CVE_2023_46805 #CVE_2024_21887 #CVE_2024_21893 #UNC5221 #UNC5266 #UNC5330 #UNC5337 #UNC5291

Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies | Google Cloud Blog

We have conducted multiple incident response engagements across a range of industry verticals and geographic regions.

Google Cloud Blog