Chinese threat actors [2] [5] [6] [7] [8] [9], such as UNC5291 (Volt Typhoon), UNC5221 [1] [2] [3] [4] [5] [6] [7] [8], UNC5266 [1] [2] [8], UNC5330 [1] [2] [5] [8] [9], UNC5337 [1] [2] [5] [8] [9], and UNC3886 [8], have been exploiting vulnerabilities in Ivanti products, impacting Ivanti Connect Secure and Ivanti Policy Secure gateways [2] [4] [6].

Description

Chinese threat actors [2] [5] [6] [7] [8] [9], including UNC5291 (Volt Typhoon) [1] [3] [8], UNC5221 [1] [2] [3] [4] [5] [6] [7] [8], UNC5266 [1] [2] [8], UNC5330 [1] [2] [5] [8] [9], UNC5337 [1] [2] [5] [8] [9], and UNC3886 [8], have been exploiting the vulnerabilities CVE-2023-46805 [5] [7] [8], CVE-2024-21887 [1] [2] [4] [5] [6] [7] [8] [9], and CVE-2024-21893 in Ivanti products. These vulnerabilities have been used for crypto-mining operations, for lateral movement from the compromised appliance into the wider network [1] [9], and for deploying custom malware on vulnerable Ivanti appliances [1]. Ivanti has released patches and an enhanced external Integrity Checker Tool (ICT) to help organizations detect and defend against these threats. Various tactics, techniques, and procedures (TTPs) and malware families, such as TONERJAM, PHANTOMNET [2] [4] [8], and SPAWN [2] [3] [4] [8], have been observed in these attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of mass attacks by Chinese-sponsored actors [2], impacting government agencies [2], small and medium-sized businesses (SMBs) [2], and enterprises [2], particularly in the aerospace [2], banking [2], defense [1] [2] [4] [5] [6] [7], and government sectors [2].

Conclusion

Organizations are advised to apply Ivanti’s patches and to run the external ICT to protect against these multiple threat actor clusters. The use of new malware families and tactics by Chinese threat actors highlights the need for enhanced cybersecurity measures. The ongoing exploitation of these vulnerabilities by multiple threat groups underscores the importance of proactive defense strategies and continuous monitoring to mitigate risk and protect sensitive data.

References

[1] https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
[2] https://www.techradar.com/pro/security/ivanti-bugs-are-still-being-targeted-by-chinese-hackers-google-warns
[3] https://duo.com/decipher/ivanti-patches-new-flaws-as-exploits-continue-against-older-ones
[4] https://thecyberpost.com/news/volt-typhoon-and-4-other-groups-targeting-us-energy-and-defense-sectors-through-ivanti-bugs/
[5] https://cybersocialhub.com/csh/researchers-identify-multiple-china-hacker-groups-exploiting-ivanti-security-flaws/
[6] https://thereviewhive.blog/chinese-actors-exploit-ivanti-vulnerabilities-mandiant-uncovers-devious-lateral-movement-techniques/
[7] https://www.infosecurity-magazine.com/news/chinese-threat-ttps-ivanti/
[8] https://techempiresolutions.wordpress.com/2024/04/05/researchers-find-multiple-chinese-hacking-groups-exploiting-ivanti-security-flaw/
[9] https://cybersecuritynews.com/chinese-hacking-groups-vpn/