Ivanti Zero-days – What You Need to Know

By Karla Reffold

Cyber news this week includes multiple headlines about zero-days in the Ivanti Connect Secure and Policy Secure gateway products. The company announced two zero-days (CVE-2024-21887 and CVE-2023-46805) on January 10th and, as the investigation progressed, an additional two (CVE-2024-21888 and CVE-2024-28193). On January 31st, CISA issued an advisory instructing federal agencies to disconnect these Ivanti products by February 3rd and provided mitigation suggestions for organizations.

Of the four zero-days, active exploitation has been observed for three. Ivanti has stated there is no evidence of exploitation for CVE-2024-21888. This is common when companies announce new vulnerabilities: not all of them will be under active exploitation, and some may not even be exploitable in practice.

It is important to note that the exploitation has been attributed to a Chinese espionage group, tracked as UNC5221. This identifier is new and was created as the campaign was investigated further. Espionage groups typically target government organizations or organizations that hold intellectual property aligned to their goals. As such, the directive by CISA is justified, but the urgency may be less relevant to smaller businesses without information of interest to nation-state threat actors. However, financially motivated threat actors may adapt their techniques in the coming weeks to take advantage of the new vulnerabilities.

Although later than hoped, Ivanti issued patches for these vulnerabilities on January 31st. The CISA statement advises organizations to conduct threat hunting on their systems if they have been running these products in the last few weeks. Details of threat actor activity after exploitation and indicators of compromise (IOCs) can be found here.

Takeaways

  1. Organizations that are a target for nation-states should pay particular attention to this campaign and mitigation advice.
  2. Organizations that are not a target should still patch their systems and conduct threat hunting.
  3. Organizations should continue to prioritize vulnerabilities that are known to be exploited before prioritizing others.


Published On: February 2, 2024 | Categories: Blog, Resources
