Security News > 2024 > January > Infoseccers think attackers backed by China are behind Ivanti zero-day exploits

Security experts believe Chinese nation-state attackers are actively exploiting two zero-day vulnerabilities in security products made by Ivanti.

Ivanti believes fewer than ten victims have been successfully attacked thus far, but according to a Shodan scan by Beaumont, the number of vulnerable gateways exposed to the internet is just north of 15,000.

Researchers at Volexity disclosed the findings from an investigation into a customer believed to be one of the victims successfully targeted by attacks chaining two zero-days in Ivanti Connect Secure and Policy Secure gateways.

"In [one] particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance. Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool.".

Neither Ivanti nor Volexity have suggested the apparent motives of the attackers.

If the China nexus of the attacks is genuine, the country's actions in cyberspace have traditionally been focused on espionage and the theft of intellectual property, though it is widely believed it has the capability to launch highly disruptive attacks.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/11/china_backed_ivanti_exploits/