Number of orgs compromised via Ivanti VPN zero-days grows as Mandiant weighs in (Security News, January 2024)
Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team.
The software biz disclosed the vulnerabilities in Ivanti Connect Secure - the VPN server appliance previously known as Pulse Connect Secure - and its Policy Secure gateways on Wednesday.
A spokesperson for Ivanti told The Register the victim count was "Less than 10." It has since increased.
Mandiant is working with Ivanti to help clean up the mess, and on Friday weighed in with its own initial analysis, promising to add more details as its investigation into the matter continues.
While investigating the intrusions, Mandiant found that UNC5221 primarily used hijacked end-of-life Cyberoam VPN appliances as command-and-control servers in its attacks on Ivanti customers.
The threat hunters have identified five custom malware families used by UNC5221 after it infiltrates a target via the Ivanti flaws.
News URL: https://go.theregister.com/feed/www.theregister.com/2024/01/13/ivanti_zeroday_mandiant_analysis/