Hackers Exploit Ivanti VPN Flaw to Install New Malware

A newly discovered vulnerability in Ivanti Connect Secure VPN systems, tracked as CVE-2025-0282, has been actively exploited by hackers to deploy custom malware. This critical security flaw affects older versions of Ivanti's VPN appliances, including Connect Secure, Policy Secure, and Neurons for ZTA gateways. Despite the wide impact, Ivanti has clarified that the attacks are currently limited to a small number of customers.

The flaw is a stack-based buffer overflow that hackers could trigger with specially crafted requests to breach systems. Mandiant, a leading cybersecurity firm, reported that the breaches started in December 2024. Using this flaw, hackers accessed the compromised devices, disabled important security settings, and installed malicious software.

New Malware Families Identified

During the investigation, two previously unknown malware families, Dryhook and Phasejam, were discovered on infected systems. There is no established connection between these malware families and any known hacking groups. In addition, the hackers used a toolkit named Spawn, which is also used by suspected Chinese espionage groups.

Dryhook: This malware captures login credentials, such as usernames and passwords, during the authentication process.

Phasejam: A dropper that installs malicious web shells, allowing hackers to execute commands remotely.  

How the Attack Works  

The attack process involves several steps:  

1. Identifying Targets: Hackers scan devices using specialized HTTP requests to identify vulnerable systems.  

2. Exploitation: They exploit the CVE-2025-0282 flaw to bypass security.

3. Malware Deployment: They disable protections, modify system files, and install tools such as backdoors and tunneling utilities once inside.  

4. Data Theft: They steal sensitive information, including session details and credentials. This data is often archived and staged for transfer via public servers.  

5. Maintaining Access: Hackers alter upgrade processes, making their changes persist even after system updates.

When the vulnerability was discovered, more than 3,600 Ivanti VPN devices were exposed online. Although the number decreased to around 2,800 after the software patch, most systems are still exposed to this threat.

What Can Be Done? 

To defend against this threat, Ivanti advises doing the following:

  • Update Software: Install the latest version of Ivanti Connect Secure, version 22.7R2.5 or newer.
  • Factory Reset: Perform a factory reset on the appliance to remove any malware left on the device.
  • Monitor for Signs of Attack: Use the IoCs and detection rules shared by Mandiant to identify malicious activity.
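The first item above is a fleet-wide check in practice: every appliance's version must be compared against the 22.7R2.5 fix threshold. The script below is an added illustration, not Ivanti's or Mandiant's tooling; it assumes Ivanti's "major.minorRrelease.patch" version format and a constructed hostname-to-version inventory, and treats "or newer" as a plain numeric comparison.

```python
import re

# Ivanti Connect Secure version strings look like "22.7R2.5" or "22.7R2":
# major.minor, "R" + release, then an optional ".patch".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Minimum fixed version named in the post; "or newer" is read here as a
# plain numeric comparison (assumption, not an Ivanti-documented rule).
FIXED_VERSION = "22.7R2.5"

def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse an ICS version string into (major, minor, release, patch)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {text!r}")
    major, minor, release, patch = m.groups()
    # A missing ".patch" suffix (e.g. "22.7R2") counts as patch level 0.
    return int(major), int(minor), int(release), int(patch or 0)

def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket an {hostname: version} inventory for follow-up."""
    result = {"patched": [], "needs_update": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        try:
            bucket = "patched" if is_patched(ver) else "needs_update"
        except ValueError:
            bucket = "unknown"  # cannot decide; check the appliance by hand
        result[bucket].append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vpn-hq.example.internal": "22.7R2.5",
    "vpn-dr.example.internal": "22.7R2.4",
    "vpn-lab.example.internal": "22.7R2",
    "vpn-old.example.internal": "9.1R18.9",
    "vpn-new.example.internal": "22.7R3.1",
    "vpn-bad.example.internal": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "needs_update" bucket are the ones to patch and, per the post's second item, to factory reset rather than only upgrade in place.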

Why it Matters

This incident shows how essential it is for organizations to take their cybersecurity seriously. Attackers have become highly sophisticated, stealing the most sensitive data through widely used systems such as VPNs. Businesses need to stay alert, keep their systems updated, and revise their security policies regularly to counter these threats.

Lessons from the Ivanti VPN Cyberattack: Security Breaches and Mitigation Strategies

The recent cyberattack on Ivanti’s VPN software has prompted swift action from the Cybersecurity and Infrastructure Security Agency (CISA). This incident not only highlights the need for stronger cybersecurity measures but also raises important questions about exploit techniques, organizational responses to security breaches, and the escalating costs associated with downtime. 

The vulnerabilities in Ivanti’s VPN gateway allowed threat actors to bypass authentication and gain unauthorized access. Attackers could send maliciously crafted packets to infiltrate the system without needing to steal credentials, giving them access to user credentials, including domain administrator credentials. A second vulnerability enabled the injection of malicious code into the Ivanti appliance, allowing attackers to maintain persistent access, even after reboots or patches. Security researchers, including Mandiant, identified that Ivanti’s initial mitigations were insufficient. 

CISA warned that Ivanti’s interim containment measures were not adequate to detect compromises, leaving systems vulnerable to persistent threats. This uncertainty about the effectiveness of proposed mitigations necessitated CISA’s prompt intervention. The ability of attackers to gain persistent access to a VPN gateway poses significant risks. From this trusted position, attackers can move laterally within the network, accessing critical credentials and data. The compromise of the VPN allowed attackers to take over stored privileged administrative account credentials, a much more severe threat than the initial breach. In response to the breach, CISA advised organizations to assume that critical credentials had been stolen. 

Ivanti’s failure to detect the compromise allowed attackers to operate within a trusted zone, bypassing zero-trust principles and exposing sensitive data to heightened risks. The severity of the vulnerabilities led CISA to take the unusual step of taking two of Ivanti’s systems offline, a decision made to protect the most sensitive credentials. Despite later clarifications from Ivanti that patches could have been applied more discreetly, the miscommunications highlight the importance of clear, open channels during a crisis. Mixed messages can lead to unnecessary chaos and confusion. System-level downtime is costly, both in terms of IT resources required for shutdown and recovery and the losses incurred from service outages. 

The exact cost of Ivanti’s downtime remains uncertain, but for mission-critical systems, such interruptions are extremely expensive. This incident serves as a warning about the costs of addressing the aftermath of a cyberattack. CISA’s decision to shut down the systems was based on the potential blast radius of the attack. The trusted position of the VPN gateway and the ability to export stored credentials made lateral movement easier for attackers. 

Building systems based on the principle of least privilege can help minimize the blast radius of attacks, reducing the need for broad shutdowns. The Ivanti VPN cyberattack underscores the pressing need for robust cybersecurity measures. Organizations must adopt proactive infrastructure design and response strategies to mitigate risks and protect critical assets. Reducing the number of high-value targets in IT infrastructure is crucial. Privileged account credentials and stored keys are among the highest value targets, and IT leaders should prioritize strategies and technologies that minimize or eliminate such targets. 

MITRE Breach: State Hackers Exploit Ivanti Zero-Days

A state-backed hacking group successfully breached MITRE Corporation’s systems in January 2024 by exploiting two Ivanti VPN zero-day vulnerabilities. 

The incident was detected after suspicious activity was observed on MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development. Fortunately, the breach did not impact MITRE’s core enterprise network or its partners’ systems.

The MITRE Corporation

The MITRE Corporation claims that in January 2024, a state-sponsored hacking organization infiltrated its systems by chaining two Ivanti VPN zero-days.

The issue was discovered when suspicious activity was noticed on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaboration network for research and development.

So far, evidence gathered throughout the inquiry indicates that the breach had no impact on the organization's core enterprise network or the systems of its partners.

The Breach

MITRE has since alerted affected parties of the incident, contacted appropriate authorities, and is currently attempting to restore "operational alternatives."

"No organization is immune to this type of cyber attack, not even one that strives for the highest level of cybersecurity," MITRE CEO Jason Providakes stated on Friday.

MITRE CTO Charles Clancy and Cybersecurity Engineer Lex Crumpton noted in a separate advisory that the threat actors broke into one of MITRE's Virtual Private Networks (VPNs) by chaining two Ivanti Connect Secure zero-days.

They were also able to circumvent multi-factor authentication (MFA) by hijacking sessions, which allowed them to move laterally through the compromised network's VMware infrastructure using a compromised administrator account.

Throughout the incident, the hackers used a combination of sophisticated webshells and backdoors to maintain access to compromised systems and harvest credentials.

Since early December, two security vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), have been used to distribute several malware families for espionage objectives.

Global Impact

Mandiant tied these assaults to an advanced persistent threat (APT) known as UNC5221, while Volexity discovered evidence that Chinese state-sponsored hackers were using the two zero-days.

Volexity stated that Chinese hackers backdoored over 2,100 Ivanti appliances, gathering and stealing account and session data from compromised networks. The victims ranged in size from small firms to some of the world's largest organizations, including Fortune 500 companies in a variety of industries.

Because of their widespread exploitation and large attack surface, CISA issued this year's first emergency directive on January 19, instructing government agencies to mitigate the Ivanti zero-days immediately.