
Mounting impact of attacks exploiting Ivanti zero-days expected

Nearly 20 organizations using vulnerable Ivanti Connect Secure VPN appliances have been compromised by attacks chaining two zero-day flaws, tracked as CVE-2023-46805 and CVE-2024-21887, Ivanti has reported, up from the fewer than 10 entities initially disclosed to be impacted. The number of affected organizations is still expected to increase, The Hacker News reports.

The development comes as Mandiant noted that both vulnerabilities have been leveraged by a suspected state-sponsored threat operation, tracked as UNC5221, to deploy up to five distinct custom malware families since early last month. The malware distributed by UNC5221 using the flaws includes the ZIPLINE backdoor, which offers file upload and download as well as proxy server creation capabilities; the WARPWIRE credential harvester; the THINSPOOL shell script dropper; and the LIGHTWIRE web shell, according to the Mandiant report. The findings, which follow a Volexity report linking exploitation of the Ivanti bugs to the Chinese cyberespionage operation UTA0178, suggest "that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released," said Mandiant.
