Ivanti Connect Secure products have been subjected to a torrent of attacks in recent weeks, according to analysis from Akamai, with over a quarter of a million attempts recorded each day.
Akamai’s observations come in the wake of an initial vulnerability disclosure in January.
The firm disclosed the presence of zero-day vulnerabilities which specifically affected two Ivanti systems, the Ivanti Connect Secure and Ivanti Policy Secure gateways.
In a security advisory issued by Ivanti at the time, it was revealed that successful exploitation requires chaining two other vulnerabilities together.
CVE-2023-46805, the first of the two, is an authentication bypass vulnerability, achieved by using path traversals to get around access control checks.
The second, CVE-2024-21887, allows an authenticated user with admin privileges to execute arbitrary commands.
In tandem, a threat actor is able to engage in remote code execution, compromising the integrity of an organization's VPN and allowing a foothold in critical systems.
According to Akamai, intense scanning by threat actors who sought to exploit this vulnerability began in mid-January when the vulnerability was revealed in more detail.
Exploitation attempts skyrocketed, prompting the Cybersecurity and Infrastructure Agency (CISA) to express concern. CISA described Ivanti’s VPNs as liable for creating an “unacceptable risk” in the cyber security landscape.
Despite these outcries, however, the vulnerability has remained persistently problematic so far.
Akamai said it recorded a substantial surge in “widespread exploitation” of Ivanti Connect Secure and Ivanti Policy Secure in the 24 hours following the vulnerability's disclosure.
Most of these attack attempts were probes, the firm said, in which threat actors attempted to deliver payloads with the intention of sending beacon requests back to attacker-controlled domains.
This, in turn, would provide a proof of concept (PoC) for successful remote command execution.
Ivanti Connect Secure threats are still pervasive
The volume of these attacks has been huge, with around a quarter of a million attempts waged each day on the Ivanti products.
Over a thousand customers have been targeted so far, according to Akamai, and over 10,000 domains have been affected, highlighting the scale of threats faced by users. The vast majority are enterprise-level clients.
Security company Volexity, who had been tracking the hackers in January, dubbed the group responsible as ‘UTA0178,’ a China-backed malicious actor cohort. The latest data, though, may suggest otherwise.
Akamai observed over 3,300 unique attacking IP addresses, as well as attack traffic from 18 different countries, suggesting that this is likely a more global and more widespread problem.
“Understanding and fortifying the security measures surrounding Ivanti Connect Secure becomes imperative to safeguard against potential cyber threats and intrusions that are targeting enterprise networks,” Akamai said.
