Ivanti bugs are still being targeted by Chinese hackers, Google warns


Hackers are still abusing multiple vulnerabilities in Ivanti products that were discovered and patched early this year.

Among them is Volt Typhoon, an infamous Chinese state-backed hacking collective, according to cybersecurity researchers at Google-owned Mandiant, who reported “multiple clusters of activity” around CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

These three flaws, affecting Ivanti Connect Secure and Ivanti Policy Secure gateways, came to light early this year, when Ivanti warned that multiple hacking groups were abusing them to take over vulnerable devices.

Dropping malware and cryptominers

Soon after, the US Cybersecurity and Infrastructure Security Agency (CISA) warned government agencies to patch the flaws immediately, as they were being exploited en masse, mostly by Chinese state-sponsored actors.

The sharp increase in attacks started on or after January 11, with government agencies, small and medium-sized businesses (SMBs), and enterprises all falling victim. While the hackers did not target any particular industry, the majority of the victims were in aerospace, banking, defense, and government.

Mandiant said that it started tracking Volt Typhoon in February 2024, as the group engaged in multiple campaigns against the energy and defense sectors in the U.S. Besides this hacking collective, the researchers said that four other groups were also active: UNC5221, UNC5266, UNC5330, and UNC5337.

“In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining,” Mandiant said. 

Luckily enough, Mandiant says there is no evidence Volt Typhoon successfully breached anyone’s Connect Secure instances.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” they said. “Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure.”

Where the attackers were successful, they mostly deployed the TERRIBLETEA, PHANTOMNET, TONERJAM, SPAWNSNAIL, and SPAWNMOLE malware families.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.