Ivanti VPN security flaws are being attacked again by Chinese hackers

A known group is demonstrating “significant knowledge” of the Ivanti Connect Secure appliance

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The recently discoveredIvanti VPN security flawsare still being abused, researchers have claimed - with Chinese hackers now taking advantage of the vulnerabilities to deploy all kinds of malware.

Cybersecurity researchers fromGoogle-owned Mandiant have claimed the Chinese group UNC5325 is using a combination of living-off-the-land techniques to prevent being detected on the devices, as it drops novelmalware.

This malware, the researchers argue, can survive factory resets, system upgrades, and patches.

Unsupported OS and other woes

In order to achieve it, the Chinese hackers gained a “nuanced understanding” and “significant knowledge” of the Ivanti Connect Secure appliance. Users should “immediately take action to ensure protection if they haven’t done so already,” Mandiant says, pointing the users to the direction of Ivanti’s latestsecurity advisory.

Furthermore, users should use Ivanti’s new external integrity checker, as well as Mandiant’s updated Hardening Guide.

The researchers also said that there is a possibility of a second threat actor, tracked as UNC3886, also jumping on the bandwagon. While some reports put this threat actor under the command of the Chinese government, others argue that UNC5325 and UNC3886 are the same entity.

In early January 2024, Ivanti reported discovering and patching a critical remote code execution (RCE) vulnerability in one of its products, which could have allowed threat actors to drop all kinds of malware. Soon after, all hell broke loose for Ivanti, as it later discovered a handful of additional vulnerabilities, which were getting exploited on a massive scale, by threat actors from all over the world.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Subsequent investigation uncovered that Ivanti used the CentOS 6.4.operating systemfor its products, which was unsupported for years at that point:

“Pulse Secure runs an 11-year-old version of Linux which hasn’t been supported since November 2020,” security analysts from Eclypsium said in a report analyzing firmware version 9.1.18.2-24467.1.

In early February, the US government told its agencies using Ivanti Connect Secure and Ivanti Policy Secure todisconnect these solutions immediatelyand not turn them back on until they’re absolutely certain they’ve been properly patched, and their networks disinfected from possible hacker incursions.

The patches Ivanti released are effective, but only if they were applied before any incursions. If a threat actor established persistence on an endpoint beforehand, applying the fix will not help.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Should your VPN always be on?

3 reasons why PIA fell in our best VPN rankings

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)