Ivanti’s zero-day victims increase; Mandiant adds valuable insights


TL;DR: The number of organizations compromised by zero-day bugs in Ivanti products is growing, according to Mandiant’s threat intelligence team. The vulnerabilities in Ivanti Connect Secure and Policy Secure gateways were disclosed by Ivanti and were already being exploited. The victim count, initially reported as fewer than 10, has since increased. Neither flaw currently has a patch; Ivanti hopes to start rolling out patches in late January. The vulnerabilities allow unauthenticated remote code execution, meaning attackers can take control of an organization’s Ivanti network appliances and from there infiltrate its IT environment. Mandiant has identified abuse of the bugs by a suspected espionage team, UNC5221, and has seen in-the-wild attacks as early as December. The attackers primarily used hijacked Cyberoam VPN appliances as command-and-control servers, and they used various pieces of bespoke malware to achieve persistence and avoid detection. Mandiant’s investigation is ongoing, and the victim count is likely to keep growing as organizations discover their compromised devices.
