Ivanti, a company specializing in IT management and cybersecurity solutions, says it has discovered two vulnerabilities in its VPN services. The first vulnerability “allows an unauthenticated attacker to cause remote execution of arbitrary code”, warns the French government’s Center for Monitoring, Alerting and Response to Computer Attacks, which relayed Ivanti’s alert.
According to the Utah-based company, the flaw is a buffer overflow error, a vulnerability that occurs when a program writes more data into a region of memory than that region was sized to hold. It is rated critical.
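To make the definition above concrete, here is a generic C illustration of the bug class and of the bounds check that prevents it. This is added example code written for this article; it is not Ivanti's code and makes no claim about how the Ivanti flaw itself works. The buffer size, the helper names and the sample inputs are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a fixed-size stack or struct buffer of 16 bytes. */
#define BUF_SIZE 16

/* Constructed sample inputs: one fits, one is longer than the buffer. */
static const char SHORT_INPUT[] = "hello";
static const char LONG_INPUT[]  = "this string is much longer than 16 bytes";

/* Shared destination buffer used by the demo and the checks below. */
static char g_buf[BUF_SIZE];

/* The bug class: copies the entire source regardless of how large the
 * destination is. If strlen(src) + 1 > dst_size, memory past the end of
 * dst is overwritten. Kept here only to show the pattern; the demo never
 * calls it with an oversized input. */
static void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src);            /* no length check */
}

/* Defensive check: returns 1 if copying src (plus its terminator) into a
 * buffer of dst_size bytes would overflow, 0 otherwise. */
int would_overflow(const char *src, size_t dst_size)
{
    return strlen(src) + 1 > dst_size;
}

/* Hardened copy: rejects input that does not fit instead of truncating
 * silently. Returns the number of bytes copied (excluding the terminator)
 * or -1 when the input was refused. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dst_size)
        return -1;               /* caller must handle the rejection */
    memcpy(dst, src, n + 1);     /* n + 1 copies the NUL terminator too */
    return (int)n;
}

int main(void)
{
    int rc;

    /* Only the short input is ever passed to the unchecked routine. */
    unsafe_copy(g_buf, SHORT_INPUT);
    printf("unsafe_copy with short input: \"%s\"\n", g_buf);

    printf("would_overflow(LONG_INPUT) = %d\n",
           would_overflow(LONG_INPUT, BUF_SIZE));

    rc = safe_copy(g_buf, BUF_SIZE, LONG_INPUT);
    printf("safe_copy with long input returned %d (rejected)\n", rc);

    rc = safe_copy(g_buf, BUF_SIZE, SHORT_INPUT);
    printf("safe_copy with short input returned %d: \"%s\"\n", rc, g_buf);
    return 0;
}
```

The point of the contrast is the missing length comparison: the unchecked routine trusts the caller, whereas the hardened one treats the destination size as part of the contract and refuses input that does not fit rather than truncating it, so the failure is visible to the caller and can be logged.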
A trio of malware families on the attack
By Ivanti’s own admission, the flaw was exploited by cybercriminals to spread malware. However, the number of victims remains limited, Ivanti reassures. According to investigations by researchers at Mandiant, a subsidiary of Google, the vulnerability has been used to spread a trio of malware families, namely Spawn, Dryhook and Phasejam, since mid-December.
For the moment, Mandiant is unable to attribute the exploitation to a specific hacking group. However, suspicions fall on two China-backed cyberespionage groups. Mandiant notes that "multiple actors may be responsible for the creation and deployment" of the different malware families.
Data theft
The hackers' goal appears to be to steal databases stored on the device, often containing sensitive information such as VPN sessions, session cookies, API keys, certificates, or other credentials. Usernames and passwords are also intercepted and exfiltrated during authentication processes.
In the process, Ivanti says it has discovered a second memory corruption vulnerability in its VPN tools. Rated high severity, it requires authentication to exploit and permits only privilege escalation.
Ivanti emphasizes that it has deployed a patch to address both vulnerabilities. However, the patch for the Policy Secure and Neurons for ZTA (Zero Trust Access) gateways will have to wait until January 21, 2025. This is not the first flaw identified in Ivanti's Connect Secure products. A few months ago, the Cybersecurity and Infrastructure Security Agency (CISA) was hacked through vulnerabilities in products designed by Ivanti. The agency had neglected to update two systems with the patches.
Source: Ivanti