Subj : Ivanti bugs are still being targeted by Chinese hackers, Google w
To   : All
From : TechnologyDaily
Date : Fri Apr 05 2024 15:30:06

Ivanti bugs are still being targeted by Chinese hackers, Google warns

Date: Fri, 05 Apr 2024 14:16:29 +0000

Description: Months after the patch was released, Ivanti tools are still being targeted, mostly by Chinese state-sponsored actors.

FULL STORY
======================================================================

Hackers are still abusing multiple vulnerabilities in Ivanti products that were discovered and patched early this year. Among the attackers is Volt Typhoon, an infamous Chinese-backed hacking collective, warned cybersecurity researchers from Google-owned Mandiant, who reported multiple clusters of activity surrounding CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

These three flaws, affecting Ivanti Connect Secure and Ivanti Policy Secure gateways, were discovered early this year, after Ivanti warned that multiple hacking groups were abusing them to take over vulnerable devices.

Dropping malware and cryptominers

Soon after, the US Cybersecurity and Infrastructure Security Agency (CISA) warned government agencies to patch the flaws immediately, as they were being exploited en masse, mostly by Chinese state-sponsored actors. The sharp increase in attacks started on or after January 11, with government agencies, small and medium-sized businesses (SMBs), and enterprises all falling victim. While the hackers did not single out any particular industry, the majority of the victims were in aerospace, banking, defense, and government.

Mandiant said that it started tracking Volt Typhoon in February 2024, as it engaged in multiple campaigns against the energy and defense sectors in the U.S. Besides this hacking collective, the researchers said that four other groups were active as well: UNC5221, UNC5266, UNC5330, and UNC5337.

"In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining," Mandiant said.

Luckily enough, Mandiant says there is no evidence Volt Typhoon successfully breached anyone's Connect Secure instances. "Activity for this cluster started in December 2023 focusing on Citrix NetScaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024," they said. "Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure."

Where the attackers had been successful, they mostly deployed the TERRIBLETEA, PHANTOMNET, TONERJAM, SPAWNSNAIL, and SPAWNMOLE malware variants.

More from TechRadar Pro
- Ivanti warns Connect Secure zero-days exploited by hackers
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now

======================================================================
Link to news story: https://www.techradar.com/pro/security/ivanti-bugs-are-still-being-targeted-by-chinese-hackers-google-warns

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)