Mandiant (part of Google Cloud)’s Post

“Since our last blog post on Ivanti exploitation, Mandiant has identified UNC5325 exploiting CVE-2024-21893 (SSRF) to deploy additional malware and maintain persistent access to compromised appliances. In addition, we have observed new TTPs that attempted to enable the custom backdoors to persist across factory resets, system upgrades, and patches. The limited attempts observed to maintain persistence have not been successful to date.”

This is just so fascinating case, no less so that now Mandiant connects (with moderate confidence) UNC5325 that is behind Ivanti exploitation with UNC3886, which is a group that went after VMware vCenter and ESXi.

"Ivanti customers are urged to take immediate action to ensure protection if they haven't done so already. A new version of the external Integrity Checking Tool (ICT), which helps detect these persistence attempts, is now available. See Ivanti's security advisory and refer to our updated remediation and hardening guide, which includes the latest recommendations." https://lnkd.in/gvqixMYs

🚨 Security Alert: Ivanti Connect Secure Vulnerabilities Exploited by UNC5325 🚨 Our latest investigation, in collaboration with Ivanti, uncovers ongoing zero-day exploitation impacting a range of industries, including the U.S. defense sector. UNC5325, a China-nexus threat actor, utilizes living-off-the-land techniques and deploys novel malware like LITTLELAMB.WOOLTEA to persistently target priority systems. 🔍 Key Findings: Mandiant & Ivanti identify mass Ivanti zero-day exploitation by China-nexus actors. UNC5325 deploys advanced techniques, attempting to persist across upgrades and patches. Successful exploitation observed on Ivanti Connect Secure appliances. 🛠️ Mitigation & Recommendations: Ivanti releases Integrity Checking Tool (ICT) to detect persistence attempts. Urgent action required: Update appliances, follow remediation guides. Enhanced vigilance urged due to evolving TTPs and potential new threat actors leveraging these vulnerabilities. 📅 Vulnerability Overview: Five disclosed vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, CVE-2024-22024) affecting Ivanti Connect Secure and related products. 🌐 #CyberSecurity #ThreatIntelligence #ZeroDay #Ivanti #UNC5325 #VulnerabilityManagement #IncidentResponse

#informationsecurity #itsecurity #cybersecurity #cybersecurityawareness #patchmanagement #vulnerabilitymanagement Despite initial mitigations, attackers bypassed defenses, compromising even the device's configuration files, leading Ivanti to postpone its firmware patches, scheduled for January 22, to address the sophisticated threat. Due to the situation with active exploitation of multiple critical zero-day vulnerabilities, lack of effective mitigations, and lack of security updates for some of the impacted product versions, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances. https://lnkd.in/eRZDSgwP

Newly identified botnet targets decade-old flaw in unpatched D-Link devices. Why it matters: 1. The emergence of the Goldoon botnet underscores the importance of regularly updating and patching hardware. Even decade-old vulnerabilities can be exploited to infiltrate systems, carry out remote code execution, and launch DDoS attacks. 2. The sharp increase in Goldoon's activity in April signals the ongoing evolution of botnets as hackers continue to exploit older, yet unpatched security flaws to expand their attack networks. 3. Recent warnings from U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlight the ongoing national security risks posed by unpatched hardware, not just with D-Link but also other companies, underscoring the urgency for federal agencies to replace or retire obsolete devices. Learn more by visiting The Record from Recorded Future News: https://lnkd.in/eFaxG2hF

🚨 Critical Infrastructure Security Alert 🌐 CISA Warns of Ongoing Exploitation: QNAP NVR and Future X Communication Router Vulnerabilities 🔍 Current Threat Landscape: SecurityWeek highlights a crucial warning from the Cybersecurity and Infrastructure Security Agency (CISA) regarding active attacks on organizations within IT and commercial critical infrastructure sectors. The focus is on exploiting known vulnerabilities in QNAP network video recorder devices and Future X Communications routers. 🔓 Vulnerability Details: CISA's advisories pinpoint high-severity vulnerabilities: CVE-2023-47565: QNAP VioStor NVR devices. CVE-2023-49897: FXC's AE1021 and AE1021PE outlet wall routers. 🌐 Exploitation Insights: Akamai reports ongoing exploitation in the InfectedSlurs campaign. Malicious payloads captured in the wild install a Mirai-based malware, aiming to create a distributed denial-of-service (DDoS) botnet. 🛡️ Security Measures: Immediate Action: Organizations urged to apply available patches promptly. Default Password Risks: Both flaws may have originated from default passwords, emphasizing the need for password hygiene. 🔗 Remediation Efforts: Vendors have already patched the vulnerabilities. QNAP's fix dates back almost a decade, emphasizing the significance of timely updates. 🚀 Stay vigilant against evolving threats. 🔐💻#CriticalInfrastructure #VulnerabilityManagement #CISA #QNAPNVR #FutureXCommunication #CyberSecurity #InfoSecLeadership

Internet exposed OT devices can be more vulnerable to cyber attacks than other devices, either because they weren't designed with security in mind or because traditional security processes and tools aren't designed to operate on OT devices. Nevertheless, it's a real risk, and a growing concern. It's one more benefit of Protective DNS (PDNS) and deploying PDNS as the first step in your zero-trust implementation. Everything uses the network, and looking at the network traffic to identify anomalous communication and highlight malware talking to command-and-control is a common denominator across all devices. Perhaps that why CISA and the NSA recommend deploying PDNS, or why it's making its way into various security standards and models. If you haven't deployed PDNS yet, or are re-thinking your strategy, talk to the experts at HYAS. Your PDNS isn't worthwhile if it doesn't excel at efficacy and correctness, or flexibility and configurability of deployment, and maybe that's why HYAS Protect wins so many awards. Come find out why -- HYAS Protect can seamlessly drop into your existing environment -- and join the HYAS community around the world. #OT #cybersecurity #protectiveDNS #cyberesiliency https://lnkd.in/gBHdd-JY

🚨URGENT SECURITY ALERT🚨 The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances due to multiple critical zero-day vulnerabilities. Private organizations should seriously consider the security status of their Ivanti deployments and the trust of their environment in general. Stay informed and stay safe. #cybersecurity #securityalert #ivanti #zerodayvulnerabilities If you currently use Ivanti or have Ivanti deployments and require information on more secure options or alternatives, please contact me via in-mail or @: craig.mccann@exampleit.com.

In a world full of connected devices, it isn't "if" things will get hacked, it is "when". Cybersecurity is of paramount importance and protecting your enterprise is top to bottom. https://lnkd.in/g3iwJkEk