Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Ivanti bugs are still being targeted by Chinese hackers, Google warns

A person at a laptop with a cybersecure lock symbol floating above it.

Hackers are still abusing multiple vulnerabilities in Ivanti products, which were discovered and patched early this year. 

Among them is Volt Typhoon, an infamous Chinese-backed hacking collective, warned cybersecurity researchers from Google-owned Mandiant, reporting “multiple clusters of activity” surrounding CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. 

These three flaws, affecting Ivanti Connect Secure and Ivanti Policy Secure gateways, were discovered early this year, after Ivanti warned of multiple hacking groups abusing them to take over vulnerable devices.

Dropping malware and cryptominers

Soon after, the US Cybersecurity and Infrastructure Security Agency (CISA) warned government agencies to patch the flaws immediately, as they were being used en-masse, mostly by Chinese-sponsored actors. 

The sharp increase in attacks started on or after January 11, with government agencies, small and medium-sized businesses (SMB), and enterprises, all falling victim. While the hackers did not choose any particular industry, the majority of the victims were in aerospace, banking, defense, and government.

Mandiant said that it started tracking Volt Typhoon in February 2024, as it engaged in multiple campaigns against the energy and defense sectors in the U.S. Besides this hacking collective, the researchers said that four other groups were active, as well: UNC5221, UNC5266, UNC5330, and UNC5337.

“In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining,” Mandiant said. 

Luckily enough, Mandiant says there is no evidence Volt Typhoon successfully breached anyone’s Connect Secure instances.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” they said. “Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure.”

In places where the attackers had been successful, they would mostly deploy TERRIBLETEA, PHANTOMNET, TONERJAM, SPAWNSNAIL, and SPAWNMOLE malware variants. 

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.