US defense sector is under attack by China-backed hackers, with the NSA confirming Ivanti exploits are to blame

The Ivanti enterprise VPN application is being exploited by hackers to target the US defense sector, the US National Security Agency has confirmed.

The U.S. defense sector provides equipment and technology for the U.S. military, making a potential compromise by Chinese-backed groups a significant concern.

Speaking with TechCrunch, NSA spokesman Edward Bennett said the agency is “monitoring the broad impact of the recent exploitation of Ivanti products and is aware of the (sic) U.S. defense sector.”

250,000 exploitation attempts per day

Prior to the NSA confirmation, Mandiant reported that a Chinese-backed group, tracked as UNC5325, actively exploited the Ivanti Connect Secure software to infiltrate thousands of organizations around the world. The vulnerabilities in question are tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

The UNC5325 group carries out complex attacks and uses techniques such as living off the land to remain undetected while infiltrating target organizations. The US Cybersecurity & Infrastructure Security Agency (CISA) has an advisory which states that the group can remain active within compromised devices even after a factory reset.

According to CISA’s own testing, it is also possible to fool the built-in Ivanti Integrity Checker Tool during an attack, causing the tool to “fail to detect a compromise.” Furthermore, a report published by Akamai says that the UNC5325 group could launch as many as 250,000 attacks every day, reaching more than 1,000 customers.

Ivanti field CISO Mike Riemer told TechCrunch the company “is not aware of any instances of successful threat actor persistence after implementing the security updates and factory resets recommended by Ivanti.”

The attacks have been happening since January 2024, but the Biden administration has taken steps to boost national security by improving cybersecurity at ports and pressuring companies to switch to memory-safe programming languages.
