The U.S. National Security Agency (NSA) has confirmed that hackers are exploiting vulnerabilities in Ivanti’s enterprise VPN appliance to target organizations in the U.S. defense sector. This confirmation comes after Mandiant reported that suspected Chinese espionage hackers have been making “mass attempts” to exploit multiple vulnerabilities impacting Ivanti Connect Secure, a popular remote access VPN software used by thousands of corporations and large organizations worldwide.
Key Takeaway
The NSA is actively tracking cyberattacks exploiting Ivanti’s VPN vulnerabilities, with a focus on the U.S. defense sector. The threat group UNC5325, suspected to be backed by China, has demonstrated significant knowledge of the Ivanti Connect Secure appliance and is employing advanced techniques to evade detection.
NSA’s Response
NSA spokesperson Edward Bennett stated that the U.S. intelligence agency, along with its interagency counterparts, is actively tracking and aware of the broad impact from the recent exploitation of Ivanti products, including the U.S. defense sector. The NSA’s Cybersecurity Collaboration Center is working with partners to detect and mitigate this activity.
Threat Group UNC5325
Mandiant’s report highlighted that the threat group UNC5325, suspected to be backed by China, has targeted organizations across various industries, including the U.S. defense industrial base sector. The hackers have demonstrated significant knowledge of the Ivanti Connect Secure appliance and have employed living-off-the-land techniques to evade detection. Additionally, they have deployed novel malware to remain embedded in Ivanti devices, even after factory resets, system upgrades, and patches.
CISA’s Advisory
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that hackers exploiting vulnerable Ivanti VPN appliances may be able to maintain root-level persistence even after performing factory resets. CISA’s independent tests showed that attackers can deceive Ivanti’s Integrity Checker Tool, resulting in a “failure to detect compromise.”
