Volt Typhoon Compromises U.S. Critical Infrastructure (AA24-038A)

Description

Researchers have uncovered active exploitation of two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, in Ivanti Connect Secure VPN devices. These vulnerabilities allow unauthenticated remote code execution, involving an authentication-bypass flaw and a command-injection vulnerability in various web components. The attackers were found to be placing webshells on both internal and external web servers. Additionally, the investigation revealed that the ICS VPN appliance had its logs wiped and logging disabled, with suspicious inbound and outbound communication detected from its management IP address in historic network traffic. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Volexity and shared publicly https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/