One of two new high-severity bugs in Ivanti exploited in the wild

Ivanti has disclosed two new high-severity bugs affecting its Connect Secure and Policy Secure products, one of which has already been exploited in the wild.

The exploited flaw, CVE-2024-21893, a server-side request forgery in the products' SAML component, appears to be used in targeted attacks, Ivanti said in a Jan. 31 notice to customers that also shipped patches. Ivanti said it expects a sharp increase in exploitation now that the information is public, and that it is not aware of the other bug disclosed Wednesday, CVE-2024-21888, a privilege escalation in the web component, having impacted any customers.

Adding to the seriousness of these flaws, Mandiant researchers report that since their initial Jan. 12 write-up on the earlier Ivanti vulnerabilities they have identified broad exploitation activity, both by the original threat actor, UNC5221, and by various other, as yet uncategorized, threat groups. In a Jan. 31 blog post, Mandiant now classifies UNC5221 as a suspected China-nexus espionage actor and says it has observed a bypass of Ivanti's earlier mitigation in the wild. That bypass led to the deployment of a custom webshell tracked as "BUSHWALK," which lets the attacker read or write files on the compromised appliance. For defenders, the practical point is that the mitigation published for the earlier bugs cannot be relied on: the new patches should be applied, and devices treated as potentially compromised until checked.

"After further analysis of UNC5221's TTPs, Mandiant now suspects that UNC5221 is a Chinese-nexus threat actor," said Charles Carmakal, Mandiant Consulting CTO. "We're aware that Volexity initially suspected this, but Mandiant didn't have enough data to independently determine UNC5221's origin and corroborate this claim until now."