The U.S. National Security Agency (NSA) has disclosed its surveillance of cyberattacks exploiting vulnerabilities in Ivanti’s widely utilized enterprise VPN appliance, with specific targeting observed within the U.S. defense sector.
NSA spokesperson Edward Bennett, in response to inquiries from TechCrunch, confirmed on Friday that the agency, alongside its interagency partners, is actively “tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include the U.S. defense sector.” He further stated that the NSA’s Cybersecurity Collaboration Center continues its collaborative efforts to detect and mitigate these malicious activities.
This confirmation follows recent reports by Mandiant revealing extensive attempts by suspected Chinese espionage hackers to exploit vulnerabilities in Ivanti Connect Secure, a prevalent remote access VPN software employed by numerous corporations and large entities worldwide.
Mandiant’s analysis found that the threat group UNC5325, which it links to Chinese espionage, has systematically targeted various sectors, including the U.S. defense industrial base, drawing on a detailed understanding of Ivanti Connect Secure and employing evasion tactics such as “living-off-the-land” techniques and the deployment of novel malware.
A subsequent advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) echoed these concerns, warning that attackers could retain root-level persistence even after a factory reset, and highlighted the difficulty of detecting compromise after exploitation.
In response, Ivanti’s Chief Information Security Officer, Mike Riemer, contested CISA’s assertions, expressing confidence in the efficacy of Ivanti’s security updates and reset protocols.
The scope of impact remains uncertain, although analyses by Akamai suggest a substantial volume of exploitation attempts, exceeding 250,000 daily, targeting over 1,000 customers since the campaign’s inception in January.