Jan 12, 2024 - Technology

Suspected China-backed hackers target unpatched flaws in popular remote work tool


Illustration: Aïda Amer/Axios

Ivanti, a popular provider of enterprise work tools, confirmed that hackers are actively exploiting critical vulnerabilities in two of its products.

Why it matters: Ivanti has more than 40,000 customers, and attackers are believed to have been targeting those customers for about a month before Ivanti discovered the problems.

Threat level: Researchers at cybersecurity firm Volexity suspect that a Chinese state-backed hacking group is actively exploiting these security flaws to gain access to companies' networks.

  • Ivanti has released new mitigations to make it harder to exploit these issues, but patches won't start to become available until the week of Jan. 22.

Details: The company said it's aware of fewer than 10 customers that hackers have targeted using the vulnerabilities.

  • The vulnerabilities affect Ivanti's Connect Secure VPN devices, formerly known as Pulse Secure, and its Ivanti Policy Secure tool.
  • Hackers can chain the bugs to bypass user authentication and inject commands. Once inside, they have been able to steal configuration data and login credentials, modify existing company files, and download remote files, according to Volexity.
  • Volexity's researchers said in a blog post Wednesday that they believe hackers have been targeting the flaws since as early as Dec. 3.

The big picture: Hackers have gotten better at quickly identifying and exploiting so-called zero-day vulnerabilities, bugs that are exploited before the affected company has identified or patched them.

  • Experts anticipate that even more attacks will rely on zero-days in 2024.

Be smart: Ivanti has provided mitigation guidance to help keep hackers out of companies' networks until the full patches are ready.

  • Customers should also study their internal activity logs and other information for signs of an ongoing breach, Volexity recommended.

What we're watching: It often takes weeks or months for companies to identify when hackers used a zero-day vulnerability to access their systems.
