The U.S. National Security Agency has confirmed that hackers exploiting flaws in Ivanti’s widely used enterprise VPN appliance have targeted organizations across the U.S. defense sector.
NSA spokesperson Edward Bennett confirmed in an emailed statement to TechCrunch on Friday that the U.S. intelligence agency, along with its interagency counterparts, is “tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include of the [sic] U.S defense sector.”
“The [NSA’s] Cybersecurity Collaboration Center continues to work with our partners to detect and mitigate this activity,” the spokesperson added.
Confirmation that the NSA is tracking these cyberattacks comes days after Mandiant reported that suspected Chinese espionage hackers have made “mass attempts” to exploit multiple vulnerabilities impacting Ivanti Connect Secure, the popular remote access VPN software used by thousands of corporations and large organizations worldwide.
Mandiant said earlier this week that the China-backed hackers tracked as a threat group it calls UNC5325 had targeted organizations across a variety of industries. This includes the U.S. defense industrial base sector, a worldwide network of thousands of private sector organizations that provide equipment and services to the U.S. military, Mandiant said, citing earlier findings from security firm Volexity.
In its analysis, Mandiant said UNC5325 demonstrates “significant knowledge” of the Ivanti Connect Secure appliance and has employed living-off-the-land techniques — the use of legitimate tools and features already present on the targeted system — to better evade detection. The China-backed hackers have also deployed novel malware “in an attempt to remain embedded in Ivanti devices, even after factory resets, system upgrades, and patches.”
This was echoed in an advisory released by U.S. cybersecurity agency CISA on Thursday, which warned that hackers exploiting vulnerable Ivanti VPN appliances may be able to maintain root-level persistence even after performing factory resets. The federal cybersecurity agency said its own independent tests showed successful attackers are capable of deceiving Ivanti’s Integrity Checker Tool, which can result in a “failure to detect compromise.”
Ivanti field chief information security officer Mike Riemer pushed back on CISA’s findings, telling TechCrunch that Ivanti does not believe CISA’s tests would work against a live customer environment. Riemer added that Ivanti “is not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”
It remains unknown exactly how many Ivanti customers are affected by the widespread exploitation of the Connect Secure vulnerabilities, which began in January.
Akamai said in an analysis published last week that hackers are launching approximately 250,000 exploitation attempts each day and have targeted more than 1,000 customers.