Five Chinese cyberespionage groups, including Volt Typhoon, along with other threat groups, have carried out numerous intrusions in recent months exploiting the Ivanti Connect Secure and Policy Secure gateway vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, according to The Record, a news site by cybersecurity firm Recorded Future.
UNC5221 was the only cyberespionage cluster to begin exploiting the Ivanti vulnerabilities before they were disclosed, while Volt Typhoon's attacks did not result in successful compromise, a report from Mandiant revealed.
Other China-nexus espionage clusters were observed leveraging the flaws to deploy various malware, including PHANTOMNET, SPAWNMOLE, TONERJAM, SPAWNSNAIL, and TERRIBLETEA, and further investigation showed that four malware families were used to establish stealthy, persistent backdoors.
"In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as cryptomining," said researchers.