alt=3D render of a stylized black and red checkers board with abstract pieces.
Cyber security
2025-02-11 Post a Comment

Huge cyber attack under way – 2.8 million IPs being used to target VPN devices

By 

 

  • Millions of devices, likely infected with malware, are being used in a hacking campaign
  • Researchers spotted brute-force attacks against VPN and other internet-connected devices
  • The majority of the IP addresses are located in Brazil

A wide range of Virtual Private Network (VPN) and other networking devices are currently under attack by threat actors trying to break in to wider networks, experts have warned.

Threat monitoring platform The Shadowserver Foundation warned about the ongoing attack on X, noting someone is currently using roughly 2.8 million different IP addresses to try and guess the passwords for VPNs and similar devices built by Palo Alto Networks, Ivanti, SonicWall, and others.

Besides VPNs, the threat actors are going for gateways, security appliances, and other edge devices connected to the public internet.

Brute force

To conduct the attack, the threat actors are using MikroTik, Huawei, Cisco, Boa, and ZTE routers and other internet-connected devices, likely compromised with malware, or broken into themselves, thanks to weak passwords.

Speaking to BleepingComputer, The Shadowserver Foundation said that the attack recently increased in intensity.

From those 2.8 million, the majority (1.1 million) are located in Brazil, with the rest split between Turkey, Russia, Argentina, Morocco, and Mexico.

This is a typical brute-force attack, in which threat actors try to log into a device by submitting an enormous amount of username/password combinations, until one succeeds. Brute-force attacks are usually successful against devices protected with poor passwords (those that don’t have a strong combination of uppercase and lowercase letters, numbers, and special symbols). The whole process is automated, making it possible on a grander scale.

The automation part is made possible through malware. Usually, the devices used in the attack are part of a botnet, or a residential proxy service. Residential proxies are IP addresses assigned to real devices by internet service providers (ISPs). They make it appear as though the user is browsing from a legitimate residential location rather than a data center, which makes them a major target for cybercriminals.

read more
alt=Abstract red digital background with white "ivanti" logo in the center.
Cyber security
2025-01-10 Post a Comment

Ivanti warns of new Connect Secure flaw used in zero-day attacks

By

Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.

The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers’ appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.

CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a unauthenticated attacker to remotely execute code on devices.

While the flaw impacts all three products, Ivanti says they have only seen it exploited on Ivanti Connect Secure appliances.

“We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure,” reads an Ivanti blog post.

“We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways.”

Ivanti has rushed out security patches for Ivanti Connect Secure, which are resolved in firmware version 22.7R2.5.

However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will not be ready until January 21, according to a security bulletin published today.

Ivanti Policy Secure: This solution is not intended to be internet facing, which makes the risk of exploitation significantly lower. The fix for Ivanti Policy Secure is planned for release on January 21, 2025, and will be available in the standard download portal. Customers should always ensure that their IPS appliance is configured according to Ivanti recommendations and not expose it to the internet. We are not aware of these CVEs being exploited in Ivanti Policy Secure.

Ivanti Neurons for ZTA Gateways: The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. The fix is planned for release on January 21, 2025. We are not aware of these CVEs being exploited in ZTA Gateways.

The company recommends all Ivanti Connect Secure admins perform internal and external ICT scans.

If the scans come up clean, Ivanti still recommends admins perform a factory reset before upgrading to Ivanti Connect Secure 22.7R2.5.

However, if the scans show signs of a compromise, Ivanti says a factory reset should remove any installed malware. The appliance should then be put back into production using version 22.7R2.5

Today’s security updates also fix a second vulnerability tracked as CVE-2025-0283, which Ivanti says is not currently being exploited or chained with CVE-2025-0282. This flaw allows an authenticated local attacker to escalate their privileges.

As Ivanti is working with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks, we will likely see reports about the detected malware shortly.

BleepingComputer contacted Ivanti with further questions about the attacks and will update this story if we receive a response.

In October, Ivanti released security updates to fix three Cloud Services Appliance (CSA) zero-days that were actively exploited in attacks.

read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights