{
	"id": "660b43db-c711-4a18-bddc-38951e61128b",
	"created_at": "2026-04-06T00:09:08.187456Z",
	"updated_at": "2026-04-10T03:24:34.010231Z",
	"deleted_at": null,
	"sha1_hash": "1c2381b26599d168b347a43a3daa5ed7444a2973",
	"title": "Ivanti Connect Secure VPN Exploitation: New Observations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 721336,
	"plain_text": "Ivanti Connect Secure VPN Exploitation: New Observations\r\nBy mindgrub\r\nPublished: 2024-01-18 · Archived: 2026-04-02 10:56:27 UTC\r\nOn January 15, 2024, Volexity detailed widespread exploitation of Ivanti Connect Secure VPN vulnerabilities\r\nCVE-2024-21887 and CVE-2023-46805. In that blog post, Volexity detailed broader scanning and exploitation by\r\nthreat actors using still non-public exploits to compromise numerous devices. The following day, January 16, 2024,\r\nproof-of-concept code for the exploit was made public. Subsequently, Volexity has observed an increase in attacks\r\nfrom various threat actors against Ivanti Connect Secure VPN appliances beginning the same day.\r\nAdditionally, Volexity has continued its investigation into activity conducted by UTA0178 and made a few notable\r\ndiscoveries. The first relates to the GIFTEDVISITOR webshell that Volexity scanned for, which led to the initial\r\ndiscovery of over 1,700 compromised Ivanti Connect Secure VPN devices. On January 16, 2024, Volexity\r\nconducted a new scan for this backdoor and found an additional 368 compromised Ivanti Connect Secure VPN\r\nappliances, bringing the total count of systems infected by GIFTEDVISITOR to over 2,100.\r\nThe second discovery came from further analysis of an Ivanti Connect Secure VPN appliance compromised in\r\nDecember 2023. Volexity found that UTA0178 had made modifications to the in-built Integrity Checker Tool.\r\nThese modifications would result in the in-built Integrity Checker Tool always reporting that there were no new or\r\nmismatched files regardless of how many were identified. Administrative review of system logs would show no\r\nissues of concern.\r\nVolexity also recently learned of a potential issue that organizations may be facing when attempting to bring fresh\r\nIvanti Connect Secure VPN appliances back online that leave them in a vulnerable state. 
These findings may\r\nhttps://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/\r\nPage 1 of 4\n\npartially account for why there has been an increase in compromised systems in subsequent scans. This issue, and\r\nmore on the findings referenced above, are detailed in the sections that follow.\r\nWidespread Criminal Exploitation\r\nOn January 16, 2023, Volexity began observing broad exploitation against Ivanti Connect Secure VPN appliances\r\nfrom criminal threat actors. Volexity believes these attackers likely obtained the exploits needed to compromise\r\nIvanti Connect Secure VPN appliances through public proof-of-concept code. Volexity observed that following\r\nexploitation, vulnerable Ivanti Connect Secure VPN appliances would download malicious code from a variety of\r\ndifferent attacker-controlled URLs.\r\nIn at least one instance, Volexity observed an attacker deploying XMRig cryptocurrency miners. They did this by\r\ndownloading and executing payloads from the following URLs:\r\nhxxp://192.252.183[.]116:8089/u/123/100123/202401/d9a10f4568b649acae7bc2fe51fb5a98.sh\r\nhxxp://192.252.183[.]116:8089/u/123/100123/202401/31a5f4ceae1e45e1a3cd30f5d7604d89.json\r\nhxxp://192.252.183[.]116:8089/u/123/100123/202401/sshd\r\nThis would result in an XMRig cryptocurrency miner being deployed that will use the mining pool\r\nauto.c3pool[.]org:19999. The mined currency would be credited to the following two wallets:\r\n45yeuMC5LauAg18s7JPvpwNmPqDUrgZnhYwpQnbpo5PJKttK4GrjqS2jN1bemwMjrTc7QG414P6XgNZQGbhpwsnrKUsKSt5\r\n43uAMN5SYT45ZQqeNS6jkW5ssKjm7N4bmLT5uL49bvxGJnsPywn2zPhQA8nHc9XTGXavrstGj3pFy4geh3dV2x9uM8TfwzJ\r\nIn addition to the cryptocurrency miner, Volexity has also observed multiple URLs being used to download a Rust-based payload. 
Analysis of this malware is still underway, but the URLs observed for downloads are as follows:\r\nhxxp://abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/kaffMm40RNtkg\r\nhxxp://archivevalley-media.s3.amazonaws[.]com/bbU5Yn3yayTtV\r\nhxxp://blooming.s3.amazonaws[.]com/Ea7fbW98CyM5O\r\nhxxp://shapefiles.fews.net.s3.amazonaws[.]com/g6cYGAxHt4JC1\r\nAdditional details on each of the observed files can be found here.\r\nRecent UTA0178 Activity and Updates\r\nOn January 16, 2024, Volexity conducted a new scan to identify systems with the GIFTEDVISITOR webshell. The\r\nscans yielded an additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the count of\r\nsystems with the webshell to over 2,100. Volexity’s investigations also determined that in multiple breaches,\r\nattackers have been stealing configuration data, web logs, and database files associated with accounts, session data,\r\nand more from Ivanti Connect Secure VPN appliances. These files were then placed in various Internet-accessible\r\nfolders to be downloaded remotely. Volexity believes this is likely associated with UTA0178 and it may be partially\r\nautomated.\r\nIn addition to finding newly compromised systems, Volexity also identified additional tradecraft employed by\r\nUTA0178 on compromised Ivanti Connect Secure VPN appliances. Further analysis of an Ivanti Connect Secure\r\nVPN appliance that was compromised in December 2023 led to Volexity finding a modification to\r\n/home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg.\r\nThis EGG file, which is a ZIP archive, appears to be associated with the system’s built-in Integrity Checker Tool.\r\nWithin the archive, UTA0178 appears to have made a modification to scanner/scripts/scanner.py. 
Analysis of\r\nthis file uncovered evidence that it had been modified so the system’s built-in Integrity Checker Tool would always\r\nindicate no findings, even if new or mismatched files were actually detected. The following snippet of Python code\r\nin scanner.py shows what was added to the file to accomplish this:\r\nThe highlighted content is not part of the legitimate scanner.py file. This code will ensure the total file count will\r\ninclude any new or mismatched files, and that the new and mismatched file count displayed in logs is always set to\r\nzero. This appears to be an interesting attempt by UTA0178 to evade detection by organizations actively looking to\r\nfind evidence of compromise on their Ivanti Connect Secure VPN appliances.\r\nProper Order for Applying Mitigations When Restoring Ivanti Connect Secure\r\nVPN Appliance Configs\r\nVolexity has also become aware of multiple cases where organizations running a freshly deployed Ivanti Connect\r\nSecure VPN appliance had applied the mitigation but were then re-compromised. It turns out these organizations\r\nhad first applied the mitigation to protect the Ivanti Connect Secure VPN appliance, and then imported previous\r\nbackup configuration files. In doing so, it appears the backup configuration negates or otherwise removes the\r\nmitigation that was put in place.\r\nOrganizations must apply the mitigation after importing any backup configurations in order to prevent potential re-compromise of a device that was thought to be mitigated.\r\nConclusion\r\nActivity related to UTA0178 suggests this threat actor continues to compromise Ivanti Connect Secure VPN\r\nappliances with the GIFTEDVISITOR webshell and exfiltrate various data in a likely automated fashion. Newly\r\nidentified information also suggests that UTA0178 has attempted to find ways to circumvent the built-in Integrity\r\nChecker Tool. 
This increases the importance of organizations proactively running the external Integrity Checker\r\nTool to further examine systems not showing signs of compromise.\r\nWidespread exploitation of Ivanti Connect Secure VPN appliances by criminal actors is now adding additional\r\nmalware and threat activity into the mix for organizations that have not applied the mitigation. Volexity suspects it\r\nis likely additional threat actors, potentially those tied to extortion and ransomware, will take advantage of\r\nvulnerable systems.\r\nIt is critically important that organizations running Ivanti Connect Secure VPN appliances ensure the following:\r\nThe mitigation is applied in the proper order, applying it after importing any backup configurations.\r\nThe external Integrity Checker Tool results do not show signs of compromise.\r\nOnce a patch becomes available, it is applied as soon as possible.\r\nRelated indicators can also be downloaded from the Volexity GitHub page:\r\nSingle value indicators\r\nWhere Volexity has a known contact, national CERTs have been contacted in order to notify them of\r\nvictims in their constituency. If you are a national CERT, and you have not received a message from\r\nVolexity but would like a list of affected IP addresses in your country, please contact\r\nthreatintel@volexity.com.\r\nSource: https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/"
	],
	"report_names": [
		"ivanti-connect-secure-vpn-exploitation-new-observations"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434148,
	"ts_updated_at": 1775791474,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c2381b26599d168b347a43a3daa5ed7444a2973.pdf",
		"text": "https://archive.orkl.eu/1c2381b26599d168b347a43a3daa5ed7444a2973.txt",
		"img": "https://archive.orkl.eu/1c2381b26599d168b347a43a3daa5ed7444a2973.jpg"
	}
}