Other
Volexity / CISA AA24-060B / Google Cloud / Akamai
Primary Source
Incident Details
The Chinese-nexus APT group UNC5221 exploited chained zero-days in Ivanti Connect Secure VPN gateways starting in Dec 2023; Volexity publicly disclosed the activity on Jan 10 2024. CVE-2023-46805 (authentication bypass) chained with CVE-2024-21887 (command injection) gave attackers unauthenticated remote code execution. CISA itself was compromised through connected Ivanti products. Thousands of devices worldwide were affected, and multiple custom malware families were deployed. Ivanti’s initial integrity checker tool had a bypass, and patches took weeks to issue. State and local government agencies and defense contractors were heavily targeted.
Technical Details
- Initial Attack Vector
- CWE-305: Authentication Bypass by Primary Weakness chained with CWE-77: Command Injection
- Vendor / Product
- Ivanti Connect Secure / Policy Secure
- Malware Family
- ZIPLINE backdoor / LIGHTWIRE webshell / WARPWIRE credential harvester / THINSPOOL dropper
- CVE / GHSA References
- CVE-2023-46805, CVE-2024-21887, CVE-2024-21893
Timeline
- 2023-12-01 Breach occurred
- 2024-01-10 Publicly disclosed
- 2024-01-11 Customers notified