CINXE.COM

<!DOCTYPE html>      <html lang="en-US" class="no-js">  <meta charset="UTF-8"> <title>Ivanti Connect Secure VPN Exploitation Goes Global | Volexity</title> <meta name="HandheldFriendly" content="True"> <meta name="MobileOptimized" content="320"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta http-equiv="cleartype" content="on"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@Volexity"> <meta name="twitter:creator" content="@Volexity"> <meta name="twitter:title" content="Ivanti Connect Secure VPN Exploitation Goes Global"> <meta name="twitter:description" content="Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan. Volexity has observed it successfully detecting the compromises described in this post across impacted organizations. Last week, Ivanti also released an updated version of the external Integrity Checker Tool that can be further used to check and verify systems. On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these […]"> <meta name="twitter:image" content="https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15.png"> <link rel="apple-touch-icon" sizes="180x180" href="https://www.volexity.com/wp-content/themes/volexity/apple-touch-icon.png"> <link rel="icon" type="image/png" href="https://www.volexity.com/wp-content/themes/volexity/favicon-32x32.png" sizes="32x32"> <link rel="icon" type="image/png" href="https://www.volexity.com/wp-content/themes/volexity/favicon-16x16.png" sizes="16x16"> <link rel="icon" type="image/png" href="https://www.volexity.com/wp-content/themes/volexity/favicon.ico"> <link rel="manifest" href="https://www.volexity.com/wp-content/themes/volexity/manifest.json"> <meta name="theme-color" content="#12BEF0"> <meta property="og:image" content="https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15-300x157.png" />  <script async src="https://www.googletagmanager.com/gtag/js?id=G-WRSX85NK29"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-WRSX85NK29'); </script> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />  <meta name="description" content="On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances." /> <link rel="canonical" href="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Ivanti Connect Secure VPN Exploitation Goes Global" /> <meta property="og:description" content="On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances." /> <meta property="og:url" content="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/" /> <meta property="og:site_name" content="Volexity" /> <meta property="article:publisher" content="https://www.facebook.com/volexity/" /> <meta property="article:published_time" content="2024-01-15T23:35:41+00:00" /> <meta property="article:modified_time" content="2024-11-21T16:40:41+00:00" /> <meta property="og:image" content="https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15.png" /> <meta property="og:image:width" content="2060" /> <meta property="og:image:height" content="1076" /> <meta property="og:image:type" content="image/png" /> <meta name="author" content="Steven Adair" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Article","@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/#article","isPartOf":{"@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/"},"author":{"name":"Steven Adair","@id":"https://www.volexity.com/#/schema/person/37facc456a65bd500f8cd6d9991e314c"},"headline":"Ivanti Connect Secure VPN Exploitation Goes Global","datePublished":"2024-01-15T23:35:41+00:00","dateModified":"2024-11-21T16:40:41+00:00","mainEntityOfPage":{"@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/"},"wordCount":1237,"publisher":{"@id":"https://www.volexity.com/#organization"},"image":{"@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/#primaryimage"},"thumbnailUrl":"https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15.png","keywords":["APT","backdoor","China","Exploit","ivanti connect secure","pulsesecure","RCE","VPN","webshell"],"articleSection":["Threat Intelligence"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/","url":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/","name":"Ivanti Connect Secure VPN Exploitation Goes Global | Volexity","isPartOf":{"@id":"https://www.volexity.com/#website"},"primaryImageOfPage":{"@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/#primaryimage"},"image":{"@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/#primaryimage"},"thumbnailUrl":"https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15.png","datePublished":"2024-01-15T23:35:41+00:00","dateModified":"2024-11-21T16:40:41+00:00","description":"On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.","breadcrumb":{"@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/#primaryimage","url":"https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15.png","contentUrl":"https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15.png","width":2060,"height":1076},{"@type":"BreadcrumbList","@id":"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.volexity.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.volexity.com/blog/"},{"@type":"ListItem","position":3,"name":"Ivanti Connect Secure VPN Exploitation Goes Global"}]},{"@type":"WebSite","@id":"https://www.volexity.com/#website","url":"https://www.volexity.com/","name":"Volexity | Memory Forensics, Cybersecurity Threat Intelligence & Incident Response","description":"","publisher":{"@id":"https://www.volexity.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.volexity.com/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://www.volexity.com/#organization","name":"Volexity Inc.","alternateName":"Volexity - Forensic Memory Analysis","url":"https://www.volexity.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.volexity.com/#/schema/logo/image/","url":"https://www.volexity.com/wp-content/uploads/2018/01/Volexity-Logo-Full-Stacked-2019-1000px.jpg","contentUrl":"https://www.volexity.com/wp-content/uploads/2018/01/Volexity-Logo-Full-Stacked-2019-1000px.jpg","width":1000,"height":1000,"caption":"Volexity Inc."},"image":{"@id":"https://www.volexity.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/volexity/","https://x.com/Volexity","https://www.linkedin.com/company/volexity/","https://github.com/volexity","https://infosec.exchange/@volexity"]},{"@type":"Person","@id":"https://www.volexity.com/#/schema/person/37facc456a65bd500f8cd6d9991e314c","name":"Steven Adair","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.volexity.com/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/bcbec929d10ae62463d2fb8883098ac8?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/bcbec929d10ae62463d2fb8883098ac8?s=96&d=mm&r=g","caption":"Steven Adair"}}]}</script>  <link rel='stylesheet' id='wp-block-library-css' href='https://www.volexity.com/wp-includes/css/dist/block-library/style.min.css?ver=6.7' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='cookie-notice-front-css' href='https://www.volexity.com/wp-content/plugins/cookie-notice/css/front.min.css?ver=2.4.18' type='text/css' media='all' /> <link rel='stylesheet' id='main-style-css' href='https://www.volexity.com/wp-content/themes/volexity/dist/styles/styles.min.css?ver=6.7' type='text/css' media='screen, print' /> <script type="text/javascript" id="cookie-notice-front-js-before"> /* <![CDATA[ */ var cnArgs = {"ajaxUrl":"https:\/\/www.volexity.com\/wp-admin\/admin-ajax.php","nonce":"37bdabc0c7","hideEffect":"fade","position":"bottom","onScroll":false,"onScrollOffset":100,"onClick":false,"cookieName":"cookie_notice_accepted","cookieTime":2592000,"cookieTimeRejected":2592000,"globalCookie":false,"redirection":false,"cache":false,"revokeCookies":false,"revokeCookiesOpt":"automatic"}; /* ]]> */ </script> <script type="text/javascript" src="https://www.volexity.com/wp-content/plugins/cookie-notice/js/front.min.js?ver=2.4.18" id="cookie-notice-front-js"></script> <script type="text/javascript" src="https://www.volexity.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" src="https://www.volexity.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <link rel="https://api.w.org/" href="https://www.volexity.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://www.volexity.com/wp-json/wp/v2/posts/3070" /><link rel='shortlink' href='https://www.volexity.com/?p=3070' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://www.volexity.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.volexity.com%2Fblog%2F2024%2F01%2F15%2Fivanti-connect-secure-vpn-exploitation-goes-global%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://www.volexity.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.volexity.com%2Fblog%2F2024%2F01%2F15%2Fivanti-connect-secure-vpn-exploitation-goes-global%2F&format=xml" /> <style type="text/css" id="wp-custom-css"> /* You can add your own CSS here. Click the help icon above to learn more. */ </style>  </head> <body class="post-template-default single single-post postid-3070 single-format-standard cookies-not-set ie ie7 windows"> <header class="header"> <div class="header-top-container"> <div class="container"> <ul id="menu-sub-left" class="header-sub-left"><li id="menu-item-2116" class="icon-triangle menu-item menu-item-type-post_type menu-item-object-page menu-item-2116"><a href="https://www.volexity.com/company/contact/demo-request/" class="icon-triangle">Request A Demo</a></li> </ul> <ul id="menu-sub-right" class="header-sub-right"><li id="menu-item-1213" class="icon-warning menu-item menu-item-type-post_type menu-item-object-page menu-item-1213"><a href="https://www.volexity.com/company/contact/breach-assistance/" class="icon-warning">Breach Assistance</a></li> </ul> </div> </div> <div class="header-container"> <div class="container"> <a class="header-logo" href="https://www.volexity.com"><img src="https://www.volexity.com/wp-content/themes/volexity/dist/images/logo.png" alt="Volexity"></a> <div class="header-menu"> <ul id="menu-main-navigation" class="header-menu-list"><li id="menu-item-376" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-376"><a href="https://www.volexity.com/products-overview/">Products</a> <ul class="sub-menu"> <li id="menu-item-48" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-48"><a href="https://www.volexity.com/products-overview/">Products Overview</a></li> <li id="menu-item-50" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-50"><a href="https://www.volexity.com/products-overview/volcano/">Volcano</a></li> <li id="menu-item-49" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-49"><a href="https://www.volexity.com/products-overview/surge/">Surge</a></li> </ul> </li> <li id="menu-item-377" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-377"><a href="https://www.volexity.com/services-overview/">Services</a> <ul class="sub-menu"> <li id="menu-item-55" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-55"><a href="https://www.volexity.com/services-overview/">Services Overview</a></li> <li id="menu-item-52" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-52"><a href="https://www.volexity.com/services-overview/incident-response/">Incident Response</a></li> <li id="menu-item-53" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-53"><a href="https://www.volexity.com/services-overview/network-security-monitoring/">Network Security Monitoring</a></li> <li id="menu-item-54" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-54"><a href="https://www.volexity.com/services-overview/proactive-threat-assessments/">Proactive Threat Assessments</a></li> <li id="menu-item-56" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-56"><a href="https://www.volexity.com/services-overview/threat-intelligence/">Threat Intelligence</a></li> <li id="menu-item-2394" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2394"><a href="https://www.volexity.com/services-overview/mergers-acquisitions-cybersecurity-assessments/">M&A Cybersecurity Assessments</a></li> </ul> </li> <li id="menu-item-385" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-385"><a href="https://www.volexity.com/company/about/">Company</a> <ul class="sub-menu"> <li id="menu-item-41" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-41"><a href="https://www.volexity.com/company/about/">About</a></li> <li id="menu-item-43" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-43"><a href="https://www.volexity.com/company/news-press/">News & Press</a></li> <li id="menu-item-1849" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1849"><a href="https://www.volexity.com/company/careers/">Careers</a></li> <li id="menu-item-1824" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1824"><a href="https://www.volexity.com/company/internships/">Internships</a></li> <li id="menu-item-1718" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1718"><a href="https://www.volexity.com/company/resources/">Resources</a></li> </ul> </li> <li id="menu-item-39" class="menu-item menu-item-type-post_type menu-item-object-page current_page_parent menu-item-39"><a href="https://www.volexity.com/blog/">Blog</a></li> <li id="menu-item-45" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-45"><a href="https://www.volexity.com/company/contact/">Contact</a></li> </ul> </div> <div class="mobile-menu--holder"> <div class="mobile-menu"></div> </div> </div> </div> </header> <div class="int-header s5"> <div class="container"> <section class="int-header-hold col-sm-12"> blog </section> </div> </div> <main class="main"> <div class="container"> <section class="row int"> <article class="col-sm-8"> <div class="post-content composition"> <h2 class="post-title">Ivanti Connect Secure VPN Exploitation Goes Global</h2> <p class="post-date">January 15, 2024</p> <p class="post-byline">by Cem Gurkok, Paul Rascagneres, Sean Koessel, Steven Adair, Tom Lancaster</p> <div class="post-single-social"> <a class="post-single-social-share" data-share-channel="facebook" data-title="Ivanti Connect Secure VPN Exploitation Goes Global" data-description="Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan. Volexity has observed it successfully detecting the compromises described in this post across impacted organizations. Last week, Ivanti also released an updated version of the external Integrity Checker Tool that can be further used to check and verify systems. On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these […]" data-url="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/" data-image="" data-caption="Volexity"><i class="icon icon-facebook-share"></i><span class="sr-only">Facebook</span></a> <a class="post-single-social-share" data-share-channel="twitter" data-text="Ivanti+Connect+Secure+VPN+Exploitation+Goes+Global" data-url="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/" data-hashtags="volexity" data-via="Volexity"><i class="icon icon-twitter-share"></i><span class="sr-only">Twitter</span></a> <a class="post-single-social-share" data-share-channel="email" data-post-id="3070"><i class="icon icon-mail-share"></i><span class="sr-only">Email</span></a> </div> <p><img fetchpriority="high" decoding="async" class="aligncenter size-full wp-image-3094" src="https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15.png" alt="" width="2060" height="1076" srcset="https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15.png 2060w, https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15-300x157.png 300w, https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15-1024x535.png 1024w, https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15-768x401.png 768w, https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15-1536x802.png 1536w, https://www.volexity.com/wp-content/uploads/2024/01/Volexity-Ivanti-Connect-Secure-VPN-Exploitation-Goes-Global-Jan15-2048x1070.png 2048w" sizes="(max-width: 2060px) 100vw, 2060px" /></p> <p><strong><em>Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the <a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US">mitigation</a>, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan. Volexity has observed it successfully detecting the compromises described in this post across impacted organizations. Last week, </em></strong><strong><em>Ivanti also released an updated version of the external <a href="https://forums.ivanti.com/s/article/KB44755?language=en_US">Integrity Checker Tool </a>that can be further used to check and verify systems.<br /> </em></strong></p> <p style="font-weight: 400;">On January 10, 2024, <a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/">Volexity publicly shared</a> details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21887">CVE-2024-21887</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46805">CVE-2023-46805</a>) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti <a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways">published a mitigation</a> that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities.</p> <blockquote><p>Note: It should once again be reiterated that the mitigation does not remedy an active or past compromise. While it is critical that organizations apply this mitigation, it is just as important that they look for signs their ICS VPN appliance has already been compromised and take action if evidence is found.</p></blockquote> <p style="font-weight: 400;">Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.</p> <p style="font-weight: 400;">Simultaneously, Volexity also developed a way to scan devices to look for signs of compromise. As result, Volexity has observed two new major findings related to this ongoing activity:</p> <ul style="font-weight: 400;"> <li>Exploitation of these vulnerabilities is now widespread. Volexity has been able to find evidence of compromise of <strong>over 1,700</strong> <strong>devices</strong> worldwide.</li> <li>Additional threat actors beyond UTA0178 appear to now have access to the exploit and are actively trying to exploit devices.</li> </ul> <h2>Timeline of Findings</h2> <p style="font-weight: 400;">The timeline of findings from earliest observed exploitation to ongoing activity at the time of writing is below:</p> <ul style="font-weight: 400;"> <li><strong>2023-12-03</strong> | Earliest exploitation observed by Volexity.</li> <li><strong>2024-01-10</strong> | Volexity <a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/">reports</a> details of observed exploitation of <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21887">CVE-2024-21887</a> & <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46805">CVE-2023-46805</a>.</li> <li><strong>2024-01-11</strong> | Volexity discovers evidence that UTA0178 attempts mass exploitation.</li> <li><strong>2024-01-11</strong> | Mandiant <a href="https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day">reports</a> on their own observations.</li> <li><strong>2024-01-15</strong> | Volexity discloses evidence of mass exploitation and the suspected compromise of at least 1,700 ICS devices.</li> </ul> <p style="font-weight: 400;">Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals, including the following:</p> <ul style="font-weight: 400;"> <li>Global government and military departments</li> <li>National telecommunications companies</li> <li>Defense contractors</li> <li>Technology</li> <li>Banking, Finance, and Accounting</li> <li>Worldwide consulting</li> <li>Aerospace, Aviation, and Engineering</li> </ul> <h2>Widespread Exploitation</h2> <p style="font-weight: 400;">As <a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/">described on January 10, 2024</a>, Volexity had conducted scans using a method that only uncovered a single victim organization. Based on those findings, Volexity’s customer visibility, and input from Ivanti, it had been concluded that exploitation of the vulnerability chain had been limited to just a few organizations.</p> <p style="font-weight: 400;">However, on January 11, 2024, Volexity began to detect evidence of widespread scanning by someone apparently familiar with the vulnerabilities. Volexity observed various file paths, that are not publicly known, being requested via logs from its customer ICS VPN appliances. It was not clear if this was the work of attackers or security researchers. However, on the same day, Volexity also received reports from multiple organizations that they had received reports of mismatched files from their ICS VPN logs. Further, some of these organizations shared past results from the built-in integrity scan that did not show signs of mismatched files until January 11, 2024. Volexity was simultaneously engaged to investigate similar activity with other customers and found multiple devices had similarly been compromised starting on January 11, 2024.</p> <p style="font-weight: 400;">Investigations of newly found compromised devices showed they had been backdoored with a slightly different variant of the GIFTEDVISITOR webshell documented in the “visits.py modification - GIFTEDVISITOR” section of Volexity’s <a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/">recent blog post</a>. The attacker used an identical webshell to that observed in the first incident investigated by Volexity, but they replaced the AES key used with a truncated UUID string. This AES key format differed from the one initially discovered, which simply had the value <code>1234567812345678</code>. Volexity’s analysis of multiple devices shows that a unique AES key has likely been employed on each victim system as part of the widespread compromise.</p> <p style="font-weight: 400;">Volexity was able to develop a new method of scanning for evidence that GIFTEDVISITOR was present on ICS VPN appliances. Volexity then scanned roughly 30,000 ICS IP addresses. On Sunday, January 14, 2024, Volexity had identified over 1,700 ICS VPN appliances that were compromised with the GIFTEDVISITOR webshell. These appliances appear to have been indiscriminately targeted, with victims all over the world. A summary of the infected appliances’ geography can be seen below.</p> <p><img decoding="async" class="aligncenter size-full wp-image-3077" src="https://www.volexity.com/wp-content/uploads/2024/01/image002.png" alt="Geographic distribution of infected ICS VPN appliances" width="1832" height="1190" srcset="https://www.volexity.com/wp-content/uploads/2024/01/image002.png 1832w, https://www.volexity.com/wp-content/uploads/2024/01/image002-300x195.png 300w, https://www.volexity.com/wp-content/uploads/2024/01/image002-1024x665.png 1024w, https://www.volexity.com/wp-content/uploads/2024/01/image002-768x499.png 768w, https://www.volexity.com/wp-content/uploads/2024/01/image002-1536x998.png 1536w" sizes="(max-width: 1832px) 100vw, 1832px" /></p> <p style="font-weight: 400;">Volexity assesses with medium confidence that this widespread exploitation was undertaken by UTA0178. This assessment is based on the use of an identical webshell to that used in the previous exploitation, and the speed at which it was undertaken following publication of details relating to the exploit. Widespread exploitation began taking place January 11, 2024 and continues.</p> <h2>Evidence of Exploit Proliferation</h2> <p style="font-weight: 400;">In addition to the discovery of widespread exploitation undertaken by UTA0178, analysis of logs from various ICS VPN appliances showed likely attempted exploitation by other threat actors, with noticeably poorer operational security than UTA0178. While devices without the mitigation did not correctly log exploit-related requests, those with the mitigation correctly log attempted exploitation. Based on analysis of these logs, nearly two dozen IP addresses attempted exploitation using the correct URI pattern or similar URI patterns required for exploitation, with no documentation of this URI pattern in the public domain. These IP addresses appear to be a mix of private VPS instances and compromised network appliances (although no Cyberoam devices have been observed).</p> <p style="font-weight: 400;">Volexity has also observed suspected exploitation attempt from another threat actor that it tracks as UTA0188. This threat actor was observed in the logs of an ICS VPN that was patched. Additional details related to this threat actor, their infrastructure, and other observed targeting were provided to Volexity Threat Intelligence customers in TIB-20240115.</p> <h2>Conclusion</h2> <p style="font-weight: 400;">Volexity has identified widespread exploitation of chained vulnerabilities <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21887">CVE-2024-21887</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46805">CVE-2023-46805</a>. This exploitation has affected thousands of machines and may have infected many more. Volexity’s scan methodology would not have worked against organizations that have already deployed the <a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways">Ivanti mitigation</a> or had otherwise been taken offline. As a result, Volexity suspects there may likely be a higher number of compromised organizations than identified through scanning (which totaled more than 1,700). There was likely a period in which UTA0178 could have actioned these compromises before the mitigation was applied.</p> <p style="font-weight: 400;">Furthermore, Volexity has identified that additional attackers beyond UTA0178 appear to have access to the exploit. Volexity recommends that organizations running ICS VPN perform the following:</p> <ul style="font-weight: 400;"> <li><a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US">Apply the mitigation</a> provided by Ivanti.</li> <li>Run the <a href="https://forums.ivanti.com/s/article/KB44755?language=en_US">Integrity Checker Tool</a> provided by Ivanti.</li> <li>In the event of a hit for the Integrity Checker Tool, follow the steps in the “Responding to Compromise” section of <a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/">Volexity’s previous blog post</a>.</li> </ul> <blockquote> <p style="font-weight: 400;">Where Volexity has a known contact, national CERTs have been contacted in order to notify them of victims in their constituency. If you are a national CERT, and you have not received a message from Volexity but would like a list of affected IP addresses in your country, please contact <a href="/cdn-cgi/l/email-protection#3a4e52485f5b4e53544e5f567a4c55565f42534e4314595557"><span class="__cf_email__" data-cfemail="6b1f03190e0a1f02051f0e072b1d04070e13021f1245080406">[email protected]</span></a>.</p> </blockquote> <div class="post-tags"> <a href="https://www.volexity.com/blog/tag/apt/">APT</a>, <a href="https://www.volexity.com/blog/tag/backdoor/">backdoor</a>, <a href="https://www.volexity.com/blog/tag/china/">China</a>, <a href="https://www.volexity.com/blog/tag/exploit/">Exploit</a>, <a href="https://www.volexity.com/blog/tag/ivanti-connect-secure/">ivanti connect secure</a>, <a href="https://www.volexity.com/blog/tag/pulsesecure/">pulsesecure</a>, <a href="https://www.volexity.com/blog/tag/rce/">RCE</a>, <a href="https://www.volexity.com/blog/tag/vpn/">VPN</a>, <a href="https://www.volexity.com/blog/tag/webshell/">webshell</a> </div> </div> </article> <aside class="sidebar col-sm-4"> <ul class="widgets"> <li class="widget widget_search"><div class="widget-content"><form role="search" method="get" class="search-form" action="https://www.volexity.com/"> <label> <span class="screen-reader-text">Search for:</span> <input type="search" class="search-field" placeholder="SEARCH" value="" name="s" title="Search for:" /> </label> <input type="submit" class="search-submit" value="Search" /> </form></div></li> <li class="widget widget_recent_entries"><div class="widget-content"> <h4 class="widget-title">Recent Posts</h4> <ul> <li> <a href="https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/">Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication</a> </li> <li> <a href="https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/">The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access</a> </li> <li> <a href="https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/">BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA</a> </li> <li> <a href="https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/">StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms</a> </li> <li> <a href="https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/">DISGOMOJI Malware Used to Target Indian Government</a> </li> </ul> </div></li><li class="widget widget_archive"><div class="widget-content"><h4 class="widget-title">Archives</h4> <ul> <li><a href='https://www.volexity.com/blog/2025/02/'>February 2025</a></li> <li><a href='https://www.volexity.com/blog/2024/11/'>November 2024</a></li> <li><a href='https://www.volexity.com/blog/2024/08/'>August 2024</a></li> <li><a href='https://www.volexity.com/blog/2024/06/'>June 2024</a></li> <li><a href='https://www.volexity.com/blog/2024/05/'>May 2024</a></li> <li><a href='https://www.volexity.com/blog/2024/04/'>April 2024</a></li> <li><a href='https://www.volexity.com/blog/2024/02/'>February 2024</a></li> <li><a href='https://www.volexity.com/blog/2024/01/'>January 2024</a></li> <li><a href='https://www.volexity.com/blog/2023/09/'>September 2023</a></li> <li><a href='https://www.volexity.com/blog/2023/06/'>June 2023</a></li> <li><a href='https://www.volexity.com/blog/2023/03/'>March 2023</a></li> <li><a href='https://www.volexity.com/blog/2022/12/'>December 2022</a></li> <li><a href='https://www.volexity.com/blog/2022/08/'>August 2022</a></li> <li><a href='https://www.volexity.com/blog/2022/07/'>July 2022</a></li> <li><a href='https://www.volexity.com/blog/2022/06/'>June 2022</a></li> <li><a href='https://www.volexity.com/blog/2022/03/'>March 2022</a></li> <li><a href='https://www.volexity.com/blog/2022/02/'>February 2022</a></li> <li><a href='https://www.volexity.com/blog/2021/12/'>December 2021</a></li> <li><a href='https://www.volexity.com/blog/2021/08/'>August 2021</a></li> <li><a href='https://www.volexity.com/blog/2021/05/'>May 2021</a></li> <li><a href='https://www.volexity.com/blog/2021/03/'>March 2021</a></li> <li><a href='https://www.volexity.com/blog/2020/12/'>December 2020</a></li> <li><a href='https://www.volexity.com/blog/2020/11/'>November 2020</a></li> <li><a href='https://www.volexity.com/blog/2020/04/'>April 2020</a></li> <li><a href='https://www.volexity.com/blog/2020/03/'>March 2020</a></li> <li><a href='https://www.volexity.com/blog/2019/09/'>September 2019</a></li> <li><a href='https://www.volexity.com/blog/2018/11/'>November 2018</a></li> <li><a href='https://www.volexity.com/blog/2018/09/'>September 2018</a></li> <li><a href='https://www.volexity.com/blog/2018/08/'>August 2018</a></li> <li><a href='https://www.volexity.com/blog/2018/07/'>July 2018</a></li> <li><a href='https://www.volexity.com/blog/2018/06/'>June 2018</a></li> <li><a href='https://www.volexity.com/blog/2018/04/'>April 2018</a></li> <li><a href='https://www.volexity.com/blog/2017/11/'>November 2017</a></li> <li><a href='https://www.volexity.com/blog/2017/07/'>July 2017</a></li> <li><a href='https://www.volexity.com/blog/2017/03/'>March 2017</a></li> <li><a href='https://www.volexity.com/blog/2016/11/'>November 2016</a></li> <li><a href='https://www.volexity.com/blog/2015/10/'>October 2015</a></li> <li><a href='https://www.volexity.com/blog/2015/07/'>July 2015</a></li> <li><a href='https://www.volexity.com/blog/2015/06/'>June 2015</a></li> <li><a href='https://www.volexity.com/blog/2015/04/'>April 2015</a></li> <li><a href='https://www.volexity.com/blog/2014/10/'>October 2014</a></li> <li><a href='https://www.volexity.com/blog/2014/09/'>September 2014</a></li> </ul> </div></li><li class="widget widget_categorizedtagcloudwidget"><div class="widget-content"><h4 class="widget-title">Tags</h4> <div id="categorized-tag-cloud"><span id="categorized-tag-cloud-el-1"><a href="https://www.volexity.com/blog/tag/malware/" class="tag-cloud-link tag-link-106 tag-link-position-1" style="font-size: 11.8pt;" aria-label="malware (5 items)">malware</a></span> <span id="categorized-tag-cloud-el-2"><a href="https://www.volexity.com/blog/tag/threat-intelligence/" class="tag-cloud-link tag-link-93 tag-link-position-2" style="font-size: 12.5pt;" aria-label="Threat Intelligence (6 items)">Threat Intelligence</a></span> <span id="categorized-tag-cloud-el-3"><a href="https://www.volexity.com/blog/tag/ivanti-connect-secure/" class="tag-cloud-link tag-link-173 tag-link-position-3" style="font-size: 11pt;" aria-label="ivanti connect secure (4 items)">ivanti connect secure</a></span> <span id="categorized-tag-cloud-el-4"><a href="https://www.volexity.com/blog/tag/scanning/" class="tag-cloud-link tag-link-31 tag-link-position-4" style="font-size: 11pt;" aria-label="Scanning (4 items)">Scanning</a></span> <span id="categorized-tag-cloud-el-5"><a href="https://www.volexity.com/blog/tag/0day/" class="tag-cloud-link tag-link-131 tag-link-position-5" style="font-size: 11.8pt;" aria-label="0day (5 items)">0day</a></span> <span id="categorized-tag-cloud-el-6"><a href="https://www.volexity.com/blog/tag/edge-device/" class="tag-cloud-link tag-link-215 tag-link-position-6" style="font-size: 11.8pt;" aria-label="edge device (5 items)">edge device</a></span> <span id="categorized-tag-cloud-el-7"><a href="https://www.volexity.com/blog/tag/rce/" class="tag-cloud-link tag-link-174 tag-link-position-7" style="font-size: 12.5pt;" aria-label="RCE (6 items)">RCE</a></span> <span id="categorized-tag-cloud-el-8"><a href="https://www.volexity.com/blog/tag/vulnerabilities/" class="tag-cloud-link tag-link-34 tag-link-position-8" style="font-size: 11pt;" aria-label="vulnerabilities (4 items)">vulnerabilities</a></span> <span id="categorized-tag-cloud-el-9"><a href="https://www.volexity.com/blog/tag/apt/" class="tag-cloud-link tag-link-35 tag-link-position-9" style="font-size: 20pt;" aria-label="APT (39 items)">APT</a></span> <span id="categorized-tag-cloud-el-10"><a href="https://www.volexity.com/blog/tag/spear-phishing/" class="tag-cloud-link tag-link-45 tag-link-position-10" style="font-size: 11pt;" aria-label="spear phishing (4 items)">spear phishing</a></span> <span id="categorized-tag-cloud-el-11"><a href="https://www.volexity.com/blog/tag/china/" class="tag-cloud-link tag-link-42 tag-link-position-11" style="font-size: 14.4pt;" aria-label="China (10 items)">China</a></span> <span id="categorized-tag-cloud-el-12"><a href="https://www.volexity.com/blog/tag/phishing/" class="tag-cloud-link tag-link-107 tag-link-position-12" style="font-size: 11pt;" aria-label="phishing (4 items)">phishing</a></span> <span id="categorized-tag-cloud-el-13"><a href="https://www.volexity.com/blog/tag/webshell/" class="tag-cloud-link tag-link-84 tag-link-position-13" style="font-size: 11.8pt;" aria-label="webshell (5 items)">webshell</a></span> <span id="categorized-tag-cloud-el-14"><a href="https://www.volexity.com/blog/tag/exploits/" class="tag-cloud-link tag-link-33 tag-link-position-14" style="font-size: 15.1pt;" aria-label="exploits (12 items)">exploits</a></span> <span id="categorized-tag-cloud-el-15"><a href="https://www.volexity.com/blog/tag/vpn/" class="tag-cloud-link tag-link-24 tag-link-position-15" style="font-size: 11.8pt;" aria-label="VPN (5 items)">VPN</a></span> <span id="categorized-tag-cloud-el-16"><a href="https://www.volexity.com/blog/tag/exploit/" class="tag-cloud-link tag-link-87 tag-link-position-16" style="font-size: 15.5pt;" aria-label="Exploit (13 items)">Exploit</a></span> <span id="categorized-tag-cloud-el-17"><a href="https://www.volexity.com/blog/tag/north-korea/" class="tag-cloud-link tag-link-117 tag-link-position-17" style="font-size: 11.8pt;" aria-label="North Korea (5 items)">North Korea</a></span> <span id="categorized-tag-cloud-el-18"><a href="https://www.volexity.com/blog/tag/pulsesecure/" class="tag-cloud-link tag-link-172 tag-link-position-18" style="font-size: 11pt;" aria-label="pulsesecure (4 items)">pulsesecure</a></span> <span id="categorized-tag-cloud-el-19"><a href="https://www.volexity.com/blog/tag/backdoor/" class="tag-cloud-link tag-link-180 tag-link-position-19" style="font-size: 10pt;" aria-label="backdoor (3 items)">backdoor</a></span> <span id="categorized-tag-cloud-el-20"><a href="https://www.volexity.com/blog/tag/memory-forensics/" class="tag-cloud-link tag-link-65 tag-link-position-20" style="font-size: 11.8pt;" aria-label="memory forensics (5 items)">memory forensics</a></span> </div> <style> #categorized-tag-cloud a, #categorized-tag-cloud a:visited { text-decoration:none; } #categorized-tag-cloud a:hover { text-decoration:none; color:#3b97d3; } #categorized-tag-cloud-el-1 a, #categorized-tag-cloud-el-1 a:visited { color:#555555; } #categorized-tag-cloud-el-2 a, #categorized-tag-cloud-el-2 a:visited { color:#555555; } #categorized-tag-cloud-el-3 a, #categorized-tag-cloud-el-3 a:visited { color:#555555; } #categorized-tag-cloud-el-4 a, #categorized-tag-cloud-el-4 a:visited { color:#555555; } #categorized-tag-cloud-el-5 a, #categorized-tag-cloud-el-5 a:visited { color:#555555; } #categorized-tag-cloud-el-6 a, #categorized-tag-cloud-el-6 a:visited { color:#555555; } #categorized-tag-cloud-el-7 a, #categorized-tag-cloud-el-7 a:visited { color:#555555; } #categorized-tag-cloud-el-8 a, #categorized-tag-cloud-el-8 a:visited { color:#555555; } #categorized-tag-cloud-el-9 a, #categorized-tag-cloud-el-9 a:visited { color:#555555; } #categorized-tag-cloud-el-10 a, #categorized-tag-cloud-el-10 a:visited { color:#555555; } #categorized-tag-cloud-el-11 a, #categorized-tag-cloud-el-11 a:visited { color:#555555; } #categorized-tag-cloud-el-12 a, #categorized-tag-cloud-el-12 a:visited { color:#555555; } #categorized-tag-cloud-el-13 a, #categorized-tag-cloud-el-13 a:visited { color:#555555; } #categorized-tag-cloud-el-14 a, #categorized-tag-cloud-el-14 a:visited { color:#555555; } #categorized-tag-cloud-el-15 a, #categorized-tag-cloud-el-15 a:visited { color:#555555; } #categorized-tag-cloud-el-16 a, #categorized-tag-cloud-el-16 a:visited { color:#555555; } #categorized-tag-cloud-el-17 a, #categorized-tag-cloud-el-17 a:visited { color:#555555; } #categorized-tag-cloud-el-18 a, #categorized-tag-cloud-el-18 a:visited { color:#555555; } #categorized-tag-cloud-el-19 a, #categorized-tag-cloud-el-19 a:visited { color:#555555; } #categorized-tag-cloud-el-20 a, #categorized-tag-cloud-el-20 a:visited { color:#555555; } </style></div></li> </ul> </aside> </section> </div> </main> <footer class="footer"> <div class="footer-container container"> <div class="footer-col-first col-md-3 no-padding"> <a class="footer-logo" href="https://www.volexity.com"><img src="https://www.volexity.com/wp-content/themes/volexity/dist/images/logo.png" alt="Volexity"></a> <address class="footer-copyright">© 2025 Volexity. All Rights Reserved.</address> </div> <ul id="menu-footer-menu" class="footer-menu-list col-md-4 col-xs-12"><li id="menu-item-57" class="nav-header menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-57"><a href="/company/about/">About</a> <ul class="sub-menu"> <li id="menu-item-59" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-59"><a href="https://www.volexity.com/company/about/">About Us</a></li> <li id="menu-item-58" class="menu-item menu-item-type-post_type menu-item-object-page current_page_parent menu-item-58"><a href="https://www.volexity.com/blog/">Blog</a></li> <li id="menu-item-395" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-395"><a href="https://www.volexity.com/privacy-policy/">Privacy Policy</a></li> </ul> </li> <li id="menu-item-60" class="nav-header menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-60"><a href="/solutions/">Solutions</a> <ul class="sub-menu"> <li id="menu-item-400" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-400"><a href="https://www.volexity.com/company/contact/">Request A Demo</a></li> <li id="menu-item-61" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-61"><a href="https://www.volexity.com/products-overview/">Products</a></li> <li id="menu-item-669" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-669"><a href="https://www.volexity.com/services-overview/">Services</a></li> </ul> </li> </ul> <div class="footer-address col-md-3 col-xs-12"> <p class="footer-header">Contact</p> <ul> <li class="footer-address--address icon-location-marker"> 11654 Plaza America Dr #774<br /> Reston, VA 20190-4700 </li> <li class="footer-address--phone icon-phone-mobile">1-888-825-1975</li> </ul> </div> <div class="footer-social col-md-2 no-padding"> <p class="footer-header">Connect</p> <ul> <li class="footer-social-holder"><a href="https://www.facebook.com/volexity" target="_blank" class="icon-facebook footer-social--link"></a></li> <li class="footer-social-holder"><a href="https://twitter.com/volexity" target="_blank" class="icon-twitter footer-social--link"></a></li> <li class="footer-social-holder"><a href="https://www.linkedin.com/company/volexity" target="_blank" class="icon-linkedin footer-social--link"></a></li> <li class="footer-social-holder"><a href="https://infosec.exchange/@volexity" target="_blank" class="fa-mastodon footer-social--link"></a></li> </ul> </div> </div> <div id="back-to-top" class="icon-slide-left"></div> <script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script><script type="text/javascript" id="main-js-extra"> /* <![CDATA[ */ var urls = {"base":"https:\/\/www.volexity.com","theme":"https:\/\/www.volexity.com\/wp-content\/themes\/volexity","ajax":"https:\/\/www.volexity.com\/wp-admin\/admin-ajax.php"}; var info = []; /* ]]> */ </script> <script type="text/javascript" src="https://www.volexity.com/wp-content/themes/volexity/dist/scripts/scripts.min.js?ver=6.7" id="main-js"></script> <script type="text/javascript" src="https://www.volexity.com/wp-includes/js/comment-reply.min.js?ver=6.7" id="comment-reply-js" async="async" data-wp-strategy="async"></script>  <div id="cookie-notice" role="dialog" class="cookie-notice-hidden cookie-revoke-hidden cn-position-bottom" aria-label="Cookie Notice" style="background-color: rgba(0,0,0,1);"><div class="cookie-notice-container" style="color: #fff"><span id="cn-notice-text" class="cn-text-container">This Website uses cookies, which are necessary to its functioning and required to achieve the purposes illustrated in our <a href="/privacy-policy/#cookies">Cookie Policy</a>. By clicking the button, you consent to our use of cookies.</span><span id="cn-notice-buttons" class="cn-buttons-container"><a href="#" id="cn-accept-cookie" data-cookie-set="accept" class="cn-set-cookie cn-button cn-button-custom box-cta" aria-label="Agree & Close">Agree & Close</a></span><span id="cn-close-notice" data-cookie-set="accept" class="cn-close-icon" title="No"></span></div> </div> </footer></body> </html>