NSA Confirms Hackers Targeting U.S. Defense Sector Through Ivanti VPN Vulnerabilities

The U.S. National Security Agency (NSA) has confirmed that hackers exploiting vulnerabilities in Ivanti's widely used enterprise VPN appliance have targeted organizations in the U.S. defense sector.
NSA representative Edward Bennett confirmed via email to TechCrunch on Friday that the intelligence agency, in collaboration with its interagency partners, is actively monitoring and acknowledging the broad repercussions stemming from the recent exploitation of Ivanti products, including within the U.S. defense sector.
"The NSA's Cybersecurity Collaboration Center is persistently collaborating with our partners to identify and mitigate this activity," the spokesperson elaborated.
The confirmation of NSA surveillance on these cyberattacks surfaced shortly after Mandiant revealed that suspected Chinese espionage hackers have conducted "massive attempts" to exploit numerous vulnerabilities affecting Ivanti Connect Secure, a popular remote access VPN software widely employed by countless corporations and large entities across the globe.
Earlier this week, Mandiant disclosed that the China-affiliated hackers, tracked as UNC5325, had targeted a range of industries, including the U.S. defense industrial base sector, the global network of private sector entities that supply equipment and services to the U.S. military. These findings build on earlier reports by security firm Volexity.
In its analysis, Mandiant underscored UNC5325's deep familiarity with the Ivanti Connect Secure appliance and its use of living-off-the-land techniques to better evade detection. The hackers have also deployed novel malware to maintain a presence on Ivanti devices even after factory resets, system upgrades, and patches.
This assessment was echoed in an advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday, cautioning that threat actors exploiting vulnerable Ivanti VPN appliances could retain root-level persistence even after executing factory resets. According to CISA's independent tests, attackers can effectively deceive Ivanti's Integrity Checker Tool, potentially resulting in a failure to identify compromise.
Responding to CISA's revelations, Ivanti's Chief Information Security Officer, Mike Riemer, downplayed the agency's findings, expressing doubt that CISA's tests would replicate real-world customer environments. Riemer further stated that Ivanti has no knowledge of any successful threat actor persistence following the implementation of security updates and factory resets as recommended.
The exact extent of Ivanti customers affected by the widespread exploitation of Connect Secure vulnerabilities, which commenced in January, remains undisclosed.
According to an analysis by Akamai released last week, hackers are launching approximately 250,000 exploitation attempts daily and have targeted over 1,000 customers.