Ivanti’s Never-Ending Headache: New Malware & Persistence Plagues VPNs
Just when you thought it was safe to go back into the VPN tunnel, Ivanti vulnerabilities are back in the spotlight, proving to be a persistent nightmare for organizations worldwide.
New reports detail ongoing exploitation, fresh malware, and sophisticated persistence mechanisms that make patching a race against determined attackers.
Initially, a combination of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) opened the floodgates. But the party didn’t stop there. Subsequent critical vulnerabilities, including CVE-2024-21888, CVE-2024-21893, and CVE-2024-22024, have kept security teams on their toes[1].
The latest intelligence reveals attackers aren’t just exploiting; they’re *staying*. Mandiant reports new malware families like ‘DSLog’ and ‘DSBackdoor’ specifically designed for Ivanti Connect Secure VPN appliances, along with sophisticated persistence techniques that modify legitimate system files and create scheduled tasks to survive patches and reboots[2]. We’re talking about nation-state-level actors here, folks, and their toolkit is expanding.
So what’s the big deal? If your organization uses Ivanti Connect Secure or Policy Secure VPNs, you’re a prime target. These aren’t just theoretical exploits; they’re actively being used to gain initial access, steal credentials, and pivot deeper into corporate networks. Even if you’ve patched, the new persistence methods mean attackers might *still* be lurking, having established backdoors before your updates were applied[3].
This isn’t just about applying a patch and calling it a day. It demands a thorough forensic investigation to ensure your appliances haven’t already been compromised and back