Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/shadowserver/statuses/111788261920349016">The Shadowserver Foundation (shadowserver@infosec.exchange)'s status on Saturday, 20-Jan-2024 21:29:02 JST</a><a href="https://infosec.exchange/@shadowserver" title="shadowserver@infosec.exchange"><img src="https://gnusocial.jp/avatar/233023-48-20240119110326.webp" width="48" height="48" alt="The Shadowserver Foundation" style="position: absolute; left: 0; top: 0;">The Shadowserver Foundation</a><div><a href="https://infosec.exchange/@shadowserver/111781817660837203" rel="in-reply-to">in reply to</a></div></section><article><p>Additional IPs compromised with credential stealers injected into vulnerable Ivanti Connect Secure VPN devices now shared daily in our Compromised Website report <a href="https://shadowserver.org/what-we-do/network-reporting/compromised-website-report/" rel="nofollow noreferrer">https://shadowserver.org/what-we-do/network-reporting/compromised-website-report/</a></p><p>168 compromised IPs found in our scans on 2023-01-19: <a href="https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-01-19&amp;source=compromised_website&amp;source=compromised_website6&amp;tag=credential-stealer%3Binjected-code%3Bivanti-connect-secure%3Bssl&amp;geo=all&amp;data_set=count&amp;scale=log" rel="nofollow noreferrer">https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-01-19&amp;source=compromised_website&amp;source=compromised_website6&amp;tag=credential-stealer%3Binjected-code%3Bivanti-connect-secure%3Bssl&amp;geo=all&amp;data_set=count&amp;scale=log</a></p><p>Total for 2023-01-19: 550 IPs still compromised (includes GIFTEDVISITOR variant webshells) - <a href="https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&amp;source=compromised_website&amp;source=compromised_website6&amp;tag=ivanti-connect-secure%2B&amp;group_by=geo&amp;style=stacked" rel="nofollow noreferrer">https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&amp;source=compromised_website&amp;source=compromised_website6&amp;tag=ivanti-connect-secure%2B&amp;group_by=geo&amp;style=stacked</a></p><p>Recovery guidance from Ivanti - <a href="https://forums.ivanti.com/s/article/Recovery-Steps-Related-to-CVE-2023-46805-and-CVE-2024-21887?language=en_US" rel="nofollow noreferrer">https://forums.ivanti.com/s/article/Recovery-Steps-Related-to-CVE-2023-46805-and-CVE-2024-21887?language=en_US</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2607795#notice-5174371">In conversation</a><time datetime="2024-01-20T21:29:02+09:00" title="Saturday, 20-Jan-2024 21:29:02 JST">about a year ago</time> <span>from <span><a href="https://infosec.exchange/@shadowserver/111788261920349016" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@shadowserver/111788261920349016">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/2140528">Tree map showing geo distribution of compromised Ivanti devices (new code injection credential stealer campaign). Top countries infected: US (51), China (13), Israel and Japan (11) each.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/788/251/414/764/496/original/ff0025bea2fc8e8e.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/788/251/414/764/496/original/ff0025bea2fc8e8e.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/2140529">Untitled attachment</a></label><br></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-01-19&amp;source=compromised_website&amp;source=compromised_website6&amp;tag=credential-stealer%3Binjected-code%3Bivanti-connect-secure%3Bssl&amp;geo=all&amp;data_set=count&amp;scale=logTotal">Tree map · General statistics · The Shadowserver Foundation</a></h5><div></div></header><div></div><footer></footer></article></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&amp;source=compromised_website&amp;source=compromised_website6&amp;tag=ivanti-connect-secure%2B&amp;group_by=geo&amp;style=stackedRecovery">Time series · General statistics · The Shadowserver Foundation</a></h5><div></div></header><div></div><footer></footer></article></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://forums.ivanti.com/s/article/Recovery-Steps-Related-to-CVE-2023-46805-and-CVE-2024-21887?language=en_US">Ivanti Community</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
The Shadowserver Foundation (shadowserver@infosec.exchange)'s status on Saturday, 20-Jan-2024 21:29:02 JST The Shadowserver Foundation
in reply to
Additional IPs compromised with credential stealers injected into vulnerable Ivanti Connect Secure VPN devices now shared daily in our Compromised Website report https://shadowserver.org/what-we-do/network-reporting/compromised-website-report/
168 compromised IPs found in our scans on 2023-01-19: https://dashboard.shadowserver.org/statistics/combined/tree/?day=2024-01-19&source=compromised_website&source=compromised_website6&tag=credential-stealer%3Binjected-code%3Bivanti-connect-secure%3Bssl&geo=all&data_set=count&scale=log
Total for 2023-01-19: 550 IPs still compromised (includes GIFTEDVISITOR variant webshells) - https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=compromised_website&source=compromised_website6&tag=ivanti-connect-secure%2B&group_by=geo&style=stacked
Recovery guidance from Ivanti - https://forums.ivanti.com/s/article/Recovery-Steps-Related-to-CVE-2023-46805-and-CVE-2024-21887?language=en_US
In conversationabout a year ago from infosec.exchangepermalink
Attachments
1. Tree map showing geo distribution of compromised Ivanti devices (new code injection credential stealer campaign). Top countries infected: US (51), China (13), Israel and Japan (11) each.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/788/251/414/764/496/original/ff0025bea2fc8e8e.png
2. Untitled attachment
3. No result found on File_thumbnail lookup.
  Tree map · General statistics · The Shadowserver Foundation
4. No result found on File_thumbnail lookup.
  Time series · General statistics · The Shadowserver Foundation
5. No result found on File_thumbnail lookup.
  Ivanti Community

Public

Embed Notice

HTML Code

Corresponding Notice