
Ivanti Connect Secure VPN Exploitation: New Observations

ID: 58154b3c-b716-55b4-9f57-a65cfa00d7ab

STIX ID: report--58154b3c-b716-55b4-9f57-a65cfa00d7ab

Feed Name: Volexity Blog

Threat Score: 85/100

Date Published: 2024-01-18

Date Updated: 2026-05-01


Volexity reports that, starting in mid-January 2024, threat actors have been actively exploiting Ivanti Connect Secure VPN vulnerabilities (CVE-2024-21887 and CVE-2023-46805). Observed activity includes deploying the GIFTEDVISITOR webshell on more than 2,100 appliances, delivering cryptocurrency miners and Rust-based payloads, exfiltrating configuration, logs and database files, and in some cases modifying the appliance Integrity Checker to conceal compromises. The report includes IOCs (malicious URLs, wallet addresses, modified file paths), attribution to UTA0178/criminal actors, and mitigation guidance (apply mitigations after restoring backups and run external integrity checks).
