Mass exploitation of Ivanti VPNs is infecting networks around the globe
Briefly

'We conducted a secondary scan on all Ivanti Connect Secure servers in our dataset and found 412 unique hosts with this backdoor,' Censys researchers wrote. 'Additionally, we found 22 distinct "variants" (or unique callback methods), which could indicate multiple attackers or a single attacker evolving their tactics.'
In an email, members of the Censys research team said evidence suggests that the people infecting the devices are motivated by espionage objectives. That theory aligns with reports published recently by security firms Volexity and Mandiant. Volexity researchers said they suspect the threat actor, tracked as UTA0178, is a 'Chinese nation-state-level threat actor.' Mandiant, which tracks the attack group as UNC5221, said the hackers are pursuing an 'espionage-motivated APT campaign.'
Read at Ars Technica