When One Attacker Rules Them All: The Ivanti Exploitation Campaign That Should Worry Us
I’ve been watching the security news this week, and there’s a pattern emerging that’s worth discussing. While we’re dealing with the usual mix of browser extension malware and acquisition announcements, there’s one story that really stands out – and it’s not getting the attention it deserves.
The Ivanti Problem Gets Personal
Here’s what caught my eye: researchers are reporting that a single threat actor is responsible for 83% of the active exploitation targeting two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). We’re talking about CVE-2026-21962 and CVE-2026-24061 – both remote code execution flaws in a product that sits on the internet edge and holds the keys to a fleet of managed mobile devices, so they are exactly as bad as they sound.
This isn’t just another “patch your systems” story. When one actor dominates exploitation of critical vulnerabilities to this degree, it tells us something important about the threat landscape. Either this particular group has significantly better capabilities than their peers, or they’re part of a larger, more organized operation than we typically see.
The concentration of attacks also suggests we might be looking at a targeted campaign rather than opportunistic scanning. One caveat: a single group running automated, mass exploitation could produce the same 83% share, so the number alone doesn’t prove targeting. Either way, it is the kind of focused, well-tooled threat that can slip past defenses tuned for spray-and-pray attacks.
BeyondTrust Joins the Party
Speaking of critical vulnerabilities seeing active exploitation, watchTowr reported they’re now seeing in-the-wild attacks against that CVSS 9.9 BeyondTrust vulnerability in Remote Support and Privileged Remote Access products. Ryan Dewhurst from watchTowr mentioned they picked this up across their global sensors, which means it’s not isolated to one region or target type.
BeyondTrust products are exactly the kind of high-value targets that make attackers salivate – they’re privileged access management tools that, by design, sit on the internet edge and broker administrative sessions into everything behind them, so a compromise hands attackers keys to the kingdom. The fact that we’re seeing exploitation so quickly after disclosure is concerning but not surprising.
The Browser Extension Problem That Won’t Go Away
Meanwhile, researchers discovered over 300 malicious Chrome extensions with a combined 37 million downloads that are busy stealing user data. Thirty-seven million downloads. Let that sink in for a moment.
This isn’t new – we’ve been dealing with malicious browser extensions for years. But the scale here is staggering. It’s a reminder that our users are installing software from app stores without thinking twice, and we need to account for that in our security models. Browser extensions run with significant privileges: one granted broad host permissions such as <all_urls> can read and rewrite every page the user loads, and with the cookies or webRequest permissions it can see session tokens and intercept traffic as well.
The persistence of this problem suggests that Google’s review process, while improved, still has gaps that determined attackers can exploit. For those of us managing enterprise environments, it’s another argument for allowlisting extensions by ID through managed browser policy, and for auditing the permissions of what is already installed, rather than relying on store review alone.
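As an added example (not code from the original article or from any vendor), here is one way to get the visibility the preceding paragraphs call for: walk a Chrome profile’s Extensions directory, score each manifest by the permissions it requests, and render the flagged IDs as a Chrome ExtensionSettings blocklist policy. The profile layout (<profile>/Extensions/<id>/<version>/manifest.json), the permission weights and the threshold are assumptions chosen for this demo; the two sample manifests are constructed, not real extensions.

```python
"""Audit Chrome extension manifests for high-risk permissions.

Added example, not from the original article. Assumes the Chrome profile
layout <profile>/Extensions/<extension-id>/<version>/manifest.json.
Permission weights and threshold are arbitrary choices for this demo.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or alter arbitrary browsing.
# Weights are hypothetical; tune them for your environment.
RISKY_PERMISSIONS = {
    "<all_urls>": 3,
    "debugger": 3,
    "webRequest": 2,
    "webRequestBlocking": 2,
    "cookies": 2,
    "history": 2,
    "clipboardRead": 2,
    "nativeMessaging": 2,
    "declarativeNetRequest": 1,
    "tabs": 1,
    "scripting": 1,
}


def _requested(manifest):
    """Collect permissions, host patterns and content-script matches.

    MV2 mixes host patterns into "permissions"; MV3 moves them to
    "host_permissions". Content scripts carry their own "matches" list.
    """
    found = set(manifest.get("permissions", []))
    found.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found


def score_manifest(manifest):
    """Return (score, reasons) for one parsed manifest dict."""
    score, reasons = 0, []
    for item in sorted(_requested(manifest)):
        if item in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[item]
            reasons.append(item)
        elif item.startswith(("*://*/", "http://*/", "https://*/")):
            # A wildcard host pattern covering every origin for that scheme.
            score += 3
            reasons.append(item)
    return score, reasons


def audit_profile(profile_dir, threshold=4):
    """Return {extension_id: details} for extensions at or above threshold."""
    flagged = {}
    for manifest_path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip, do not crash the sweep
        score, reasons = score_manifest(manifest)
        if score >= threshold:
            flagged[ext_id] = {"name": manifest.get("name", "?"),
                               "score": score, "reasons": reasons}
    return flagged


def blocklist_policy(flagged):
    """Render the flagged IDs as a Chrome ExtensionSettings policy fragment."""
    return {ext_id: {"installation_mode": "blocked",
                     "blocked_install_message": "Blocked by audit: " + ", ".join(info["reasons"])}
            for ext_id, info in flagged.items()}


# Constructed sample manifests (IDs are 32 chars in a-p, as Chrome uses).
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Coupon Finder (sample)", "manifest_version": 3,
        "permissions": ["cookies", "webRequest", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Dark Theme (sample)", "manifest_version": 3,
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://example.com/*"], "css": ["dark.css"]}],
    },
}


def build_sample_profile():
    """Write the constructed manifests into a temp dir shaped like a profile."""
    root = Path(tempfile.mkdtemp())
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        ext_dir = root / "Extensions" / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    flagged = audit_profile(build_sample_profile())
    print(json.dumps(flagged, indent=2))
    print(json.dumps({"ExtensionSettings": blocklist_policy(flagged)}, indent=2))
```

Point it at a real profile directory (on Windows, typically %LOCALAPPDATA%\Google\Chrome\User Data\Default) to inventory what users have actually installed; the policy fragment it emits is a starting point for a blocklist, but an allowlist (blocking "*" and permitting known IDs) is the stronger posture.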
Market Moves: Zscaler Acquires SquareX
On the business side, Zscaler’s acquisition of SquareX is interesting because it shows where the market thinks browser security is heading. SquareX specializes in secure browsing technology, and this acquisition puts Zscaler in direct competition with CrowdStrike and Palo Alto Networks, who are also investing heavily in this space.
The timing isn’t coincidental. With remote work still prevalent and browser-based attacks becoming more sophisticated, secure browsing is becoming a critical component of zero trust architectures. The fact that major players are making significant investments here tells us this isn’t just a trend – it’s becoming table stakes.
What This Means for Us
The common thread running through these stories is concentration – whether it’s one attacker dominating Ivanti exploitation or hundreds of malicious extensions reaching millions of users. We’re not just dealing with distributed, random threats anymore. We’re seeing focused, systematic approaches that require equally systematic defenses.
The Ivanti situation particularly concerns me because it suggests we might be dealing with a threat actor that has developed reliable exploitation techniques and is using them at scale. That’s the kind of threat that can turn a vulnerability disclosure into a widespread compromise very quickly.
For our day-to-day operations, this reinforces the importance of rapid patch management, especially for internet-facing systems and privileged access tools, where the window between disclosure and exploitation is now measured in days. It also highlights why we need better visibility into what our users are installing and running, even in seemingly benign environments like browser extension stores.