Critical Ivanti VPN flaws are being widely exploited - here’s how to protect yourself


Exploitation of vulnerabilities in Ivanti’s Connect Secure and Ivanti Policy Secure products has prompted CISA to issue an urgent alert to at-risk organizations.

CISA said it has seen “widespread and active exploitation” of the vulnerabilities and warned that successful exploitation of these would allow an attacker to move across systems, steal data, and gain persistent access to systems, resulting in “full compromise of target information systems”.

Because this posed an “unacceptable risk” to federal civilian executive branch agencies, CISA has asked them to take emergency action.

Ivanti VPN flaws: What's the problem?

Earlier this month Ivanti warned about the two vulnerabilities, which affect all supported versions from 9.x to 22.x.

The firm issued an advisory first highlighting CVE-2023-46805, a vulnerability found in the web component of Ivanti Connect Secure and Ivanti Policy Secure.

This is an authentication bypass vulnerability which could allow a remote attacker to access restricted resources by bypassing control checks. This flaw has a CVSS score of 8.2.

A second flaw, tracked as CVE-2024-21887, is a command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure.

This vulnerability, which CISA said can be exploited over the internet, allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the affected products. This flaw was rated as a 9.2 on the CVSS scale.

When combined, these vulnerabilities could allow an attacker to execute arbitrary commands on a vulnerable system.

Ivanti has released a temporary mitigation in the form of an XML file that can be imported into the products to apply the necessary configuration changes until a permanent update is available.

CISA said agencies should implement the mitigation immediately, with a deadline of last night (22 January), and run Ivanti’s External Integrity Checker Tool to see if there was any indication that the system had been compromised.

If any compromise was detected, CISA said, agencies should remove the compromised products from their networks. They should then start their incident analysis, preserve data from the compromised devices through the creation of forensic hard drive images, and hunt for indications of further compromise.

CISA has also detailed the steps for bringing the hardware online again afterwards.
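The sequence above (affected version range, mitigation XML, External Integrity Checker Tool, then isolation, forensic imaging and hunting if compromise is found) is easy to lose track of across a fleet of appliances. The following Python triage helper is an added example, not code from the article, from Ivanti or from CISA: it takes a constructed appliance inventory and reports, per device, whether the version falls in the affected 9.x to 22.x range and which step in CISA's sequence comes next. The version-string format (`major.minor` with an optional release suffix) and the inventory fields are assumptions.

```python
"""Triage helper for Ivanti Connect Secure / Policy Secure appliances.

Added example (not from the article, Ivanti or CISA). Given an inventory,
it decides for each appliance whether it is in the affected version range
(all supported versions 9.x to 22.x, per the article) and which of CISA's
steps comes next: import the mitigation XML, run the External Integrity
Checker Tool (ICT), and, if the ICT reported compromise, remove the device
from the network, take a forensic disk image and hunt for further compromise.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: version strings look like "<major>.<minor>" with an optional
# release suffix such as "R18"; only the major number decides affectedness.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)")
AFFECTED_MAJORS = range(9, 23)  # 9.x through 22.x inclusive


@dataclass
class Appliance:
    name: str
    version: str
    mitigation_applied: bool
    ict_run: bool
    ict_compromised: bool  # only meaningful when ict_run is True


def is_affected(version: str) -> bool:
    """Return True when the major version number falls in 9..22."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(match.group(1)) in AFFECTED_MAJORS


def next_action(appliance: Appliance) -> str:
    """Map an appliance's state onto the next step in CISA's sequence."""
    if not is_affected(appliance.version):
        return "not in affected range; no action"
    if not appliance.mitigation_applied:
        return "import Ivanti mitigation XML now"
    if not appliance.ict_run:
        return "run External Integrity Checker Tool"
    if appliance.ict_compromised:
        return ("remove from network; take forensic disk image; "
                "hunt for further compromise")
    return "mitigated and clean; apply vendor patch when released"


def _as_bool(field: str) -> bool:
    return field.strip().lower() in {"yes", "y", "true", "1"}


def parse_inventory(text: str) -> list[Appliance]:
    """Parse CSV lines: name,version,mitigated,ict_run,ict_compromised.

    Blank lines and lines starting with '#' are ignored.
    """
    appliances = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, mitigated, ict_run, compromised = (
            part.strip() for part in line.split(","))
        appliances.append(Appliance(name, version, _as_bool(mitigated),
                                    _as_bool(ict_run), _as_bool(compromised)))
    return appliances


def triage(inventory_text: str) -> dict[str, str]:
    """Return {appliance name: next action} for every inventory entry."""
    return {a.name: next_action(a) for a in parse_inventory(inventory_text)}


# Constructed sample inventory; names and versions are made up for the demo.
SAMPLE_INVENTORY = """
# name,version,mitigation_applied,ict_run,ict_compromised
vpn-edge-1,22.3R1,no,no,no
vpn-edge-2,9.1R18,yes,no,no
vpn-edge-3,22.2R3,yes,yes,yes
vpn-edge-4,22.4R2,yes,yes,no
legacy-lab,8.3R7,no,no,no
"""

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12s} -> {action}")
```

The ordering of the checks matters: an appliance that has not yet had the mitigation imported is told to do that before anything else, and the ICT result is only consulted once the tool has actually been run, so a stale "not compromised" flag from an inventory never short-circuits the check.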

Who are the attackers?

Security company Volexity has been tracking the hackers trying to use these flaws after it spotted suspicious behavior on the network of one of its Network Security Monitoring service customers in December, which it reported to Ivanti.

Volexity said these hackers, which it tracks as ‘UTA0178’, are a group backed by China.

“Once UTA0178 had access into the network via the [Ivanti Connect Secure] VPN appliance, their general approach was to pivot from system to system using compromised credentials,” the firm said.

“They would then further compromise credentials of users on any new system that was breached, and use these credentials to log into additional systems.”


Since then, exploitation of the vulnerabilities has become more widespread. At one point last week, Volexity was able to find evidence of compromise on over 2,100 devices worldwide.

That’s perhaps because additional attackers beyond UTA0178 have access to the exploit and are actively trying to attack devices, too.

In one case, Volexity saw an attacker deploying XMRig cryptocurrency miners, but it has also seen multiple URLs being used to download a Rust-based payload – the company is currently analyzing what this malware does.

Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals.

According to data from security monitoring body Shadowserver, there are a number of compromised systems still online. Mandiant has also shared details of five malware families associated with the exploitation of the vulnerabilities.

What happens next?

Ivanti said that it has provided the mitigation while the patch is in development and warned customers it was “critical that you immediately take action” to ensure they are protected.

The company said that patches will be released in a staggered schedule.

The first version is expected to be available to customers the week of 22 January while the final version is targeted to be available the week of 19 February.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.