On January 10 [2], Ivanti disclosed two critical zero-day vulnerabilities [1] [6], tracked as CVE-2023-46805 and CVE-2024-21887 [1] [7], affecting its Connect Secure (ICS) VPN appliance [2]. These vulnerabilities have led to a significant number of compromised devices globally.

Description

Volexity researchers discovered these vulnerabilities in December and have found evidence of over 1,700 compromised Ivanti Connect Secure VPN devices worldwide [5] [6] [7]. The number of compromised VPNs has been increasing since the vulnerabilities were disclosed [2]; a recent scan identified at least 1,700 compromised VPNs out of 30,000 devices [2]. The majority of infections are attributed to a single actor [2], UTA0178 [2] [3] [4] [6], but other threat actors have also attempted exploitation [2], and a further group named UTA0188 also has access to the exploit [3]. The attacks have been attributed to a nation-state threat actor [4], UNC5221 [4], believed to be China-sponsored hackers [7], and the group used multiple custom malware families in its campaign [4]. Mandiant incident responders have identified indicators of compromise for that custom malware [7]. The attacks have been ongoing since early December [7].

The victims range from small organizations to Fortune 500 companies across various sectors [2] [6] [7], including government [3], military [2] [3], telecoms [3], technology [3], finance [2] [3], consulting [3], and aerospace [3]. Infections have been found on every continent, so they are not limited to the United States. Ivanti has confirmed additional customers who were exploited following its initial advisory [6]; so far [1] [4], fewer than 20 customers have been impacted [4]. The number of compromised organizations is suspected to be even higher, as there are more than 17,000 internet-visible Ivanti VPN appliances worldwide [1], and more than 16,800 Connect Secure appliances are currently exposed to the internet [5].

The vulnerabilities allow unauthenticated remote code execution on affected devices [4] and carry severity scores of 8.2 and 9.1 out of 10.0 [4]. Ivanti’s Policy Secure gateway is also affected by the flaws. The exploits for CVE-2023-46805 and CVE-2024-21887 have allowed attackers to breach organizations and place webshells on their servers [7], and Volexity has detected evidence of widespread scanning for the vulnerabilities [7]; they are being widely exploited [5].

Ivanti has acknowledged the mass hacks and plans to release patches for the vulnerabilities starting the week of January 22 and February 19 [2]. In the meantime [1] [2], customers can use a mitigation released by Ivanti to block potential exploits [2], and administrators are advised to apply it [5]. Ivanti also provides an Integrity Checker Tool for Connect Secure VPN to detect compromises [2]. Organizations using Ivanti Connect Secure VPN devices are advised to implement the temporary mitigations and check for evidence of compromise [7]. Applying mitigations and patches will not resolve a past compromise [7], so organizations should review their logs and network telemetry for signs of successful exploitation [7]. In the event of a compromise [2], it is advised to isolate the device and follow an incident response playbook [2], potentially with support from Ivanti or incident response providers [2]. Ivanti and Rapid7 have provided recovery guidance and a technical analysis of the vulnerabilities [7].

Conclusion

The impact of these vulnerabilities is significant, with a large number of compromised Ivanti Connect Secure VPN devices worldwide. Organizations across various sectors [2], including Fortune 500 companies [2] [5] [6] [7], have been affected [1] [4]. While Ivanti plans to release patches for the vulnerabilities [2], administrators are advised to implement the temporary mitigations, review their systems for signs of compromise, and stay vigilant until patches are available. The ongoing attacks and the involvement of nation-state threat actors highlight the importance of maintaining strong cybersecurity measures.

References

[1] https://techcrunch.com/2024/01/16/hackers-ivanti-vpn-mass-exploitation/
[2] https://www.darkreading.com/cloud-security/ivanti-zero-day-exploits-skyrocket-no-patches
[3] https://www.infosecurity-magazine.com/news/ivanti-zerodays-exploited-multiple/
[4] https://www.crn.com.au/news/mandiant-attacks-exploiting-ivanti-vpn-flaws-began-in-december-604079
[5] https://thecyberwire.com/newsletters/daily-briefing/13/10
[6] https://www.crn.com/news/security/2024/ivanti-vpn-vulnerabilities-seeing-mass-exploitation-researchers
[7] https://www.helpnetsecurity.com/2024/01/16/ivanti-vpn-compromised/