Ivanti VPN appliance breach hits critical mass

OVERKILL

“As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” the agency said in a fresh emergency directive that ramps up the pressure on defenders to mitigate at least three Ivanti security defects being actively exploited in the wild.

CISA is pushing Federal Civilian Executive Branch (FCEB) agencies to “continue threat hunting on any systems connected to — or recently connected to — the affected Ivanti device” and monitor the authentication or identity management services that could be exposed.

Within 48 hours, the agency said federal network admins must also isolate the systems from any enterprise resources to the greatest degree possible, and continue to audit privilege level access accounts.

To bring a product back into service, CISA said agencies are required to export the device configuration settings, complete a factory reset per Ivanti’s instructions, and rebuild the device AND upgrade to a fully patched software version.

*snip*

In all, Ivanti has documented four separate issues:

  • CVE-2023-46805 — An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. CVSS severity score 8.2/10. Confirmed exploited as zero-day.
  • CVE-2024-21887 — A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. CVSS 9.1/10. Exploitation confirmed.
  • CVE-2024-21888 — A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. CVSS 8.8/10.
  • CVE-2024-21893 — A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. CVSS severity score 8.2/10. Targeted exploitation confirmed.

Volexity first spotted exploitation of these issues three weeks ago and warned that a Chinese government-backed APT hacking team had built an exploit chain to break into US organizations.

Malware hunters at Mandiant are reporting “broad exploitation activity” via automated methods and noted that hackers linked to China have been hitting these bugs as far back as December 3, 2023. SecurityWeek sources say cybercriminal groups have pounced on the public exposures to deploy cryptomers and backdoors.

I assume they mean *cryptominers*.

This is a devastating situation for not only the company, but potentially for anyone using this equipment that is at extreme risk of being backdoored.

It will be interesting to see what the fallout from this actually looks like, as investigation results are tallied.
 
Interesting, especially since I have never heard of that specific VPN. I’m guessing it’s “commercial facing.”

On a related note, if, after reading the article, you scroll down to “latest news” on the same site, we find Okta, Proofpoint, and a couple of other companies laying off employees in order to achieve “profitable growth.”

At the same time, it appears from other articles on that page that the current state of cybersecurity, at least in the US, resembles a cat chasing its tail.
 
Ouch... Can't get into any specifics, but that VPN is used to access some fairly serious data for some fairly serious agencies.
They list their customers on their webpage, at least the biggest out of 40,000 of them.
Quite the list.
The biggest issue is of course the .gov:

CISA also issued 2024's first emergency directive (ED 24-01), ordering federal agencies to immediately mitigate the CVE-2023-46805 and CVE-2024-21887 Ivanti zero-day flaws in response to mass exploitation by multiple threat actors.

When chained, the two zero-days let attackers move laterally within victims' networks, steal data, and establish persistent access by deploying backdoors.

The list of victims discovered so far includes government and military organizations worldwide, national telecom companies, and defense contractors, as well as banking, finance, and accounting organizations and aerospace, aviation, and tech firms.

They all vary significantly in size, ranging from small businesses to some of the largest multinational conglomerates, including multiple Fortune 500 companies from various industry sectors.

Mandiant found five custom malware strains deployed in these extensive attacks that help threat actors steal credentials, deploy webshells, and drop additional malicious payloads.

Volexity and GreyNoise have also observed attackers deploying XMRig cryptocurrency miners and Rust-based malware payloads on some victims' compromised systems.
 