Last week, we reported on zero-day vulnerabilities affecting Ivanti’s Connect Secure VPN and Policy Secure network access control appliances. This week, reports indicate that the vulnerabilities are under massive exploitation. The attackers use a GIFTEDVISITOR webshell variant to backdoor their targets' systems. The victims include government and military departments, national telecommunications companies, defense contractors, technology companies, banking, finance, and accounting organizations, consulting outfits, and aerospace, aviation, and engineering firms.
List of tools used in current attacks:
While Ivanti is yet to release patches for the zero-days, the attacks have escalated, involving multiple threat groups. The suspected Chinese state-backed threat actor (tracked as UTA0178 or UNC5221) has been joined by other threat groups.
Avertium’s Recommendations
Overview
Chinese threat actors are targeting Ivanti's widely used VPN appliance, Ivanti Connect Secure (ICS). The associated vulnerabilities are tracked as CVE-2023-46805 and CVE-2024-21887 and allow threat actors to bypass two-factor authentication, as well as execute malicious code within targeted networks.
Similar to Ivanti’s Avalanche vulnerabilities, these current flaws could have far-reaching consequences for organizations relying on Ivanti solutions. The threat actors, suspected to be a Chinese nation-state-level threat actor known as UTA0178, have exploited CVE-2023-46805 and CVE-2024-21887 not only to bypass authentication but also to execute arbitrary commands, potentially leading to network compromise. Researchers from Volexity stated that the threat actors backdoored the compromised network by installing a web shell interface on Internet-facing web servers before hiding their tracks from investigators.
CVE-2023-46805 has a CVSS score of 8.2 and is described by Ivanti as an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. It allows a remote attacker to access restricted resources by bypassing control checks.
CVE-2024-21887 has a CVSS score of 9.1 and is described by Ivanti as a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. The vulnerability allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Organizations using Ivanti Connect Secure should follow Ivanti’s mitigation guidance and implement the recommendations immediately while Ivanti continues to work on developing patches for the zero-days. Patches are expected to be released in a staggered schedule, with the first version being released during the week of January 22 and the final version during the week of February 19.
INDICATORS OF COMPROMISE (IoCs)
IPV4
Domains
SUPPORTING DOCUMENTATION
Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity
Actively exploited 0-days in Ivanti VPN are letting hackers backdoor networks | Ars Technica
Ivanti warns of Connect Secure zero-days exploited in attacks | BleepingComputer
Ivanti Connect Secure zero-days now under mass exploitation | BleepingComputer