As the new year unfolds, global threat actors have launched serious cyber attacks, with healthcare organizations among their targets. In January, Chinese APT (Advanced Persistent Threat) actors were reported to be focusing on critical U.S. infrastructure (political, military, and civilian), aiming to cause “real-world harm.”

In addition to actively exploiting Ivanti VPNs, alarms went off last month when it was discovered that Chinese espionage groups are also exploiting VMware vulnerabilities.

Ivanti VPNs exploited by global threat actors

Ivanti systems are critical parts of a healthcare network and are prime targets for nefarious activities. If attacked, healthcare organizations may be unable to use their connected medical technologies, resulting in downtime procedures or delays in patient care.

In January, it was discovered that Chinese APT hackers were actively exploiting at least two zero-day Ivanti vulnerabilities, using living off-the-land tactics to bypass multi-factor authentication (MFA).

The attack impacts all supported versions of Ivanti Connect Secure (ICS) (formerly known as Pulse Connect Secure) and Ivanti Policy Secure Gateways.

Patches were scheduled to begin rolling out the week of January 19th. However, during development, two additional zero-days were discovered, delaying Ivanti’s release of the new patches.

In response, Ivanti and CISA provided updated mitigation steps until the new patches are available, including:

  • Refrain from pushing configurations to appliances with XML in place
  • Avoid pushing the configurations until the appliances have been patched
  • Factory reset all vulnerable Ivanti products before applying the update to prevent an attacker from gaining upgrade persistence
  • Import the new mitigation “mitigation.release.20240107.1.xml’ file via the Ivanti download portal, or download and apply patches
  • Run the Ivanti’s external Integrity Checker Tool (ICT)
  • Evidence of attempts to manipulate Ivanti’s internal ICT has been observed
    • Ensure external and internal ICT running are the latest versions

Reference Volexity’s GitHub page for additional recommendations.

Steps to identify and begin remediation after an attack

Here are some ways to detect a compromised Ivanti Connect Secure VPN appliance:

  1. Analyze anomalous traffic originating from their VPN appliances
  2. Monitor logs at System -> Log/Monitoring from the admin interface
  3. Once saved locally, the tool is run by uploading a package to the server and installing it as a service pack
    • The tool will then run and should display any new or mismatched files discovered on the Ivanti device screen

What to do in the event that your ICS VPN appliance is compromised:

  • Avoid wiping and rebuilding the ICS VPN appliance
  • Collect logs, system snapshots, and forensics artifacts (memory and disk)
  • Start tracking potential lateral movement from their ICS VPN appliance
  • Any credentials, secrets, or other sensitive data stored on the ICS VPN appliance should be considered compromised. As a result, password resets, changing of secrets, and additional investigations may be needed.

Exploitations of VMware vulnerabilities

The Chinese espionage group UNC3886 has been exploiting CVE-2023-34048 since late 2021. The attack affects all supported versions of VMware vCenter Server and VMware Cloud Foundation (VCF).

This vulnerability is being actively exploited in the wild, allowing threat actors to access the vCenter Server through remote code execution. When hackers successfully access a single vCenter Server, many applications, including those used in healthcare, can be compromised and taken offline.

Upgrades were released in October 2023 to address flaws, however, many devices remain vulnerable to an attack. Due to the lack of alternative mitigations, vulnerable systems should be updated immediately.

Because of the critical nature of this weakness, VMware also issued security patches for multiple end-of-life products without active support. General patches were made available for vCenter Server 6.7U3, 6.5U3, 8.0U1, and VCF 3.x.

Here are the recommended actions to take to protect your organization:

  • Review KB95536 before installing any updates
  • Apply individual product updates to VCF environments before upgrading with the Async Patch Tool
  • Ensure strict control of network perimeter access to vSphere management components

 

Defending against threat actors

The exploitation of vulnerabilities by global threat actors serves as a reminder of the relentless attacks on patient information and our healthcare infrastructure.

To better understand what other healthcare organizations are doing to address these evolving cyber threats, watch our webinar with Louis Wright, Director of IT Infrastructure & CISO at the University of South Alabama Health (USA Health).