Alert essentials:
Two zero-day vulnerabilities are being actively exploited in the wild, resulting in threat actors obtaining control of networks. An authentication bypass and command injection are combined, allowing them to run commands that lead to complete system control. Patches are not yet available; apply mitigation immediately!

Email Team


Detailed threat description:
Chinese APT threat actors mainly live off the land in this exploit, and MFA can also be bypassed. JavaScript loaded at the login page of the appliance is rewritten to force the VPN to capture credentials used for access. Bad actors then use obtained credentials to pivot to internal systems and eventually move laterally about the network.

No patches are currently available. Patches will be released on a staggered schedule. The first version is targeted to be available to customers the week of 22 January, and the final version is targeted to be available the week of 19 February. Ivanti has provided mitigation steps until the patches are released. CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing the mitigation.release.20240107.1.xml file via the Ivanti download portal.

Note: Evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker tool (ICT) has been identified. Out of an abundance of caution, Ivanti recommends that all customers run the external ICT. A new functionality was added to the external ICT that will be incorporated into the internal ICT in the future. Ivanti regularly provides updates to the external and internal ICT, so customers should ensure they are running the latest version of each. The ICT is a snapshot of the current state of the appliance and won’t necessarily detect threat actor activity if they have returned the appliance to a clean state. Nor does a mitigation remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed to look for signs of a breach. Reference Velocity’s blog for more on their investigation.

Update 1/31/24: The original patch release of critical Ivanti fixes for Ivanti Connect Secure and Ivanti Policy Secure Servers has been delayed. During the development of patches for CVE-2023-46805 and CVE-2024-21887, two more zero-days were discovered CVE-2024-21888 and CVE-2024-21893. Since the initial release of information on the original zero-days, researchers discovered the previous mitigation has been bypassed by sophisticated threat actors, and a new mitigation has been released.

Due to active exploitation, CISA released an emergency directive requiring Federal Civilian Executive Branch agencies using Ivanti Connect Secure and Ivanti Policy Secure to implement mitigations immediately and apply updates within 48 hours of release. The updated mitigation is available to download from the Ivanti portal. The first patches addressing all four zero-days are now available for versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and ZTA version 22.6R1.3

However, before applying a patch, Ivanti recommends administrators perform a factory reset on devices. This recommendation is intended to prevent the possibility of a bad actor obtaining upgrade persistence.

APPLY MITIGATIONS NOW AND PATCHES AS SOON AS THEY ARE AVAILABLE!

Impacts on healthcare organizations:
This VPN exploit has the potential to impact operations due to the probability of life-saving technology being unavailable during an attack. Internet accessible systems remain a favorite target for the threat actors. They live on critical parts of the network and are typically positioned in an ideal spot for malicious activities.

Affected products / versions:

  • Affects all supported versions of Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Ivanti Policy Secure Gateways

CVEs

  • CVE-2023-46805
  • CVE-2024-21887
  • CVE-2024-21888
  • CVE-2024-21893

KBs

  • KB43892
  • KB44755


Recommendations

Engineering recommendations:

  • Stop pushing configurations to appliances with XML in place
  • Do Not resume pushing the configurations until the appliances have been patched
  • Factory reset all vulnerable Ivanti products before applying the update to prevent an attacker from gaining upgrade persistence
  • Import the new mitigation “mitigation.release.20240107.1.xml’ file via the Ivanti download portal, or download and apply patches
  • Run the external Integrity Checker Tool
  • Continue to monitor. There are three primary ways to detect activity associated with a compromised Ivanti Connect Secure VPN appliance:
    1. Network Traffic Analysis-Examine anomalous traffic originating from their VPN appliances
    2. VPN Device Log Analysis- monitor logs at System -> Log/Monitoring from the admin interface
    3. Using the Integrity Checker Tool-Once saved locally, the tool is run by uploading a package to the server and installing it as a Service Pack. The tool will then run and display its results on screen. This includes whether any new or mismatched files are discovered

Leadership / program recommendations:

  • If you discover that your ICS VPN appliance is compromised, it is important to take immediate action
  • You do not want to simply wipe and rebuild the ICS VPN appliance. Collecting logs, system snapshots, and forensics artifacts (memory and disk) from the devices is crucial
  • Pivoting to analyzing internal systems and tracking potential lateral movement should be done as soon as possible
  • Further, any credentials, secrets, or other sensitive data that may have been stored on the ICS VPN appliance should be considered compromised. This may warrant password resets,  changing of secrets, and additional investigations.
  • It is strongly recommended that organizations look for signs of lateral movement internally from their ICS VPN appliance that is not consistent with expected behavior from the device. Proactive checks of any externally facing infrastructure may also be warranted if internal visibility is limited.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: