Alert essentials: Government agencies suggest network administrators with vulnerable Ivanti Connect Secure and Ivanti Policy Secure devices assume compromise. Two Zero-Day vulnerabilities are being actively exploited in the wild, resulting in threat actors obtaining control of networks. When combined, an authentication bypass and command injection allow threat actors to run commands that lead to complete system control.
Apply the newest mitigation immediately.
Detailed threat description:
Assume Compromise and Rootkit Level Persistence
As an update to prior Fortified Threat Bulletins on this topic, joint government agencies have observed these exploits chained together to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. These flaws allow bad actors to deploy web shells, bypass authentication, and gain lateral movement on targeted networks. Independent testing of Ivanti’s Integrity Checker Tool (ICT) has proven the software does not adequately detect compromise. Additionally, root-level persistence may be achieved even with a factory reset of vulnerable devices.
Therefore, joint advisories suggest organizations with vulnerable devices should consider them compromised and be aware that persistence may have been achieved. Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials.
Security agencies warn that multiple threat actors are exploiting the flaws in mass numbers and likely have been since December 2023. These alerts and recent investigations prompted CISA to recommend physically disconnecting vulnerable devices immediately!
Federal agencies were ordered to disconnect ALL Ivanti Connect Secure and Ivanti Policy Secure instances from their networks within 48 hours. Agencies are instructed to remove the devices from their networks, export configurations, and factory reset devices. After the reset, apply the latest updates from Ivanti and import the configurations, changing all passwords, keys, and exposed certificates.
This threat bulletin is associated with two other bulletins we released in early January and early February:
- https://fortifiedhealthsecurity.com/threat-bulletin/ivanti-vpns
- https://fortifiedhealthsecurity.com/threat-bulletin/ivanti-exploit-update
Impacts on healthcare organizations:
Affected products / versions:
- Affects all supported versions of Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Ivanti Policy Secure Gateways
CVEs
- CVE-2023-46805
- CVE-2024-21887
- CVE-2024-21888
- CVE-2024-21893
- CVE-2024-22024
KBs
- KB43892
- KB44755
Recommendations
Engineering recommendations:
- Assume vulnerable devices are compromised and disconnect from the network
- Conduct threat hunting on devices and networks by collecting and analyzing logs for malicious activity
- Assume domain accounts associated with these devices have been compromised, so reset passwords twice for on-premise accounts, revoke any Kerberos tickets, and revoke other tokens for cloud accounts if your organization is running a hybrid deployment
- Monitor any potentially exposed authentication or identity services, and audit accounts with privileged access
- Revoke and reissue connected or exposed certificates, keys and passwords – this includes resetting admin enable passwords, resetting stored application programming interface (API) keys, and resetting any passwords belonging to local users defined on the gateway. This last step should include service accounts used for auth server configuration\Export configuration settings from devices to be reset to factory origins
- Factory reset all vulnerable Ivanti products before applying the update
Leadership / program recommendations:
- It is strongly recommended that organizations look for signs of compromise
- Consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment
- Wiping and rebuilding the ICS VPN appliance is not advised as an immediate action; collecting logs, system snapshots, and forensics artifacts (memory and disk) from the devices is crucial
- Analyzing internal systems and tracking potential lateral movement should be done as soon as possible
- Further, any credentials, secrets, or other sensitive data that may have been stored on the ICS VPN appliance should be considered compromised; this may warrant password resets, changing of secrets, and additional investigations
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Official Advisory: https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- CISA: https://www.cisa.gov/news-events/alerts/2024/01/10/ivanti-releases-security-update-connect-secure-and-policy-secure-gateways
- https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities
- https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-hacked-ivanti-vpn-gateways-even-after-factory-resets
- https://services.google.com/fh/files/misc/ivanti-connect-secure-remediation-hardening.pdf
- Updated CISA Instruction: Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways | CISA
- https://www.cisa.gov/news-events/news/cisa-us-and-international-partners-warn-ongoing-exploitation-multiple-ivanti-vulnerabilities
- Factory Reset Instructions: Recovery Steps Related to CVE-2023-46805 and CVE-2024-21887 (ivanti.com)
