Alert essentials:
Two zero-day vulnerabilities are being actively exploited in the wild, resulting in threat actors obtaining control of networks. An authentication bypass and command injection are combined, allowing them to run commands that lead to complete system control. Patches are not yet available; apply mitigation immediately!
Detailed threat description:
Chinese APT threat actors mainly live off the land in this exploit, and attackers can bypass MFA. JavaScript loaded at the login page of the appliance is rewritten to force the VPN to capture credentials used for access. Bad actors then use obtained credentials to pivot to some internal systems and eventually move laterally about the network.
No patches are currently available.
Patches will be released in a staggered schedule, with the first version targeted to be available to customers the week of January 22nd and the final version targeted to be available the week of February 19th. Ivanti has provided mitigation steps until the patches are released. CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing the mitigation.release.20240107.1.xml file via the Ivanti download portal.
Of note: Evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker tool (ICT) has been seen. Out of an abundance of caution, Ivanti recommends that all customers run the external ICT.
A new functionality was added to the external ICT that will be incorporated into the internal ICT in the future. Ivanti regularly provides updates to the external and internal ICT, so customers should always ensure they are running the latest version of each. The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. Nor does a mitigation remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed to look for signs of a breach.
Reference Veloxity’s blog for more on their investigation (see references section).
Impacts on healthcare organizations:
Internet-accessible systems remain a favorite target for threat actors. These systems are on critical parts of the network and typically sit at the perfect location for nefarious activities. This VPN exploit has the potential to impact operations due to the probability of life-saving technology being unavailable during an attack.
Affected products / versions:
- Affects all supported versions of Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Ivanti Policy Secure Gateways
CVEs
- CVE-2023-46805
- CVE-2024-21887
KBs
- KB43892
- KB44755
Recommendations
Engineering recommendations:
- Import mitigation.release.20240107.1.xml file via the Ivanti download portal
- Run the external Integrity Checker Tool
- There are three primary ways to detect activity associated with a compromised Ivanti Connect Secure VPN appliance:
- Network Traffic Analysis: Examine anomalous traffic originating from their VPN appliances
- VPN Device Log Analysis: Monitor logs at System -> Log/Monitoring from the admin interface
- Using the Integrity Checker Tool: Once saved locally, the tool is run by uploading a package to the server and installing it as a Service Pack. The tool will then run and display its results on the screen. This includes whether any new or mismatched files are discovered.
Leadership / program recommendations:
- If you discover that your ICS VPN appliance is compromised, it is important to take immediate action
- You do not want to simply wipe and rebuild the ICS VPN appliance. Collecting logs, system snapshots, and forensics artifacts (memory and disk) from the devices is crucial
- Pivoting to analyzing internal systems and tracking potential lateral movement should be done as soon as possible
- Further, any credentials, secrets, or other sensitive data that may have been stored on the ICS VPN appliance should be considered compromised. This may warrant password resets, changing of secrets, and additional investigations.
- It is strongly recommended that organizations look for signs of lateral movement internally from their ICS VPN appliance that is not consistent with expected behavior from the device. Proactive checks of any externally facing infrastructure may also be warranted if internal visibility is limited.
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Official Advisory: https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- CISA: https://www.cisa.gov/news-events/alerts/2024/01/10/ivanti-releases-security-update-connect-secure-and-policy-secure-gateways
- Integrity Checker Tool: https://forums.ivanti.com/s/article/KB44755?language=en_US
- Ivanti Download Portal: Product Software Access & Downloads | Ivanti
- KB mitigation: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- Volexity Github page: threat-intel/2024/2024-01-10 Ivanti Connect Secure/indicators/yara.yar at main · volexity/threat-intel · GitHub
- Volexity Report: https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/