Varonis Threat Labs has seen a recent surge in threat actor activity targeting Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure VPN gateways.
The incidents involve chaining two vulnerabilities — CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection vulnerability — that lead to threat actors gaining the ability to remotely execute arbitrary commands.
Details of these vulnerabilities were publicly disclosed on January 10, 2024, and were quickly followed by the release of proof-of-concept (POC) code (POC 1, POC 2) as exploit modules for the popular Metasploit attack framework.
Initial reports indicate that a threat actor began exploiting targets as early as December 2023, with increased activity continuing as more cybercriminals incorporate these exploits and techniques into their attack toolsets.
This information, coupled with a recent Shodan query that indicates that nearly thirty thousand appliances might be online, underscores the need for organizations to ensure they are adequately prepared for and protected from today’s cyber threats.
Shodan query for potential Ivanti deployments
Today’s threat landscape
Initial incidents involving the Ivanti vulnerabilities were attributed to a suspected Chinese-nexus threat actor known as ‘UTA0178’ and ‘UNC5221,’ along with recent activity being linked to a financially motivated threat actor dubbed ‘Magnet Goblin’ by Check Point.
Amongst the worldwide reports of organizations being targeted and compromised by various threat actors, the United States Cybersecurity and Infrastructure Security Agency (CISA) recently confirmed that it had identified malicious activity arising from the compromise of its own Ivanti products.
The CISA incident details are somewhat vague currently, but it is understood that threat actors have stolen credentials from compromised appliances and deployed webshells and reverse shells to gain and maintain persistence.
We continue to see threat actors using data exfiltration in the current threat landscape that are motivated by espionage and financial gain. Those motivated by financial gains often engage in ransomware and data extortion campaigns that quickly leverage emerging exploits to gain access to an organization’s data assets.
Regardless of who is responsible or what their motivations are, organizations should continue to act promptly, minimizing the window of exposure between vulnerability disclosure and remediation.
CVE-2023-46805
The attack chain commences with the exploitation of CVE-2023-46805, a high-severity authentication bypass vulnerability with a CVSSv3 base score of 8.2, affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x.
As demonstrated in the publicly available Metasploit module, a target appliance can be queried on a specific API endpoint to determine its vulnerability based on the HTTP response. If vulnerable, the API endpoint can be manipulated to traverse the directory structure and access a sensitive endpoint for further exploitation.
CVE-2024-21887
Following the authentication bypass, CVE-2024-21887 — a critical severity command injection vulnerability with a CVSSv3 base score of 9.1 — sends specially crafted requests that execute arbitrary commands on the affected appliance.
Without CVE-2023-46085, exploitation of this vulnerability would require authentication as an administrator, hence the severity when chained with the authentication bypass.
Based on a secondary public Metasploit module, this vulnerability arises from using the XMLTooling library that can be exploited with a Server-Side Request Forgery (SSRF).
Recommendations
In addition to assuming that a vulnerable device may have already been compromised, including the potential for rootkit-level persistence, CISA encourages organizations to believe that user and service account credentials within the affected appliance are also compromised.
In the first instance, organizations utilizing potentially vulnerable appliances should review both the updated Ivanti article and the Recovery Steps article for details of available patches, mitigations, and recovery steps, along with their Integrity Checker Tool (ICT).
When considering the use of Ivanti’s ICT, both Ivanti themselves and multiple national cybersecurity teams warn that the tool provides a point-in-time snapshot of the affected appliance and, as such, may not detect threats if the threat actor has restored it to a clean state.
Furthermore, it is recommended that organizations utilize Ivanti’s external ICT to avoid any malicious manipulation of results alongside continuous monitoring.
At Varonis, our Managed Detection and Response (MDDR) team helps mitigate complex threats to your most valuable asset: data.
We protect your business from material data breaches with 24x7x365 incident response, alert monitoring, and security posture management from Varonis data security experts.
Learn more about Varonis MDDR and schedule a quick demo with our team to reduce your risks without taking any.
