Ivanti VPN under widespread attack
Mitigate now, company warns
Two vulnerabilities in a widely used VPN are being actively exploited by several threat actors.
Ivanti Connect Secure (ICS, formerly Pulse Secure Connect Secure) is an SSL-based VPN solution used by organisations to provide secure remote access to internal networks and resources.
ICS has been the target of the suspected Chinese state-sponsored group UTA0178 in recent weeks, but other actors now also have access to the exploits and are rushing to make use of them, according to security company Volexity.
In a blog post, Volexity says that two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) are being actively exploited to compromise ICS VPN appliances.
"Exploitation of these vulnerabilities is now widespread. Volexity has been able to find evidence of compromise of over 1,700 devices worldwide," researchers at the company wrote.
Last week, Ivanti published a workaround to prevent exploitation of these vulnerabilities while a patch is being developed. It advised users to run its external integrity checker to test for a breach, since attackers have been observed trying to compromise the internal version. Passwords and secret keys should be treated as compromised and changed if a breach is detected.
Patches for the vulnerabilities should become available from 22nd January, according to Ivanti's website. Until that time, it is urging customers to take the recommended mitigating measures.
CVE-2023-46805 is an authentication bypass bug that allows remote unauthenticated attackers to access restricted VPN endpoints; CVE-2024-21887 is a command injection flaw that allows remote unauthenticated attackers to execute arbitrary operating system commands.
The two bugs can be chained together to fully compromise vulnerable VPN appliances, according to Volexity. This leaves the attacker free to install backdoors, exfiltrate data or conduct further attacks on the internal network.
The first compromise of ICS was observed on 3rd December, with the frequency of attacks increasing markedly after that.
Volexity identified government and military departments, telecoms, defence contractors, and technology and banking companies as among those compromised.
Analysis of compromised devices showed they had been backdoored with a variant of the GIFTEDVISITOR webshell, with modifications to this backdoor observed over time.
In July 2023, a flaw in Ivanti's Endpoint Manager Mobile (EPMM) software was used to attack agencies of the Norwegian government, among other targets. That attack was later attributed to the Russia-linked hacktivist group Killnet.