Chinese Hackers and Others Are Exploiting Two Zero-Days, Compromising Over 1,700 Ivanti VPN Appliances

State-sponsored hackers have exploited two Ivanti zero-days to compromise over 1,700 ICS VPN appliances, cybersecurity firm Volexity has found.

Ivanti disclosed the two zero-day vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, on January 10. They affect the Connect Secure and Policy Secure gateways. CVE-2023-46805 (CVSS v3 8.2) is an authentication bypass vulnerability in the web component (Ivanti Connect Secure 9.x, 22.x), while CVE-2024-21887 (CVSS v3 9.1) is a critical command injection vulnerability affecting the same products.

When chained, a threat actor could exploit the vulnerabilities to bypass multi-factor authentication and perform unauthenticated remote code execution (RCE).

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” Volexity explained in a comprehensive blog post.

Chinese hackers exploit zero-days on Ivanti VPN appliances

Volexity discovered exploitation of the critical security flaws after its Network Security Monitoring service detected lateral movement on a compromised customer's network. Upon further investigation, the cybersecurity firm detected the installation of web shells on several local and internet-facing servers.

The researchers also detected suspicious activity, such as log deletion and suspicious “communication from its management IP address.”

They traced the activity to the Ivanti Connect Secure (ICS) VPN appliance (formerly Pulse Connect Secure or Pulse Secure).

“In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” noted the researchers.

Additionally, the threat actor modified the VPN appliances to evade the ICS Integrity Checker Tool, and backdoored a legitimate CGI file (compcheckresult.cgi) to allow command execution. They also modified a JavaScript file in the Web SSL VPN component to enable keylogging, collect login credentials, and access other system components.

Volexity attributed the exploitation of Ivanti ICS zero-days to a suspected Chinese state-linked threat actor, UTA0178. Evidence also shows that other threat actors besides UTA0178 are preparing to exploit ICS zero-days.

“In addition to the discovery of widespread exploitation undertaken by UTA0178, analysis of logs from various ICS VPN appliances showed likely attempted exploitation by other threat actors, with noticeably poorer operational security than UTA0178,” Volexity warned.

According to John Gallagher, Vice President of Viakoo Labs at Viakoo, the exploitation of Ivanti zero-days CVE-2023-46805 and CVE-2024-21887 demonstrated “how quickly the efforts of one threat actor group can be replicated and extended by others, leading to the exponential growth of attacks in the last few days.”

Ivanti is working on security patches, which are expected to reach the public on January 22 and February 19, 2024.

Meanwhile, customers can secure their Ivanti VPN appliances by applying recommended mitigations in the form of a downloadable XML file and running an internal and external Integrity Checker tool to detect system tampering.

However, a threat actor’s presence is undetectable if they have cleaned or restored the VPN appliance to its original state after gaining access.

Similarly, the mitigations would not resolve past compromises, and ICS users must independently conduct in-house threat hunting to dislodge the threat actor from their networks.

“The attacker exploits two simple application layer vulnerabilities,” lamented Jeff Williams, co-founder and CTO at Contrast Security. “Both have been part of the OWASP Top Ten for over 20 years.”

“So it’s disappointing to see these kinds of flaws still being created. Just another demonstration that all software needs runtime protection to prevent exploits in addition to strong application security testing and remediation programs,” added Williams.

Thousands of businesses compromised via vulnerable Ivanti VPN appliances

When Ivanti disclosed the ICS zero-days in January, fewer than 20 customers had been compromised. However, the victims list has grown spectacularly to include businesses of all sizes in various sectors, including government, telecommunications, defense, technology, finance, aerospace, and consulting.

“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” noted Volexity.

By January 14, 2024, threat actors had exploited Ivanti zero-days to install GiftedVisitor web shells on over 1,700 Ivanti VPN appliances.

The researchers expected the true number of victims to be higher than reported, because some infected VPN appliances had been taken offline and their scan methodology only detected unpatched devices.

“As a result, Volexity suspects there may likely be a higher number of compromised organizations than identified through its scanning.”

Describing the Ivanti zero-days as “ConnectAround,” security researcher Kevin Beaumont suggested up to 15,000 devices were impacted.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-46805 and CVE-2024-21887 to the Known Exploited Vulnerabilities Catalog and urged customers to apply recommended mitigations.