Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)

Two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Ivanti Connect Secure VPN devices are under active exploitation by unknown attackers, Volexity researchers have discovered.

Patches for these flaws are currently unavailable, but the risk of exploitation can be mitigated by importing mitigation.release.20240107.1.xml file via Ivanti’s download portal.

About the vulnerabilities (CVE-2023-46805, CVE-2024-21887)

The two security flaws affect all supported versions (v9.x and 22.x) of Ivanti Connect Secure (ICS) – formerly known as Pulse Connect Secure – and Ivanti Policy Secure (a network access control solution).

CVE-2023-46805 allows attackers to bypass authentication (including multi-factor authentication) and CVE-2024-21887 is a command injection vulnerability in the devices’ web component that allows authenticated attackers to send specially crafted requests and execute arbitrary commands on the appliance.

By exploiting the former, attackers are able to leverage an exploit for the latter without actually authenticating themselves to the target device.

About the attacks

“During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers,” the company shared on Wednesday.

A subsequent incident response investigation revealed that the attackers got in via the the organization’s internet-facing Ivanti Connect Secure appliance, whose logs had been wiped and on which logging had been disabled. (Suspicious activity originating from the device started on December 3, 2023.)

They found evidence of the attackers leveraging two zero-days in tandem.

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system. In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” Volexity incident responders shared.

“Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool. Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution.”

The attacker – whom Volexity believes to be a Chinese nation-state-level threat actor – “also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.”

In a knowledge base article published on Wednesday, Ivanti said that they are “aware of less than 10 customers impacted by the vulnerabilities.”

Security researcher Kevin Beaumont used Shodan to discover the number of potentially vulnerable internet-facing Ivanti devices, and it turns out there are over 15,000.

In the last couple of years, organizations have embraced a hybrid approach to work and VPN devices have become a necessity to allow employees to securely access enterprise assets. Since these devices are always connected to the internet, exploiting their vulnerabilities – whether zero-days or not – has become a favorite tactic of well-resourced threat actors.

Mitigation and remediation

“Patches for supported versions will be released in a staggered schedule with the first version targeted to be made available for customers the week of 22nd January, 2024. The last version is targeted to be made available the week of 19th February 2024. Instructions on how to upgrade to a supported version will also be provided,” Ivanti said.

In the meantime, the aforementioned mitigation release should be applied and all customers are advised to run the external ICS Integrity Checker Tool (that has been added).

Unfortunately, this action won’t “boot out” the attackers. Organizations must check whether their systems have been compromised and, if they have, discover the extent of the compromise. Volexity’s post outlines indicators of compromise they can use, as well as advice on remediation.

“If a customer finds evidence they may have been compromised, they should engage with a forensic provider,” Ivanti has noted.

UPDATE (January 12, 2024, 06:50 a.m. ET):

Mandiant suspects the attacks are part of an espionage-motivated APT campaign.

The company has shared indicators of compromise for the custom malware used by the threat actors – scripts, web shells, a credential harvester, and a passive backdoor – as well as YARA rules to help defenders detect them.

UPDATE (January 15, 2024, 05:00 a.m. ET):

Security researchers have already demonstrated proof-of-concept exploits for the two flaws, but have refrained from publishing them until Ivanti releases patches.

UPDATE (January 16, 2024, 10:40 a.m. ET):

Mass exploitation of the vulnerabilities is under way, 1,700 devices have been compromised.