1,700 Ivanti VPN devices compromised. Are yours among them?
Over 1,700 Ivanti Connect Secure VPN devices worldwide have been compromised by attackers exploiting two zero-days with no patches currently available.
“Additional threat actors beyond UTA0178 appear to now have access to the exploit and are actively trying to exploit devices,” Volexity researchers claim.
Initial findings
Both Volexity and Ivanti revealed on January 10 that unknown attackers have been leveraging exploits for CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection vulnerability) to breach organizations and ultimately place webshells on their internal and external-facing web servers. The attacks have been going on since early December.
Organizations using Ivanti Connect Secure VPN devices were advised to implement temporary mitigations as soon as possible, check for evidence of compromise, and to boot attackers out of their systems in case they had been breached.
Soon after, Mandiant incident responders shared indicators of compromise for the custom malware used by the threat actors, which are tracked by Volexity under the alias UTA0178 and are believed to be China-sponsored hackers engaged in cyber espionage.
Over 1,700 compromised Ivanti VPN found globally
Volexity says that soon after they went public with the information, they began to detect evidence of widespread scanning by someone apparently familiar with the vulnerabilities, as well receiving reports from multiple organizations that noticed their devices had been compromised on January 11, 2024.
Those devices had been backdoored with a variant of the GIFTEDVISITOR webshell used in previously detected incidents.
The company then developed a new method of scanning for evidence of this webshell on Ivanti Connect Secure VPN devices appliances, and scanned roughly 30,000 ICS IP addresses.
“On Sunday, January 14, 2024, Volexity had identified over 1,700 ICS VPN appliances that were compromised with the GIFTEDVISITOR webshell. These appliances appear to have been indiscriminately targeted, with victims all over the world,” they noted.
“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals.”
They believe these victims have been targeted by UTA0178, but have also found evidence of attempted exploitation by other threat actors, “with noticeably poorer operational security than UTA0178.” So, it seems, the exploits have been shared or other hacking groups have managed to create their own (just as security researchers have).
What to do?
Organizations that use Ivanti Connect Secure VPN devices and Ivanti’s Policy Secure NAC solution are still urged to implement the proffered mitigation release until patches are made available.
“However, applying mitigations and patches will not resolve past compromise. It is important that organizations running ICS VPN appliances review their logs, network telemetry, and Integrity Checker Tool results (past and present) to look for any signs of successful compromise,” Volexity researchers noted.
The company has provided a guide for responding to discovered compromise.
“Where Volexity has a known contact, national CERTs have been contacted in order to notify them of victims in their constituency,” they also said, but organizations should not count on being contacted and should do their own investigation to confirm or deny a breach.
Ivanti has also published up-to-date recovery guidance.
Rapid7 has released a thorough technical analysis of how the two vulnerabilities can be exploited.
UPDATE (January 19, 2024, 12:50 p.m. ET):
The two bugs are now also being exploited to deliver crypto-miners, GreyNoise has found.
Volexity has published some new observations about the attacks, and advice for organizations on how to avoid mistakes when deploying the mitigation provided by Ivanti (to prevent their appliances being compromised again).
UPDATE (January 22, 2024, 04:55 a.m. ET):
CISA has issued an emergency directive on January 19 (Friday), requiring US federal agencies to:
- Download and import Ivanti’s “mitigation.release.20240107.1.xml” into the affected product by 11:59 pm EST on Monday January 22, 2024
- Check whether their devices have been compromised
- Report indications of compromise to the agency
- Remove compromised products from agency networks
Apply updates that address the two vulnerabilities to the affected products as they become available and no later than 48 hours after Ivanti releases them.
“One week after the issuance of this Directive, report to CISA (using the provided template) a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including details on actions taken and results,” the directive instructs.