
Feds Issue Warning Over Ivanti Cybersecurity Vulnerabilities

Ivanti, which has verified the cybersecurity issues with its own investigation, is working to release patches and mitigations, but in the meantime there are precautions that users can take.

Federal cybersecurity authorities are worried about several zero-day vulnerabilities in gateways from IT company Ivanti.

An investigation by Ivanti has verified the issues, the company said, and it is working to release patches and mitigations. Hackers can exploit two newly found flaws to take over affected systems, warned the Cybersecurity and Infrastructure Security Agency (CISA). Threat actors have also been exploiting flaws to steal credentials or drop webshells that set them up to conduct further compromises.

CISA has ordered federal civilian executive branch agencies to disconnect all the affected Ivanti solutions from their networks. It has also told agencies to search and monitor for potential malicious activity related to the vulnerabilities and apply upgrades, among other response efforts. And while CISA cannot extend its emergency order to all users, the federal cybersecurity agency said it “strongly encourages all organizations” to review that guidance and follow the parts relevant to them.

The issues specifically affect Ivanti Connect Secure and Policy Secure gateways. Ivanti Connect Secure is a VPN to help remote users connect to their organization’s resources. Policy Secure is a network access control solution.

There are things users can do to mitigate related risks. Ivanti has announced that a relevant patch is available. The company also provided mitigations for those awaiting patches. Ivanti also recommended doing a factory reset before applying a patch.

CISA, meanwhile, also advised organizations running at-risk Ivanti products to conduct continuous threat hunting. They should also keep threat hunting even after patches, to potentially catch pre-existing compromises. Organizations should also monitor any account usage, authentication and identity management services that may have been exposed to impacted devices and isolate them from other systems and assets, if they can.

The cybersecurity company Volexity — which actually reported signs of suspicious activity from a customer’s Ivanti Connect Secure VPN appliance in early December 2023 — has determined that hackers were exploiting two zero-days now known as CVE-2023-46805 and CVE-2024-21887. The former is an authentication bypass vulnerability and the latter is a command injection vulnerability.

Hackers attacking the Volexity customer also deployed malware to steal credentials, which they then used to move between systems. The attackers compromised additional user credentials in each newly breached system.

Volexity noted that these events indicate a cyber attack trend:

“Internet-accessible systems, especially critical devices like VPN appliances and firewalls, have once again become a favorite target of attackers. These systems often sit on critical parts of the network, cannot run traditional security software, and typically sit at the perfect place for an attacker to operate. Organizations need to make sure they have a strategy in place to be able to monitor activity from these devices and quickly respond if something unexpected occurs.”

Google-owned cybersecurity company Mandiant says it cannot yet identify a threat actor, but suspects the attackers intended to linger on systems long term and conduct espionage. Mandiant believes “with moderate confidence” that the attackers may be based in China.

Finally, Ivanti predicts that there will be a “sharp increase” in attackers exploiting some of the issues now that vulnerability info is public.

FIND OUT MORE


  • Learn more and find current patches and mitigations from Ivanti here
  • Find Volexity’s blog post about the incident and its advice here
  • Read Mandiant’s blog on the events here
  • CISA’s recommendations are here