Purpose
The purpose of this bulletin is to address two recently disclosed zero-day vulnerabilities present in Ivanti Connect Secure, formerly known as Pulse Connect Secure, and Ivanti Policy Secure Gateways. These vulnerabilities allow threat actors to bypass authentication in the web component of the affected Ivanti products (CVE-2023-46805), then to perform command injection (CVE-2024-21887).
Exploitation of these vulnerabilities would enable an unauthenticated attacker to compromise internet-facing devices leading to initial access into internal networks.
As these products are used as Virtual Private Networks (VPNs) to connect remotely into organisations, they are likely to be exposed to the internet and present a high-value target for threat actors.
These vulnerabilities affect all supported versions of both products (versions 9.x and 22.x).
The Triskele Labs team advises that all organisations using this system should patch immediately.
Ivanti, the software vendor, and Volexity, the organisation that discovered the flaws, have observed active exploitation of these vulnerabilities in the wild. Threat actors have used these vulnerabilities to gain initial access to internal networks, leading to data exfiltration.
As such, Triskele Labs recommends investigating any internet-facing Ivanti devices to look for Indicators of Compromise (IOCs). Currently known IOCs are listed at the end of this bulletin.
Details
In mid-December 2023, security firm Volexity investigated suspicious indicators within a client network. This led to the discovery of a compromise and the uncovering of two zero-day vulnerabilities having been exploited by a threat actor for initial access to the client network.
The vulnerabilities were tracked as CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Command Injection) and disclosed to the vendor, Ivanti, for a security patch to be released.
On 10 Jan 2024, Ivanti released an advisory along with a security patch to remediate these flaws.
According to the Ivanti advisory:
These vulnerabilities affect all supported versions of the Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways. Specifically, this encapsulates versions 9.x and 22.x.
While individually these vulnerabilities pose a significant threat, collectively they can be used by an unauthenticated attacker to exploit devices exposed to the internet, such that the attacker gains remote access to the device and can execute commands.
This attack vector allows the malicious actor to be in such a position that they can then pivot internally and compromise organisation networks.
The criticality of this bulletin stems from the fact that the affected Ivanti appliances are actively used as VPNs to allow remote access to an internal network and, as such, are high-value targets for threat actors, as they are likely to provide access to internal networks from the internet once exploited.
Currently, Volexity attributes exploitation of these vulnerabilities to a threat group tracked as UTA0178 - a Chinese nation-state-level threat actor.
As such, attacks until now have been specifically targeted. However, now that these flaws are in the public domain, it is likely that threat actors focused on mass exploitation (such as ransomware groups) will create automated exploits for these vulnerabilities to affect the many organisations that utilise these products. Remediation of these flaws through patching is crucial.
Mitigation Actions
Triskele Labs recommends following the Ivanti remediation advice to install the relevant security patches as described here:
As these vulnerabilities are zero-days which have been exploited in-the-wild, Triskele Labs recommends investigating Ivanti products to look for IOCs.
The Volexity bulletin describes post-exploitation IOCs discovered during their investigation in the “Incident Investigation” section of the following blog post:
Specifically, organisations should check for the existence or modification of the following files/artefacts on Ivanti devices:
Several of the above files may be legitimate, however the threat actor was observed to have modified them for malicious purposes.
Modification of these files can be checked using the Ivanti Integrity Checking Tool, found here:
Please note that the Integrity Checker Tool will reboot the appliance, thereby overwriting memory. As such, if there are clear and obvious IOCs Triskele Labs recommends collecting memory artefacts first, then running the tool.
Volexity also observed the threat actor creating and executing several files in the following locations:
Organisations should check for the existence of these files, which may indicate compromise.
Further information about the malicious files discovered and the use of the Ivanti Integrity Checking Tool is available at the aforementioned Volexity blog post.
Detection Capabilities
Unfortunately, the exploits currently being used in-the-wild do not generate log entries on Ivanti devices, even with the Unauthenticated Request setting enabled.
This means it is not possible to tell from logs if the server has been exploited. As such, monitoring of logs for suspicious activity is not possible.
Triskele Labs DefenceShield customers with Monitor (our 24x7x365 Managed Detection and Response service) that we know are utilising Ivanti devices are being monitored closely, with analysts on high alert for suspicious activity.
If you would like to notify Triskele Labs of the use of Ivanti devices, or if you would like assistance with investigation of affected devices for post-compromise IOCs, please don’t hesitate to reach out.
References used for the generation of this release: