Trending Threat: Defensive Recommendations for Ivanti VPN Vulnerabilities

Source: CISA, Ivanti, Mandiant & Volexity

Ivanti initially disclosed two critical vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure (ICS) VPN, formerly Pulse Connect Secure, and Ivanti Policy Secure gateways. CVE-2023-46805 is an authentication bypass and CVE-2024-21887 is a command injection in web components; chained together, they allow unauthenticated remote code execution on the appliance. On January 31, 2024, CISA warned of two additional vulnerabilities: CVE-2024-21888, a privilege escalation vulnerability in the web component of Ivanti Connect Secure, and CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in the SAML component of Connect Secure. Of the two newer vulnerabilities, CISA reported active exploitation of CVE-2024-21893.

Investigations by Mandiant and Volexity have documented the adversary's behavior following exploitation of these vulnerabilities. Both firms report the earliest signs of exploitation dating to December 2023. Mandiant tracks the threat actor as UNC5221 and Volexity as UTA0178. Mandiant assesses the activity as an espionage-focused APT campaign, while Volexity suspects the actor is linked to Chinese nation-state interests. The actor used the vulnerabilities to execute commands, steal data, and maintain persistent network access, demonstrating its ability to exploit zero-day vulnerabilities and to target edge devices effectively.

According to Volexity's findings, the threat actor combined "living off the land" tactics with purpose-built malware, focusing primarily on credential harvesting and lateral movement within the network. After gaining access through the ICS VPN appliance, the actor used compromised credentials to reach other systems and harvested further credentials from each new system it touched. Techniques included using Task Manager to dump LSASS process memory for offline credential extraction, and accessing Virtual Hard Disk backups, including domain controller backups, to extract the Active Directory database. The actor also modified the JavaScript on the Web SSL VPN login page so that credentials were captured as users logged in. Beyond this, the operations included internal reconnaissance, review of user files and system configurations, and deployment of webshells for persistent access and command execution.

Mandiant's analysis identified five malware families linked to UNC5221's exploitation of ICS VPN devices: ZIPLINE, a passive backdoor; THINSPOOL, a shell script dropper; LIGHTWIRE and WIREFIRE, both web shells; and WARPWIRE, a JavaScript credential harvester. Together these tools provided authentication bypass, backdoor access, and credential capture that the actor used to expand into the network. "The LIGHTWIRE and WIREFIRE web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances. This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high-priority targets that it compromised after a patch was inevitably released," Mandiant explains.

Both Mandiant and Volexity recommend immediately applying Ivanti's mitigations and thoroughly analyzing the appliance and the surrounding network for indications of compromise. The widespread use of compromised appliances for command and control, combined with purpose-built malware, highlights the severity of these vulnerabilities and the capability of the actors involved. A scan initiated by Volexity on January 16, 2024, discovered an "additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the count of systems with the webshell to over 2,100. Volexity’s investigations also determined that in multiple breaches, attackers have been stealing configuration data, web logs, and database files associated with accounts, session data, and more from Ivanti Connect Secure VPN appliances."

It is also crucial that organizations understand the proper order in which to apply mitigations. Volexity reports having identified several instances in which organizations that had recently deployed Ivanti Connect Secure VPN appliances and initially applied the mitigation were subsequently re-compromised. "It turns out these organizations had first applied the mitigation to protect the Ivanti Connect Secure VPN appliance, and then imported previous backup configuration files. In doing so, it appears the backup configuration negates or otherwise removes the mitigation that was put in place," Volexity explains.

Ivanti customers are strongly advised to remain vigilant and closely monitor network activity, with particular attention to ICS VPN appliances. Ivanti released an internal Integrity Checker Tool (ICT) as a security measure; however, both Ivanti and Volexity have warned of "evidence of threat actors attempting to manipulate" this tool. Volexity explains that the threat actor's alterations "would result in the in-built Integrity Checker Tool always reporting that there were no new or mismatched files regardless of how many were identified. Administrative review of system logs would show no issues of concern." For affected organizations, the most advisable course of action is to patch their devices promptly as patches become available.
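Two of the appliance-side manipulations described above, the login-page JavaScript altered to capture credentials and the built-in Integrity Checker Tool altered to always report a clean result, share one lesson: a check that runs on the compromised box, against a baseline stored on the same box, can be made to lie. The Python below is an added example, not Ivanti's ICT and not code from Mandiant or Volexity. It baselines a file tree into a manifest authenticated with a key held off the appliance, then compares a later snapshot independently; the file names, the signing key and the simulated post-compromise changes (a modified login script and a dropped webshell stand-in) are constructed for the demonstration.

```python
"""Off-box file-integrity comparison for an appliance file tree.

Added illustration, not Ivanti's Integrity Checker Tool (ICT) and not code
from Mandiant or Volexity. File names, the signing key and the simulated
post-compromise changes are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption: the key and the signed baseline live off the appliance, so an
# actor with root on the box cannot re-sign a manifest that blesses their files.
MANIFEST_KEY = b"constructed-offbox-key-for-demo"


def hash_tree(root):
    """SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(hashes):
    """Wrap a hash map in a manifest authenticated with HMAC-SHA256."""
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"files": hashes, "mac": hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest):
    """Reject a baseline that was edited after signing (e.g. to add a webshell's hash)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def compare(baseline, current):
    """Independent comparison: report new, missing and modified files."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "mismatched": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def tampered_onbox_check(baseline, current):
    """Models the alteration Volexity described: the on-box tool still scans,
    but reports no new or mismatched files regardless of what it found."""
    compare(baseline, current)  # result discarded by the tampered tool
    return {"new": [], "missing": [], "mismatched": []}


def demo():
    """Baseline a constructed tree, apply constructed post-compromise changes, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "htdocs").mkdir()
        (root / "bin").mkdir()
        login_js = root / "htdocs" / "login.js"
        login_js.write_text("function submitLogin(f) { return true; }\n")
        (root / "bin" / "check").write_text("#!/bin/sh\necho clean\n")

        baseline = sign_manifest(hash_tree(root))  # taken from a known-good install

        # Constructed stand-ins for the behaviour described above: credential-capturing
        # code added to the login script, and a new CGI file dropped as a webshell.
        login_js.write_text(
            "function submitLogin(f) { fetch('/c?u=' + f.username.value + '&p=' + f.password.value); return true; }\n"
        )
        (root / "htdocs" / "shell.cgi").write_text("#!/bin/sh\n# constructed webshell stand-in\n")
        current = hash_tree(root)

        # An actor who also edits the stored baseline to bless shell.cgi breaks the MAC.
        forged = {
            "files": dict(baseline["files"], **{"htdocs/shell.cgi": current["htdocs/shell.cgi"]}),
            "mac": baseline["mac"],
        }

        return {
            "manifest_ok": verify_manifest(baseline),
            "forged_manifest_ok": verify_manifest(forged),
            "independent": compare(baseline["files"], current),
            "onbox": tampered_onbox_check(baseline["files"], current),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run stand-alone it prints the two verdicts side by side: the independent comparison lists `htdocs/shell.cgi` as new and `htdocs/login.js` as mismatched, while the tampered on-box check reports nothing, and the forged manifest fails verification. The design point is that both the baseline and the comparison logic must be trusted independently of the device being checked; in practice that means hashing from a mounted image or a known-good copy rather than trusting output produced by a tool on the appliance itself.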
