Defensive Recommendations for Ivanti VPN Vulnerabilities
Ivanti initially disclosed two critical vulnerabilities, CVE-2023-46805 and CVE-2024-21887, in Ivanti Connect Secure (ICS) VPN, formerly Pulse Connect Secure, and Ivanti Policy Secure gateways. Used together, these vulnerabilities enable unauthenticated remote code execution: CVE-2023-46805 is an authentication bypass, and CVE-2024-21887 is a command injection in the web component. On January 31, 2024, CISA warned of two additional vulnerabilities: CVE-2024-21888, a privilege escalation vulnerability in the web component of Ivanti Connect Secure, and CVE-2024-21893, a server-side request forgery vulnerability in the SAML component of the Connect Secure VPN product. Of the two new vulnerabilities, CISA warns that CVE-2024-21893 is being actively exploited.
Investigations conducted by Mandiant and Volexity have documented adversary behavior following exploitation of these vulnerabilities. Both firms report the earliest signs of exploitation as early as December 2023. Mandiant tracks the threat actor as UNC5221, and Volexity tracks it as UTA0178. Mandiant associates the actor with an APT campaign focused on espionage; Volexity suspects the actor is linked to Chinese nation-state interests. The actor exploited the vulnerabilities to execute commands, steal data, and maintain persistent network access, demonstrating the ability to exploit zero-day vulnerabilities and effectively target edge devices.
Both Mandiant and Volexity recommend immediate application of Ivanti's mitigations and comprehensive system analysis for breach indications. The extensive use of compromised appliances for command and control, coupled with sophisticated malware, highlights the grave nature of these vulnerabilities and the capabilities of the threat actors involved. A scan initiated by Volexity on January 16, 2024, discovered an "additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the count of systems with the webshell to over 2,100. Volexity’s investigations also determined that in multiple breaches, attackers have been stealing configuration data, web logs, and database files associated with accounts, session data, and more from Ivanti Connect Secure VPN appliances."
It is also crucial that organizations understand the proper order in which to apply mitigations. Volexity reports that it has identified several instances in which organizations that had recently deployed Ivanti Connect Secure VPN appliances and initially applied mitigation measures were subsequently re-compromised. "It turns out these organizations had first applied the mitigation to protect the Ivanti Connect Secure VPN appliance, and then imported previous backup configuration files. In doing so, it appears the backup configuration negates or otherwise removes the mitigation that was put in place," Volexity explains. Any configuration restore should therefore be completed before the mitigation is applied, and the mitigation should be re-verified after any later restore.
Ivanti customers are strongly advised to maintain vigilance and closely monitor their network activity, with a particular focus on ICS VPN appliances. Ivanti released an Integrity Checker Tool (ICT) that runs on the appliance itself as a security measure. However, both Ivanti and Volexity have issued warnings regarding "evidence of threat actors attempting to manipulate" this tool. Expanding on this, Volexity explains that the threat actor's alterations "would result in the in-built Integrity Checker Tool always reporting that there were no new or mismatched files regardless of how many were identified. Administrative review of system logs would show no issues of concern." A clean verdict from a tool that runs on a possibly compromised appliance, and whose expected-file list lives on that same appliance, therefore cannot by itself establish that the device is clean. For affected organizations, the most advisable course of action is to promptly patch their devices when a patch is available.
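The failure mode Volexity describes is a checker whose verdict can be forced to "no new or mismatched files" on the box it is supposed to check. The added example below, which is not Ivanti's ICT and not code from Volexity or Mandiant, shows the shape of an integrity comparison whose baseline is held and compared off the appliance: a hash manifest of a file tree is built from a known-good image, then compared against a manifest taken from the device under review, reporting new, missing and mismatched files. The directory layout, file names and the "after compromise" changes are constructed for the demo and do not represent real Ivanti paths; `tampered_compare` is a hypothetical stand-in for a checker that ignores its inputs, included only to contrast with the real comparison.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk root and return {relative_posix_path: sha256_hex} for every regular file.

    Symlinks are skipped so a planted link cannot make the manifest hash
    something outside the tree.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, observed):
    """Diff a trusted baseline manifest against one taken from the device.

    The baseline is expected to come from a known-good image held off the
    appliance, so a compromised appliance cannot rewrite it.
    """
    new = sorted(set(observed) - set(baseline))
    missing = sorted(set(baseline) - set(observed))
    mismatched = sorted(
        p for p in baseline.keys() & observed.keys() if baseline[p] != observed[p]
    )
    return {"new": new, "missing": missing, "mismatched": mismatched}


def tampered_compare(baseline, observed):
    """Hypothetical checker after the kind of alteration Volexity describes:
    it discards its inputs and always reports a clean tree."""
    return {"new": [], "missing": [], "mismatched": []}


def demo():
    """Constructed scenario: snapshot a clean tree, alter it, re-check it.

    Returns (honest_result, tampered_result) so the two verdicts can be compared.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "lib").mkdir()
        # constructed placeholder files, not real appliance content
        (root / "cgi-bin" / "login.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "lib" / "helper.pm").write_text("package helper;\n1;\n")
        baseline = build_manifest(root)  # taken from the known-good image

        # constructed post-compromise changes: one file modified,
        # one unexpected file added, one expected file removed
        (root / "cgi-bin" / "login.cgi").write_text("#!/usr/bin/perl\n# MODIFIED\nprint 'ok';\n")
        (root / "cgi-bin" / "dropped.cgi").write_text("# constructed unauthorized file\n")
        (root / "lib" / "helper.pm").unlink()
        observed = build_manifest(root)  # taken from the device under review

        return compare_manifests(baseline, observed), tampered_compare(baseline, observed)


if __name__ == "__main__":
    honest, tampered = demo()
    print("off-box comparison:", honest)
    print("tampered on-box checker:", tampered)
```

In practice the manifest of the device under review is produced from a forensic copy or from a tool supplied and run from outside the appliance, and the baseline manifest is kept with the known-good image rather than on the device; the comparison logic itself is deliberately small so that it can be audited.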