Ivanti Users Face Urgent Security Threat from VPN Vulnerabilities

Ivanti disclosed two critical vulnerabilities, CVE-2023-46805 and CVE-2024-21887, in Ivanti Connect Secure (ICS) VPN, formerly Pulse Connect Secure, and Ivanti Policy Secure gateways. These vulnerabilities used together enable unauthenticated remote code execution, CVE-2023-46805 allows for authentication bypass, while CVE-2024-21887 facilitates command injection in web components. In response, Ivanti issued a mitigation file and is developing patches. Customers are urged to apply these mitigations immediately and utilize the Ivanti Integrity Checker Tool (ICT) for detecting potential compromises. Patches are slated to be released during the week of January 22 and Ivanti notes "supported versions will be released in a staggered schedule," in their advisory.

Investigations conducted by Mandiant and Volexity have revealed active exploitation of these vulnerabilities, offering insights into adversary objectives and behaviors. Earliest signs of exploitation are reported by both security firms to have occurred since December 2023. Mandiant identifies the threat actor as UNC5221, and Volexity tags them as UTA0178. Mandiant attributes the threat actor to be associated with an APT campaign focused on espionage. Volexity's attribution suspects the actor to be linked to Chinese nation-state interests. This threat actor adeptly exploited vulnerabilities to execute commands, steal data, and maintain persistent network access, demonstrating their ability to exploit zero-day vulnerabilities and target edge devices effectively.

Volexity's findings the threat actors demonstrated a blend of "living off the land" tactics and deployment of specialized malware, primarily focusing on credential harvesting and lateral movement within networks. Once they gained access through the ICS VPN appliance, their strategy involved using compromised credentials to access various systems, further compromising user credentials on each new system. They employed techniques such as utilizing Task Manager to dump the LSASS process memory, thereby extracting credentials for offline analysis. Additionally, they accessed and exploited Virtual Hard Disk backups, including domain controller backups, to extract sensitive Active Directory databases. The attackers also manipulated JavaScript on the Web SSL VPN login page to capture login credentials. Beyond these activities, their operations included reconnaissance within the network, assessing user files and system configurations, and deploying webshells for persistent access and command execution. This approach underscores the sophistication and stealth of their infiltration and network exploration strategies.

Mandiant's analysis identified five malware families linked to UNC5221's exploitation of ICS VPN devices: ZIPLINE, a passive backdoor; THINSPOOL, a shell script dropper; LIGHTWIRE and WIREFIRE web shells; and WARPWIRE, a Javascript credential harvester. These tools facilitated authentication bypass, backdoor access, and credential capture for expanded network exploitation. "The LIGHTWIRE and WIREFIRE web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances. This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high-priority targets that it compromised after a patch was inevitably released," Mandiant explains.

Both Mandiant and Volexity recommend immediate application of Ivanti's mitigations and comprehensive system analysis for breach indications. The extensive use of compromised appliances for command and control, coupled with sophisticated malware, highlights the grave nature of these vulnerabilities and the capabilities of the threat actors involved. Adding to the severity, The Record reported over 1,700 devices globally exploited since Ivanti's public notification on January 10. Victims range from small businesses to Fortune 500 companies across various sectors.

Ivanti customers are strongly advised to maintain vigilance and closely monitor their network activities, with a particular focus on ICS VPN appliances. Initially, Ivanti released an internal integrity checker (ICT) as a security measure. However, both Ivanti and Volexity have issued warnings regarding "evidence of threat actors attempting to manipulate" this tool. Expanding on this, Volexity explains that the threat actor's alterations "would result in the in-built Integrity Checker Tool always reporting that there were no new or mismatched files regardless of how many were identified. Administrative review of system logs would show no issues of concern." For affected organizations, the most advisable course of action is to promptly patch their devices when available.