Action strongly recommended for utilities that use the affected versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways
What’s new:
- As anticipated, the exploitation of Ivanti Connect Secure has become widespread. Volexity has identified at least 1,700 devices over the weekend that have been compromised. Likewise, additional threat actors/groups have been observed exploiting the vulnerabilities.
- Victims vary from small businesses to very large organizations and impacted verticals include government, military installations, telecommunications, and more.
- Ivanti still expects to release patches on a rolling schedule between the weeks of January 22 – February 19, 2024.
- Volexity noted the use of an additional webshell – GIFTEDVISITOR – which appears to be a modified component within Connect Secure.
What to do:
- System and network administrators are highly encouraged to immediately apply the current workaround in Ivanti's security update.
- Run the Integrity Checker Tool provided by Ivanti.
- Given the potential for the deployment of webshells, administrators are encouraged to look for indicators of compromise identified by Volexity.
- If the Integrity Checker Tool detects a compromise, follow the “Responding to Compromise” section of Volexity’s recent blog post.
- Volexity noted that adversaries have been observed wiping logs and/or disabling logging on target devices. Administrators should verify that logging is still enabled and review device logs for unexplained gaps.
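Because an adversary with a foothold on the appliance can erase its local logs, the practical check for the log-wiping behavior above is performed on a copy of the logs that the device has already forwarded off-box. The script below is an added example, not part of the WaterISAC advisory or of any Ivanti or Volexity tooling: it assumes the appliance sends its events to a syslog collector, takes a constructed sample of forwarded lines (illustrative only, not real Ivanti Connect Secure output), and flags any silence longer than a configurable threshold as well as a stream that has gone quiet entirely, both of which are consistent with logging having been disabled or events having been deleted.

```python
"""Flag silence in a VPN appliance's forwarded log stream.

Added example (not from the WaterISAC advisory, Ivanti or Volexity).
Assumes the appliance forwards syslog to an off-box collector whose copy
the attacker cannot wipe. SAMPLE_LOG is constructed for illustration and
does not reproduce real Ivanti Connect Secure log output.
"""
from datetime import datetime, timezone

# Constructed sample: steady activity, then about two and a half hours of
# silence before events resume. Hostname and addresses are illustrative.
SAMPLE_LOG = """\
2024-01-15T01:00:00Z ics-vpn01 - - - Login succeeded for user alice from 203.0.113.10
2024-01-15T01:04:12Z ics-vpn01 - - - Session established for user alice
2024-01-15T01:09:45Z ics-vpn01 - - - Login succeeded for user bob from 198.51.100.7
2024-01-15T03:40:03Z ics-vpn01 - - - Login succeeded for user carol from 192.0.2.44
2024-01-15T03:44:30Z ics-vpn01 - - - Session established for user carol
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp layout of the forwarded lines


def parse_timestamp(text):
    """Parse one RFC 3339 UTC timestamp such as 2024-01-15T01:00:00Z."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_timestamps(log_text):
    """Return the timestamp of every non-empty line, in the order received."""
    stamps = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamps.append(parse_timestamp(line.split(" ", 1)[0]))
    return stamps


def find_gaps(stamps, max_gap_seconds=1800):
    """Return (start, end, seconds) for each silence longer than max_gap_seconds.

    The 30-minute default is an assumption; tune it to the device's normal
    event rate so that routine quiet periods do not alert.
    """
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        silence = int((later - earlier).total_seconds())
        if silence > max_gap_seconds:
            gaps.append((earlier.strftime(TS_FORMAT), later.strftime(TS_FORMAT), silence))
    return gaps


def logging_stale(stamps, now_text, max_silence_seconds=1800):
    """True when no event has arrived within max_silence_seconds of `now`.

    A stream that simply stops is what disabled logging looks like from the
    collector's side; an empty stream is treated as stale as well.
    """
    now = parse_timestamp(now_text)
    return not stamps or (now - stamps[-1]).total_seconds() > max_silence_seconds


if __name__ == "__main__":
    stamps = parse_timestamps(SAMPLE_LOG)
    for start, end, seconds in find_gaps(stamps):
        print(f"gap of {seconds}s between {start} and {end}")
    print("stream stale:", logging_stale(stamps, "2024-01-15T05:00:00Z"))
```

Run against the collector's copy of the appliance logs rather than the device's own log store; a gap or a stale stream is a prompt to run the Integrity Checker Tool and the Volexity IOC review, not proof of compromise on its own.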
NEW Related Resources
- Volexity Blog Post: Ivanti Connect Secure VPN Exploitation Goes Global
- BleepingComputer: Ivanti Connect Secure zero-days now under mass exploitation
- SANS Internet Storm Center: Scans for Ivanti Connect "Secure" VPN Vulnerability (CVE-2023-46805, CVE-2024-21887)
January 11, 2024
What is the issue:
- Threat actors are actively exploiting two vulnerabilities (CVE-2023-46805 and CVE-2024-21887) affecting all supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways.
- There are currently no patches available, but Ivanti has released a workaround to be applied immediately until the patches are available. Please visit Ivanti’s Security Advisory for mitigation instructions: CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Ivanti expects to release patches on a rolling schedule between the weeks of January 22 – February 19, 2024.
Why is this important:
- While exploitation is currently reported to be limited and no exploit code is publicly available, the public disclosure of zero-day vulnerabilities in a widely used network perimeter product before patches are available is likely to draw the interest and attention of additional threat actors.
- According to a December 2023 investigation by Volexity, the two vulnerabilities (the authentication bypass followed by the command injection) were chained to gain initial access, deploy webshells (GLASSTOKEN), backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.
- GLASSTOKEN was found on both internet-facing and internal assets.
- Background: Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances have historically been targeted for exploitation across various critical infrastructure sectors, including water and wastewater. Prior WaterISAC reporting: Pulse Connect Secure (PCS) SSL VPN - Vulnerability Exploitation Activity - Updated July 22, 2021.
What to do:
- System and network administrators are highly encouraged to immediately apply the current workaround in Ivanti's security update.
- Given the potential for the deployment of webshells, administrators are encouraged to look for indicators of compromise identified by Volexity.
- Volexity noted that adversaries have been observed wiping logs and/or disabling logging on target devices. Administrators should verify that logging is still enabled and review device logs for unexplained gaps.
Related Resources
- CISA Alert: Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways
- CISA Alert: CISA Adds Two Known Exploited Vulnerabilities to Catalog
- Ivanti Advisory: CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Ivanti KB Article: KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Ivanti Blog Post: Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Volexity Blog: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- Rapid7 Blog: Zero-Day Exploitation of Ivanti Connect Secure and Policy Secure Gateways
- Tenable Blog: CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways