Five Eyes Agencies Warn of Ongoing Exploitation of Ivanti Connect Secure and Policy Secure Flaws
The Five Eyes Cybersecurity Agencies have issued a warning that previously disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways are being actively exploited by multiple threat actors and have been since early December 2023.
The flaws – CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 – affect all supported versions (9.x and 22.x) and can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. According to the alert, Ivanti’s internal and previous external Integrity Checker Tool (ICT) failed to detect malicious activity associated with exploitation. CISA demonstrated in a test environment that the ICT is not sufficient to detect compromise and that it is possible to gain root-level persistence despite issuing factory resets.
Alphabet’s Mandiant has been investigating the exploitation of the zero day vulnerabilities and said the exploitation had likely impacted thousands of devices across multiple industry verticals. Some of those attacks were linked with a suspected Chinese cyber espionage group it tracks as UNC5325. The threat actor used living-of-the-land techniques and novel malware to achieve persistence. Mandiant said the patches released by Ivanti are effective at preventing exploitation, provided UNC5325 did not exploit the vulnerability before the patches were applied. Mandiant said UNC5325 has maintained access even after customers have initiated factory resets, patching, and applying the recommended security updates.
The Five Eyes agencies recommend that network defenders assume that user and service account credentials stored in affected Ivanti VPN appliances are likely compromised and should hunt for malicious activity using the detection mechanisms and IoCs details in its alert, and should also run the latest version of Ivanti’s external ICT. If the vulnerabilities have yet to be patched, network defenders should ensure they are applied as soon as possible and should follow the recommendations detailed in the latest Ivanti security advisory. Ivanti has updated its security blog, which provides further information on its enhanced external integrity checking tool, and Mandiant recommends following the guidance provided in its updated Ivanti Connect Secure Hardening Guide.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Ivanti has disputed the findings of CISA, claiming that the method devised by CISA has not been seen in the wild to date and would not succeed in a production environment. “We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat. To be clear, 29 February advisory does not contain information on a new vulnerability, and Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti,” a spokesperson for Ivanti told the HIPAA Journal. “Ivanti, Mandiant, CISA and the other JCSA authoring organizations continue to recommend that defenders apply available patching guidance provided by Ivanti if they haven’t done so already, and run Ivanti’s updated Integrity Checker Tool (ICT), released on 27 February, to help detect known attack vectors, alongside continuous monitoring.”
