Chinese cyber forces exploiting Ivanti flaws to target US energy and defence sectors

Target Industry

The energy and defence industry sectors within the US.

Overview

Numerous Chinese state-aligned cyber units, including Volt Typhoon, are actively exploiting three Ivanti vulnerabilities. The Cybersecurity & Infrastructure Security Agency (CISA), alongside several leading global cyber security agencies, has released warnings regarding the flaws – tracked as CVE-2023-46805 (CVSSv3.1 score: 8.2), CVE-2024-21887 (CVSSv3.1 score: 9.1), and CVE-2024-21893 (CVSSv3.1 score: 8.2) – in response to the widespread exposure of the affected products among government organisations worldwide.

Impact

The three vulnerabilities can be chained to allow malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges, compromising the integrity of data on the affected appliance in the first instance.

Vulnerability Detection

Ivanti has released security updates for the affected product versions; as such, any deployment still running a version that predates these updates remains vulnerable to exploitation.

Affected Products

The security flaws outlined within the bulletin impact all supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure gateways.

Containment, Mitigations & Remediations

It is strongly recommended that the following CISA-sanctioned mitigation strategies are implemented to limit the impact of exploitation:

  • Limit outbound internet connections from SSL VPN appliances to restrict access to required services
  • Ensure SSL VPN appliances are configured with Active Directory or LDAP authentication and use low-privilege accounts for the LDAP bind
  • Limit SSL VPN connections to unprivileged accounts
  • Maintain all operating systems, software, and firmware so that they are kept up to date
  • Secure remote access tools
  • Strictly limit the use of Remote Desktop Protocols (RDP) and other remote desktop services
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations that require administrator privileges, reducing the risk of lateral movement via PsExec
  • Require all accounts with password logins to comply with NIST’s standards for developing and managing password policies

Additionally, security patches for all three vulnerabilities are currently available.
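The following PowerShell script is an added example (not from the bulletin or the CISA advisory) that audits two of the Windows host-side mitigations listed above: UAC approval for remote PsExec administration and restriction of RDP. It assumes that the PsExec/UAC item corresponds to UAC remote restrictions, which are controlled by the LocalAccountTokenFilterPolicy registry value; the bulletin itself names no registry key, so that mapping is the example's assumption.

```powershell
# Added example: audit two host-side mitigations from the bulletin's list.
# Assumption: "UAC approval for PsExec" maps to UAC remote restrictions, i.e. the
# LocalAccountTokenFilterPolicy value (absent or 0 = restrictions enforced,
# 1 = disabled). RDP is read from fDenyTSConnections (1 = connections denied).

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # value not present
    }
}

function Test-UacRemoteRestrictions {
    $v = Get-RegistryDword `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'LocalAccountTokenFilterPolicy'
    # Absent or 0: remote logons by local administrator accounts receive a
    # filtered token, so PsExec-style remote execution cannot run with full
    # administrator rights without UAC approval.
    return ($null -eq $v -or $v -eq 0)
}

function Test-RdpDisabled {
    $v = Get-RegistryDword `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections'
    return ($v -eq 1)
}

$findings = [ordered]@{
    'UAC remote restrictions enforced (PsExec lateral movement)' = Test-UacRemoteRestrictions
    'RDP inbound connections denied'                              = Test-RdpDisabled
}

foreach ($f in $findings.GetEnumerator()) {
    $status = if ($f.Value) { 'PASS' } else { 'REVIEW' }
    '{0,-7} {1}' -f $status, $f.Key
}

# To enforce the UAC remote restrictions (run from an elevated session):
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
#     -Name 'LocalAccountTokenFilterPolicy' -Value 0 -Type DWord
```

A REVIEW result for RDP is expected on hosts where RDP is intentionally enabled; the check only highlights where the bulletin's "strictly limit" guidance should be confirmed against firewall rules and group membership.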

Indicators of Compromise

A comprehensive list of validated Indicators of Compromise (IoCs) can be found within the CISA Advisory.

Threat Landscape

Ivanti occupies a significant portion of the mobile-device-management market share. Given that threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to focus on, related products will likely emerge as a prime target. Because Ivanti products have become an integral part of business operations, threat actors will continue to exploit the associated vulnerabilities in an attempt to exfiltrate the sensitive data contained therein.

Threat Actor Profile

Volt Typhoon has been active since at least 2021 and primarily targets US government and defence organisations for intelligence-gathering purposes. The advanced persistent threat (APT) unit exploits vulnerable internet-facing servers to gain initial access and typically deploys a web shell for persistence. Volt Typhoon has demonstrated careful consideration for operational security such as the use of living-off-the-land binaries, defence evasion techniques, and compromised infrastructure to prevent detection and attribution of their intrusion activity, and to blend in with legitimate network activity.

We have assessed with moderate confidence that Volt Typhoon is operating on behalf of the People’s Republic of China (PRC), an assessment that is based on victimology that aligns with PRC intelligence requirements, and tradecraft overlap with other state-sponsored Chinese threat actors.

MITRE Methodologies

Common Weakness Enumeration Classifications

CVE-2023-46805: CWE-287 – Improper Authentication

CVE-2024-21887: CWE-77 – Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

CVE-2024-21893: CWE-918 – Server-Side Request Forgery (SSRF)

Further Information

CISA Advisory