Ivanti discloses zero-day vulnerabilities under active exploit

Target Industry

Targeted – sectors not disclosed.

Overview

Following the release on Monday 8th January 2024 of patches to remediate a critical remote code execution (RCE) vulnerability in its Endpoint Manager software, Ivanti disclosed on 10th January 2024 two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways. Tracked as CVE-2023-46805 (CVSSv3.1 score 8.2), an authentication bypass, and CVE-2024-21887 (CVSSv3.1 score 9.1), a command injection, the two flaws chain to give an unauthenticated threat actor the ability to craft malicious requests and execute arbitrary commands.

Impact

Investigations of impacted organisations have reported logging being disabled, unfettered access to and lateral movement within victim networks, keylogging, command execution, manipulation of configuration, remote file download, and credential theft.

Vulnerability Detection

Ivanti has stated that patches will be released on a staggered schedule, with the first version targeted for availability the week of 22nd January and the final version the week of 19th February. In the intervening period, Ivanti has released details of mitigation measures to help protect organisations from exploitation. These instructions can be located here.

Ivanti provides an integrated integrity checker tool for ICS components. However, investigators have observed the tool being tampered with in order to evade detection. It is therefore NOT recommended that results from the integrated integrity checker be relied upon as a detection mechanism.

Affected Products

Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure

Indicators of Compromise

Indicators of Compromise (IoCs) have been publicly released by Ivanti; however, Ivanti states that IoCs will be shared with customers that have confirmed impact in order to assist in their forensic investigations.

Some IP addresses and hostnames, along with YARA rules for detecting some of the malicious implants, have been released by investigating organisations. Released IP addresses and hostnames (defanged) include:

206.189.208[.]156

gpoaccess[.]com

webb-institute[.]com

symantke[.]com

75.145.243[.]85

47.207.9[.]89

98.160.48[.]170

173.220.106[.]166

73.128.178[.]221

50.243.177[.]161

50.213.208[.]89

64.24.179[.]210

75.145.224[.]109

50.215.39[.]49

71.127.149[.]194

173.53.43[.]7

Containment, Mitigations & Remediations

It is strongly recommended that organisations review their systems against the IoCs. If detections are identified, the system should be isolated but left powered on, in order to facilitate the collection of forensic images, and the organisation should follow its incident response procedures to identify the impact and any persistence mechanisms the threat actor may have left behind. If no IoCs are identified, organisations should implement the mitigations defined by Ivanti as soon as possible.
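The review against IoCs recommended above can be scripted. The following is an added example, not part of this bulletin or of Ivanti's tooling: it refangs the indicators listed in the Indicators of Compromise section, splits them into IP and hostname sets, and scans log lines for either an exact match or a subdomain of a listed hostname. The log lines are constructed for illustration and the log format is assumed; point `scan_lines` at real gateway, proxy or DNS logs instead.

```python
"""Scan log lines for the IP and hostname IoCs listed in this bulletin.

Added example, not part of the original bulletin or Ivanti's tooling.
The indicator values are the defanged ones listed in the bulletin; the
sample log lines are constructed and their format is assumed.
"""
import ipaddress
import re

# Defanged indicators exactly as listed in the bulletin.
BULLETIN_IOCS = [
    "206.189.208[.]156", "gpoaccess[.]com", "webb-institute[.]com",
    "symantke[.]com", "75.145.243[.]85", "47.207.9[.]89",
    "98.160.48[.]170", "173.220.106[.]166", "73.128.178[.]221",
    "50.243.177[.]161", "50.213.208[.]89", "64.24.179[.]210",
    "75.145.224[.]109", "50.215.39[.]49", "71.127.149[.]194",
    "173.53.43[.]7",
]

# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = [
    "2024-01-12T03:14:07Z gw01 web: GET /index.html src=206.189.208.156",
    "2024-01-12T03:14:09Z gw01 dns: query A cdn.gpoaccess.com from 10.10.4.20",
    "2024-01-12T03:15:00Z gw01 web: GET /index.html src=192.0.2.44",
    "2024-01-12T03:16:21Z gw01 proxy: CONNECT symantke.com:443 user=svc-backup",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b",
    re.I,
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://x[.]com') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify(indicator: str) -> str:
    """Return 'ip' for an IPv4/IPv6 literal, otherwise 'domain'."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def build_ioc_sets(defanged):
    """Refang the bulletin's indicators and split them into (ips, domains) sets."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw).lower()
        (ips if classify(value) == "ip" else domains).add(value)
    return ips, domains


def scan_lines(lines, ips, domains):
    """Return (line_no, indicator, line) for every line that references a known IoC.

    Hostname matching also catches subdomains of a listed domain, so
    'cdn.gpoaccess.com' is reported as a hit against 'gpoaccess.com'.
    """
    hits = []
    for no, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((no, ip, line))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits.append((no, host, line))
    return hits


def scan_sample():
    """Run the scan over the constructed sample lines."""
    ips, domains = build_ioc_sets(BULLETIN_IOCS)
    return scan_lines(SAMPLE_LOGS, ips, domains)


if __name__ == "__main__":
    for no, indicator, line in scan_sample():
        print(f"line {no}: IoC {indicator} -> {line}")
```

A hit from this scan is a trigger for the isolation and forensic collection steps described above, not proof of compromise on its own; shared or recycled infrastructure can produce matches that need confirmation against the rest of the host's evidence.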

Threat Landscape

Some of the infrastructure used in the exploitation has been tied to an unidentified Chinese nation-state threat actor. This means that the compromises currently observed are likely to be non-destructive to data. However, given the disclosure of the vulnerabilities, the staggered patch release cycle and the level of access that successful exploitation grants, other actors are likely to follow very rapidly with their own targeting and objectives.

The previously reported CVE-2023-39336 was disclosed following the detection of state-sponsored operations exploiting two zero-day flaws in Q3 2023 (CVE-2023-35078 and CVE-2023-35081). In that instance, the threat actor's objective was to infiltrate Norwegian government networks.

Ivanti products have been assessed to be attractive targets for sophisticated threat actor groups due to the potential for elevated access to high-profile government and private sector networks. As such, it is crucial that users of Ivanti products apply the relevant security updates as a matter of urgency.

Threat Actor

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0002 – Execution

T1608.001 – Stage Capabilities: Upload Malware

T1056.001 – Input Capture: Keylogging

TA0006 – Credential Access

TA0005 – Defence Evasion

TA0008 – Lateral Movement

Further Information

Ivanti Support

Ivanti Advisory

Ivanti Blog