On January 10, 2024, Ivanti disclosed two zero day vulnerabilities in Ivanti Connect Secure VPN and Policy Secure NAC appliances that have been actively exploited since December. The vulnerabilities were identified by security researchers at Volexity. According to the researchers, the vulnerabilities were exploited to deliver custom malware tools for espionage purposes. At the time, Ivanti said only a small number of customers had been targeted.
The Ivanti Connect Secure vulnerabilities are tracked as CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 is a high-severity authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure and allows an unauthenticated remote attacker to bypass security controls and access restricted resources. The vulnerability has a CVSS v3.1 score of 8.2. The second vulnerability is a critical command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. The flaw allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. The vulnerability has a CVSS v 3.1 score of 9.1.
Ivanti said it is essential to take immediate action to mitigate these vulnerabilities. Patches will be rolled out this month in a staggered schedule, with the first patch due to be released in the week of January 22, 2024. The final version is due for release in the week of February 19, 2024. In the meantime, Ivanti has suggested a workaround that can be applied to prevent exploitation of the vulnerabilities.
Mandiant has been investigating the attacks and has attributed them to a threat actor tracked as UNC5221. After exploiting the vulnerabilities, several post-compromise tools were delivered including a backdoor, dropper, PySoxy tunneler, credential harvesting tool, and two webshells. The attacks appear to have been conducted by an Advanced Persistent Threat (APT) actor for espionage purposes. While Mandiant has not attributed these attacks to any nation-state hacking group, Volexity has found some evidence that suggests the attacks are being conducted by a Chinese-state-sponsored threat actor.
Users of the affected products are now at even greater risk as the vulnerabilities are now being mass exploited, and have been since January 11, 2023, a day after Ivanti publicly disclosed the vulnerabilities. Initially, an APT actor was attacking high-value targets, but now that several different threat groups are exploiting the vulnerabilities, all users of the affected products are at risk. Attacks have been conducted across multiple industry verticals, from small businesses to Fortune 500 firms. According to Ivanti, more than 1,700 ICS VPN appliances had been indiscriminately attacked and have had a GIFFEDVISITOR webshell deployed.
Any user of the affected products should apply the workaround immediately to prevent exploitation of the flaw.