Increased Threat Activity Targeting Ivanti Vulnerabilities

A recent surge in activity targeting Ivanti Connect Secure (ICS) involves chaining two vulnerabilities that give threat actors the ability to execute arbitrary commands remotely.
Jason Hill
2 min read
Last updated March 20, 2024

Varonis Threat Labs has seen a recent surge in threat actor activity targeting Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure VPN gateways.

The incidents involve chaining two vulnerabilities — CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection vulnerability — that lead to threat actors gaining the ability to remotely execute arbitrary commands.

Details of these vulnerabilities were publicly disclosed on January 10, 2024, and were quickly followed by the release of proof-of-concept (POC) code (POC 1, POC 2) as exploit modules for the popular Metasploit attack framework.

Initial reports indicate that a threat actor began exploiting targets as early as December 2023, with increased activity continuing as more cybercriminals incorporate these exploits and techniques into their attack toolsets.

This information, coupled with a recent Shodan query that indicates that nearly thirty thousand appliances might be online, underscores the need for organizations to ensure they are adequately prepared for and protected from today’s cyber threats.


Shodan query for potential Ivanti deployments

Today’s threat landscape

Initial incidents involving the Ivanti vulnerabilities were attributed to a suspected Chinese-nexus threat actor tracked as ‘UTA0178’ and ‘UNC5221,’ while more recent activity has been linked to a financially motivated threat actor dubbed ‘Magnet Goblin’ by Check Point.

Amongst the worldwide reports of organizations being targeted and compromised by various threat actors, the United States Cybersecurity and Infrastructure Security Agency (CISA) recently confirmed that it had identified malicious activity arising from the compromise of its own Ivanti products.

Details of the CISA incident are currently somewhat vague, but it is understood that the threat actors stole credentials from compromised appliances and deployed webshells and reverse shells to gain and maintain persistence.

In the current threat landscape, we continue to see data exfiltration by threat actors motivated by both espionage and financial gain. Those motivated by financial gain often run ransomware and data extortion campaigns that quickly adopt emerging exploits to gain access to an organization’s data assets.

Regardless of who is responsible or what their motivations are, organizations should continue to act promptly, minimizing the window of exposure between vulnerability disclosure and remediation.

CVE-2023-46805

The attack chain commences with the exploitation of CVE-2023-46805, a high-severity authentication bypass vulnerability with a CVSSv3 base score of 8.2, affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x.

As demonstrated in the publicly available Metasploit module, a target appliance can be queried on a specific API endpoint to determine its vulnerability based on the HTTP response. If vulnerable, the API endpoint can be manipulated to traverse the directory structure and access a sensitive endpoint for further exploitation.

CVE-2024-21887

Following the authentication bypass, CVE-2024-21887 — a critical-severity command injection vulnerability with a CVSSv3 base score of 9.1 — allows specially crafted requests to execute arbitrary commands on the affected appliance.

Without CVE-2023-46805, exploitation of this vulnerability would require authentication as an administrator, hence the severity when it is chained with the authentication bypass.

Based on a secondary public Metasploit module, this vulnerability arises from the appliance’s use of the XMLTooling library, which can be exploited via Server-Side Request Forgery (SSRF).
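The two stages described above leave distinct traces in web access logs: the authentication bypass shows up as directory-traversal sequences in requests to API paths, and the command injection shows up as shell metacharacters inside request parameters. The following detector is an added example written for this page; it is not Varonis or Ivanti code, the log lines are constructed, and the request paths (`/api/v1/...`, `/auth/login`) are hypothetical rather than the appliance's real endpoints. It fully URL-decodes each request target (so `%2e%2e` and double-encoded `%252e` variants are caught), flags the two indicator types, and then reports any source IP that exhibits both, which is the pairing the chain relies on.

```python
"""Scan access-log lines for two indicators matching the chain described above:
directory traversal against API paths (authentication-bypass style) and shell
metacharacters in request parameters (command-injection style).
Added example; sample lines are constructed and the paths are hypothetical."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Common Log Format (not from a real appliance).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2024:10:01:02 +0000] "GET /api/v1/status HTTP/1.1" 200 512
203.0.113.7 - - [12/Jan/2024:10:01:03 +0000] "GET /api/v1/backup/../../admin/system-info HTTP/1.1" 200 2048
198.51.100.9 - - [12/Jan/2024:10:02:14 +0000] "GET /api/v1/backup/%2e%2e/%2e%2e/admin/system-info HTTP/1.1" 200 2048
198.51.100.9 - - [12/Jan/2024:10:02:15 +0000] "POST /api/v1/license/keys-status/;id%3b HTTP/1.1" 200 64
192.0.2.44 - - [12/Jan/2024:10:03:00 +0000] "GET /auth/login HTTP/1.1" 200 4096
192.0.2.44 - - [12/Jan/2024:10:03:01 +0000] "GET /api/v1/status?node=web01 HTTP/1.1" 200 512
"""

# Common Log Format: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no business in a normal API parameter.
SHELL_META_RE = re.compile(r'[;|`]|\$\(|&&|\|\|')


def decode_fully(s, rounds=3):
    """URL-decode repeatedly so double encoding such as %252e unwraps to '.'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_request(target):
    """Return the list of indicator names found in one request-target string."""
    findings = []
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    query = decode_fully(parts.query)
    # Traversal: any '..' path component after decoding, whatever the encoding used.
    if '..' in path.split('/'):
        findings.append('path_traversal')
    # Injection: shell metacharacters in the decoded path or query string.
    if SHELL_META_RE.search(path) or SHELL_META_RE.search(query):
        findings.append('shell_metachar')
    return findings


def scan_log(text):
    """Parse each log line; return (ip, target, indicators) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        indicators = analyze_request(m.group('target'))
        if indicators:
            hits.append((m.group('ip'), m.group('target'), indicators))
    return hits


def chained_sources(hits):
    """Return source IPs that show both indicator types, i.e. the traversal
    followed by injection pattern that the two vulnerabilities are chained as."""
    by_ip = {}
    for ip, _, indicators in hits:
        by_ip.setdefault(ip, set()).update(indicators)
    wanted = {'path_traversal', 'shell_metachar'}
    return sorted(ip for ip, inds in by_ip.items() if wanted <= inds)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for ip, target, indicators in found:
        print(f'{ip}\t{", ".join(indicators)}\t{target}')
    print('sources showing the full chain:', chained_sources(found))
```

Because the Integrity Checker Tool discussed later on this page is a point-in-time check, log evidence of this kind (ideally collected off-appliance by a reverse proxy or log forwarder) is a useful complement: it records the attempt even if the appliance itself has since been returned to a clean state.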

Recommendations

In addition to assuming that a vulnerable device may have already been compromised, including the potential for rootkit-level persistence, CISA encourages organizations to assume that user and service account credentials stored within the affected appliance are also compromised.

In the first instance, organizations utilizing potentially vulnerable appliances should review both the updated Ivanti article and the Recovery Steps article for details of available patches, mitigations, and recovery steps, along with their Integrity Checker Tool (ICT).

When considering the use of Ivanti’s ICT, both Ivanti themselves and multiple national cybersecurity teams warn that the tool provides only a point-in-time snapshot of the affected appliance and, as such, may not detect a compromise if the threat actor has restored the appliance to a clean state before the check runs.

Furthermore, it is recommended that organizations use Ivanti’s external ICT, which reduces the risk of a compromised appliance manipulating the results, and pair it with continuous monitoring.

At Varonis, our Managed Detection and Response (MDDR) team helps mitigate complex threats to your most valuable asset: data.

We protect your business from material data breaches with 24x7x365 incident response, alert monitoring, and security posture management from Varonis data security experts.

Learn more about Varonis MDDR and schedule a quick demo with our team to reduce your risks without taking any.

