Today, Ivanti issued a warning regarding two additional Connect Secure zero-day exploits that are affecting Connect Secure, Policy Secure, and ZTA gateways. One of these vulnerabilities is a zero-day bug that is currently being actively exploited.
Ivanti Connect Secure zero-day Exploits
The zero-day vulnerability (CVE-2024-21893) identified is a server-side request forgery flaw in the SAML component of the gateways. This flaw enables unauthorized individuals to bypass authentication protocols and gain access to restricted resources on vulnerable devices.
Additionally, a separate vulnerability (CVE-2024-21888) has been discovered in the web component of the gateways. Exploiting this flaw allows malicious actors to elevate their privileges to that of an administrator.
“As part of our ongoing investigation into the vulnerabilities reported on 10 January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have discovered new vulnerabilities. These vulnerabilities impact all supported versions – Version 9.x and 22.x,”
Ivanti said.
“We have no evidence of any customers being impacted by CVE-2024-21888 at this time. We are only aware of a small number of customers who have been impacted by CVE-2024-21893 at this time.”
“It is critical that you immediately take action to ensure you are fully protected,”
Ivanti warned in its advisory.
Ivanti has taken swift action to address both vulnerabilities by releasing security patches for certain affected versions of ZTA and Connect Secure. These patches mitigate the risks associated with the flaws.
Furthermore, for devices that are still awaiting a patch, Ivanti has provided detailed instructions on how to implement effective mitigation measures.
Patches for Two More Actively Exploited zero-day Flaws
In addition, Ivanti has recently released patches to address two other zero-day exploited flaws that were disclosed in early January. These vulnerabilities include an authentication bypass flaw (CVE-2023-46805) and a command injection flaw (CVE-2024-21887).
These zero-day vulnerabilities have been exploited in widespread attacks since January 11, with the intention of deploying malware on vulnerable ICS, IPS, and ZTA gateways.
To further protect against these attacks, Ivanti has also provided mitigation measures to block any attempts to exploit these vulnerabilities. Additionally, the company has shared recovery instructions to assist in restoring compromised devices and bringing them back online after an attack.
The Current Cybersecurity Landscape and Defenders’ Response
According to the threat monitoring platform Shadowserver, there are currently more than 24,700 Internet-exposed ICS VPN gateways being tracked. Out of these, over 7,200 are located in the United States. It is also worth noting that Shodan has identified over 22,000 Ivanti ICS VPNs that are publicly exposed online.
Shadowserver diligently monitors compromised Ivanti VPN instances on a daily basis. As of January 30, they have already discovered over 460 compromised devices. This highlights the urgency of the situation.
In response to the widespread exploitation of the CVE-2023-46805 and CVE-2024-21887 Ivanti zero-day vulnerabilities by multiple threat actors, the Cybersecurity and Infrastructure Security Agency (CISA) has issued the first emergency directive (ED 24-01) of 2024. This directive mandates federal agencies to swiftly mitigate these vulnerabilities to prevent further attacks.
The exploitation of the two chained zero-day vulnerabilities allows attackers to move laterally within the networks of their victims. This enables them to steal sensitive data and establish persistent access by deploying backdoors.
The list of identified victims is quite extensive, encompassing government and military organizations worldwide, national telecom companies, defense contractors, banking and finance institutions, accounting organizations, as well as aerospace, aviation, and technology firms.
These victims range in size, from small businesses to some of the largest multinational conglomerates, including multiple Fortune 500 companies across various industry sectors.
During the course of the extensive attacks, Mandiant has discovered the use of five custom malware strains. These malicious tools aid threat actors in stealing credentials, deploying webshells, and introducing additional harmful payloads.
The cybersecurity firms Volexity and GreyNoise have observed the deployment of XMRig cryptocurrency miners and Rust-based malware payloads on compromised systems of certain victims. This indicates that the attackers are not only focused on theft but also on leveraging compromised systems for cryptocurrency mining activities.
