Ivanti, a US-based cybersecurity provider, focuses on providing customers with secure Internet communications anywhere in the world. But with a clientel that includes Fortune 500 companies from across the world and the US federal government, their products have become the target of sophisticated attacks by advanced persistent threats. On January 10, 2024, Ivanti announced two vulnerabilities in their Ivanti Connect Secure(CS) VPN (formerly called Pulse Secure) and Ivanti Policy Secure (PS) appliances. Throughout January, numerous incident response organizations, including Mandiant and Volexity, have stepped up to the plate to investigate what happened, who did it, and provide recommendations on what to do about the issue.
Post Contents:
What Happened?
The two vulnerabilities that security researchers have identified in the Ivanti CS VPN and PS appliances are titled CVE-2023-46805 and CVE-2024-21887. The first, consists of authentication bypass processes and the second results in privileged command injection, allowing an attacker to pass arbitrary commands on impacted devices with elevated privileges. Simply put, using these two vulnerabilities allowed the threat actors involved to get through the authentication process of the VPN and PS appliances and achieve the ability to access information they were not privileged to access. The attackers did this by using a trojan horse (this being an executable file disguised as a normal system file) that once referenced exploited the vulnerabilities at hand. Further, they established persistence through a malware backdoor that enabled attackers to continue exploitation once security professionals patched entry points.
Attacks like this on what should be very secure VPN connections and appliances pose great risk to affected organizations. A VPN, for example, is designed to provide secure site-to-site or point-to-site connection to organizational resources. Without the VPN, users would not have access to these organizational resources. Essentially, the company depends upon these encrypted tunnels to protect private data transmission over the open internet, improving the availability of their network to remote workers or those working off-site. An attacker who effectively compromises these secure communication tunnels is then able to move around the network more effortlessly, or worse, exfiltrate senstive data and leverage it in some way.
From the perspective of a network or security administrator, this is a very difficult attack to recover from. One that will take a great deal of time and resources to fix. Not only will they need to be sure that new VPN tunnels are set up and security appliances purchased, but they will also need to figure out what information became exposed and to what extent data was lost.
What Was Exposed?
As of January 11, 2024, Ivanti declared that less than 10 of their customrs were affected by this attack. However, as security researchers and incident response handlers have investigated the issue, the more alarming number of over 1,700 compromised devices has customers concerned. Sensitive data for small business, Fortune 500 companies, governments across the globe, and large communications companies has been exposed, though the specifics of what were taken is still largely under wraps.
Who Did It?
After a month of investigation, Mandiant declares with “moderate confidence that UNC5221 is a Chinese-nexus espionage threat actor” targeting many as a means to promote the interests of the Peaple’s Republic of China (PRC). Security researchers attribute the Tools, Tactics, and Procedures (TTPs) to be those indicative of advanced persistant threats common to Chinese origin. While Mandiant is unable to confirm that the PRC had direct involvement in the attacks, the TTPs used in the Ivanti attack coincide with the extensive espionage campaign that many advanced hackers from China have partaken in.
What to Do Next?
- The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for the halted usage of these products in the federal government.
- Ivanti has released the first round of patches for their Connect Secure VPN and Policy Secure appliances. These patches have been made available at Ivanti’s website.
- In conjunction with Mandiant and Volexity, Ivanti published mitigation protocols to enact while further patches are developed.
- Ivanti has advised that affected devices be factory reset prior to patching and enacting mitigation steps so as to eliminate persistence.
- To help organizations running Ivanti products discover if they have been affected by these exploits, Ivanti published an internal Integrity Checker Tool (ICT) to observe discrepencies in the source code of their products. If this tool comes back with no results, customers should also run the third-party ICT developed by Mandiant and Volexity and observe results. Ivanti has also asked that results be shared with them for further analysis and investigation.
- Both on-device and user access passwords affiliated with the Ivanti products should be reset. Administrators should also observe their EDR telemetry and firewall logs for traffic to any one of the credential harvester C2 servers listed on Mandiant’s website.
Additional Resources:
https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation