
Flash Notice: UPDATE - Ivanti Zero Days Exploited by Chinese Threat Actors

Written by Marketing | Jan 12, 2024 3:40:11 PM

UPDATE (1/18/2024) -

Last week, we reported on zero-day vulnerabilities affecting Ivanti’s Connect Secure VPN and Policy Secure network access control appliances. This week, it is being reported that the vulnerabilities are under massive exploitation. The attackers use a GIFTEDVISITOR webshell variant to backdoor their targets' systems. The victims include government and military departments, national telecommunications companies, defense contractors, technology companies, banking, finance, accounting organizations, consulting outfits, and aerospace, aviation, and engineering firms. 

List of tools used in current attacks:  

  • Zipline Passive Backdoor 
  • Thinspool Dropper 
  • Wirefire web shell 
  • Lightwire web shell 
  • Warpwire harvester 
  • PySoxy tunneler 
  • BusyBox 
  • Thinspool utility (sessionserver.pl) 

While Ivanti is yet to release patches for the zero-days, the attacks have escalated, involving multiple threat groups. The suspected Chinese state-backed threat actor (tracked as UTA0178 or UNC5221) has been joined by other threat groups. 

OVERVIEW

Chinese threat actors are targeting Ivanti's widely used VPN appliance, Ivanti Connect Secure (ICS). The associated vulnerabilities are tracked as CVE-2023-46805 and CVE-2024-21887 and allow threat actors to bypass two-factor authentication, as well as execute malicious code within targeted networks.  

Similar to Ivanti’s Avalanche vulnerabilities, these current flaws could have far-reaching consequences for organizations relying on Ivanti solutions. The threat actors, suspected to be a Chinese nation-state-level threat actor known as UTA0178, have exploited CVE-2023-46805 and CVE-2024-21887 by not only bypassing authentication but also by executing arbitrary commands - potentially leading to network compromises. Researchers from Volexity stated that the threat actors backdoored the infected network by installing a web shell interface on Internet-facing web servers before hiding their tracks from investigators. 

CVE-2023-46805 has a CVSS score of 8.2 and is described by Ivanti as an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. It allows a remote attacker to access restricted resources by bypassing control checks. 

CVE-2024-21887 has a CVSS score of 9.1 and is described by Ivanti as a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. The vulnerability allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. 

Organizations using Ivanti Connect Secure should follow Ivanti’s mitigation guidance and implement the recommendations immediately while Ivanti continues to work on developing patches for the zero-days. Patches are expected to be released in a staggered schedule, with the first version being released during the week of January 22 and the final version during the week of February 19. 

AVERTIUM'S RECOMMENDATIONS

Avertium recommends following Ivanti’s mitigation guidance for CVE-2023-46805 and CVE-2024-21887.  
  • Organizations can read Ivanti’s KB Article for steps on how to apply the mitigations.  
  • Follow Ivanti’s advisory to receive updates on patching and other guidance.  


INDICATORS OF COMPROMISE (IoCs)

IPv4

  • 206.189.208[.]156 
  • 98.160.48[.]170 
  • 50.213.208[.]89 
  • 47.207.9[.]89 
  • 173.220.106[.]166 
  • 75.145.243[.]85 
  • 75.145.224[.]109 
  • 50.215.39[.]49 
  • 73.128.178[.]221 
  • 50.243.177[.]161 
  • 64.24.179[.]210 
  • 71.127.149[.]194 
  • 173.53.43[.]7 

Domains 

  • Symantke[.]com 
  • Sessionserver[.]sh 
  • Sessionserver[.]pl 
  • webb-institute[.]com 
  • gpoaccess[.]com 
  • dslogconfig[.]pm 
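The indicators above are published defanged (`[.]` in place of `.`), so they cannot be grepped for directly. The following is an added example, not Avertium's or Ivanti's code: it refangs the notice's IPv4 and domain indicators and sweeps them across firewall, DNS and proxy log lines. Every entry under "Domains" is treated as a string indicator (matching exact names and subdomains), which also catches `sessionserver.pl`, the Thinspool utility named in the tools list, when it shows up in a file path. The log lines, their field layout and the path `/tmp/sessionserver.pl` are constructed for the example and are not from the notice.

```python
import re
from ipaddress import ip_address

# Indicators copied from the notice, still in defanged form.
IPV4_IOCS = [
    "206.189.208[.]156", "98.160.48[.]170", "50.213.208[.]89", "47.207.9[.]89",
    "173.220.106[.]166", "75.145.243[.]85", "75.145.224[.]109", "50.215.39[.]49",
    "73.128.178[.]221", "50.243.177[.]161", "64.24.179[.]210", "71.127.149[.]194",
    "173.53.43[.]7",
]
DOMAIN_IOCS = [
    "Symantke[.]com", "Sessionserver[.]sh", "Sessionserver[.]pl",
    "webb-institute[.]com", "gpoaccess[.]com", "dslogconfig[.]pm",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its real, lower-cased form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), s)
    return s


IP_SET = {refang(i) for i in IPV4_IOCS}
DOMAIN_SET = {refang(d) for d in DOMAIN_IOCS}

# Dotted-quad tokens that are not part of a longer dotted/numeric run.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostname-like tokens: label characters with at least one dot, bounded by non-label characters.
HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![A-Za-z0-9.-])")


def scan_line(line: str):
    """Return (ip_hits, domain_hits) for one log line, each as a sorted list."""
    ip_hits = set()
    for tok in IPV4_RE.findall(line):
        try:
            ip_address(tok)          # drop things like 999.1.1.1 that only look like an IP
        except ValueError:
            continue
        if tok in IP_SET:
            ip_hits.add(tok)

    domain_hits = set()
    for tok in HOST_RE.findall(line):
        name = tok.lower().rstrip(".")
        for ioc in DOMAIN_SET:
            # exact match or any subdomain of the indicator
            if name == ioc or name.endswith("." + ioc):
                domain_hits.add(ioc)
    return sorted(ip_hits), sorted(domain_hits)


def scan_log(lines):
    """Return [(line_no, line, ip_hits, domain_hits)] for every line that matched an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        ips, domains = scan_line(line)
        if ips or domains:
            hits.append((n, line, ips, domains))
    return hits


# Constructed sample log lines (not real telemetry): firewall, DNS, proxy and file-audit events.
SAMPLE_LOG = [
    "2024-01-12T10:01:07Z fw allow src=10.20.30.40 dst=206.189.208.156 dport=443",
    "2024-01-12T10:02:11Z dns query client=10.20.30.41 qname=update.symantke.com type=A",
    "2024-01-12T10:03:45Z fw allow src=10.20.30.42 dst=8.8.8.8 dport=53",
    "2024-01-12T10:04:02Z proxy GET http://gpoaccess.com/ client=10.20.30.43",
    "2024-01-12T10:05:13Z dns query client=10.20.30.44 qname=www.example.com type=A",
    "2024-01-12T10:06:30Z ics-audit file-change path=/tmp/sessionserver.pl",  # constructed path
]

if __name__ == "__main__":
    for n, line, ips, domains in scan_log(SAMPLE_LOG):
        print(f"line {n}: ips={ips} domains={domains}")
        print(f"    {line}")
```

Feed `scan_log` the lines of an exported firewall, DNS resolver or web-proxy log; each hit names the indicator that matched so it can be tied back to this notice. Matching on subdomains is deliberate, since a `qname` such as `update.symantke.com` would otherwise slip past an exact-string check.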

HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping - Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan). 
  • We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 
SUPPORTING DOCUMENTATION

CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways 

KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways 

Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity 

Actively exploited 0-days in Ivanti VPN are letting hackers backdoor networks | Ars Technica 

Ivanti warns of Connect Secure zero-days exploited in attacks (bleepingcomputer.com) 

Ivanti Connect Secure zero-days now under mass exploitation (bleepingcomputer.com)