Cybersecurity
_ _ _ 0 Comments

Actively exploited 0-days in Ivanti VPN are letting hackers backdoor networks

The word ZERO-DAY is hidden amidst a screen filled with ones and zeroes.
Enlarge
Getty Images

Unknown threat actors are actively targeting two critical zero-day vulnerabilities that allow them to bypass two-factor authentication and execute malicious code inside networks that use a widely used virtual private network appliance sold by Ivanti, researchers said Wednesday.

Ivanti reported bare-bones details concerning the zero-days in posts published on Wednesday that urged customers to follow mitigation guidance immediately. Tracked as CVE-2023-846805 and CVE-2024-21887, they reside in Ivanti Connect Secure, a VPN appliance often abbreviated as ICS. Formerly known as Pulse Secure, the widely used VPN has harbored previous zero-days in recent years that came under widespread exploitation, in some cases to devastating effect.

Exploiters: Start your engines

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” researchers from security firm Volexity wrote in a post summarizing their investigative findings of an attack that hit a customer last month. “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.” Researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster went on to write:

Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool. Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further, the attacker also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.

The researchers attributed the hacks to a threat actor tracked under the alias UTA0178, which they suspect is a Chinese nation-state-level threat actor.

Like other VPNs, the ICS sits at the edge of a protected network and acts as the gatekeeper that’s supposed to allow only authorized devices to connect remotely. That position and its always-on status make the appliance ideal for targeting when code-execution vulnerabilities in them are identified. So far, the zero-days appear to have been exploited in low numbers and only in highly targeted attacks, Volexity CEO Steven Adair said in an email. He went on to write:

However, there is a very good chance that could change. There will now be a potential race to compromise devices before mitigations are applied. It is also possible that the threat actor could share the exploit or that additional attackers will otherwise figure out the exploit. If you know the details—the exploit is quite trivial to pull off and it requires absolutely no authentication and can be done over the Internet. The entire purposes of these devices are to provide VPN access, so by nature they sit on the Internet and are accessible.

The threat landscape of 2023 was dominated by the active mass exploitation of a handful of high-impact vulnerabilities tracked under the names Citrix Bleed or designations including CVE-2022-47966, CVE-2023-34362 and CVE-2023-49103, which resided in the Citrix NetScaler Application Delivery Controller and NetScaler Gateway, the MOVEit file-transfer service, and 24 wares sold by Zoho-owned ManageEngine and ownCloud, respectively. Unless affected organizations move more quickly than they did last year to patch their networks, the latest vulnerabilities in the Ivanti appliances may receive the same treatment.

Researcher Kevin Beaumont, who proposed “Connect Around” as a moniker for tracking the zero-days, posted results from a scan that showed there were roughly 15,000 affected Ivanti appliances around the world exposed to the Internet. Beaumont said that hackers backed by a nation-state appeared to be behind the attacks on the Ivanti-sold device.

Map showing geographic location of ICS deployments, led by the US, Japan, Germany, France, and Canada.
Enlarge / Map showing geographic location of ICS deployments, led by the US, Japan, Germany, France, and Canada.
Shodan

Attention Bob the Builder: This is not a drill

“It’s really widely used in enterprise space and government, so I would suggest it’s one to get skates on and may need a bunch of compromise assessments at larger orgs,” he wrote, adding: “Most orgs don’t have the capability to detect suspected zero-day exploitation of a VPN and call in Mandiant IR… they probably have Bob The Builder as an MSP and a security budget of 4 twigs.”

CVE-2023-46805 is an authentication bypass in the ICS web component, which, when exploited, enables attackers to circumvent control checks and access restricted resources. CVE-2024-21887, meanwhile, is a command injection vulnerability that allows authenticated administrators to send specially crafted requests that execute commands of their choice on vulnerable appliances. They carry severity ratings of 8.2 and 9.1 out of a possible 10, respectively. When combined, unauthenticated attackers can run arbitrary commands on all supported versions of ICS and a second Ivanti product known as the Policy Secure Gateways.

After exploiting the vulnerabilities, the attackers tracked by Volexity went on to backdoor the infected network by installing a web shell interface on Internet-facing web servers. The attackers then took steps to hide the tracks from investigators. Company researchers wrote:

During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers. These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organization’s Internet-facing Ivanti Connect Secure (ICS) VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure). A closer inspection of the ICS VPN appliance showed that its logs had been wiped and logging had been disabled. Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address. Volexity found that there was suspect activity originating from the device as early as December 3, 2023.

Volexity went on to advise other ICS users to search their networks for the following indicators of compromise:

  • Outbound connections via curl to an IP Geolocation service via ip-api[.]com and to Cloudflare’s 1.1.1.1 IP address on multiple occasions
  • Reverse SOCKS proxy and SSH tunnel connections back through compromised Cyberoam appliances
  • Download of tooling from a compromised Cybroam appliance
  • Reconnaissance of internal websites through proxied connections
  • Lateral movement using compromised credentials to connect to internal systems via RDP, SMB, and SSH
  • Transfer of multiple webshell variants, which Volexity calls GLASSTOKEN, to Internet-accessible web servers and systems that were only internally accessible.

Organizations using either of the affected Ivanti products should prioritize following the mitigation guidance advised by Ivanti. It’s crucial to remember that patching is only the first step. All users should thoroughly analyze their networks for any signs of compromise using the indicators provided by Volexity since the attackers remove exploitation evidence from logs.

Post updated to correct designation of exploited MOVEit 0-day.

21