Global alert issued over Ivanti vulnerability exploits by Five Eyes
In a recent development, cybersecurity agencies from around the world, including the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and partners from the UK, Canada, Australia, New Zealand, and MS-ISAC, have issued a global alert about active exploitation of critical vulnerabilities in Ivanti Connect Secure and Policy Secure.
Eric Goldstein, the assistant executive director for cybersecurity at CISA, stated that since the initial disclosure of these vulnerabilities, CISA and its partners have worked urgently to provide actionable guidance and assist impacted victims. The alert comes weeks after Ivanti released a security patch and related mitigation guidance.
Threat actors have been exploiting these vulnerabilities since early December, using living-off-the-land techniques and novel malware to establish persistence. In certain cases they have been found to bypass the Ivanti Integrity Checker Tool, leaving it unable to detect the intrusion.
The current recommended mitigation strategies, as advised by the agencies, primarily focus on applying the latest patched versions provided by Ivanti. This means upgrading Ivanti Connect Secure to version 22.7R2.8 or 22.8R2 (or later), and Ivanti Policy Secure to version 22.7R1.5 (or later). Updates to related products such as Ivanti ZTA Gateway, Neurons for Secure Access, and Virtual Application Delivery Controller should also be applied according to the latest advisories.
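A quick way to turn the version guidance above into a patch-compliance check across an appliance inventory. This is an added example, not code from the advisory or from Ivanti; it assumes Ivanti version strings follow the MAJOR.MINOR R RELEASE[.PATCH] shape seen in the text (for example 22.7R2.8), treats a missing patch number as 0, and uses the fixed builds exactly as stated in the paragraph above. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed builds as stated in the advisory summary above.
# Connect Secure has two branches; a device counts as patched if it is at or
# above the fix for its own MAJOR.MINOR branch, or above the newest fix ("or later").
FIXED_VERSIONS: Dict[str, List[Version]] = {
    "Ivanti Connect Secure": [(22, 7, 2, 8), (22, 8, 2, 0)],
    "Ivanti Policy Secure": [(22, 7, 1, 5)],
}

# Assumed format: "22.7R2.8" or "22.8R2" (patch component optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> Version:
    """Parse an Ivanti-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def is_patched(product: str, version: str) -> bool:
    """True if the running build meets the fix for its branch or exceeds the newest fix."""
    v = parse_version(version)
    fixes = sorted(FIXED_VERSIONS[product])
    if v >= fixes[-1]:
        return True
    # Same MAJOR.MINOR branch and at or above that branch's fixed build.
    return any(v[:2] == fix[:2] and v >= fix for fix in fixes)

def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, reason) for every device that still needs attention."""
    findings = []
    for host, product, version in inventory:
        try:
            if not is_patched(product, version):
                findings.append((host, f"{product} {version} is below a fixed build"))
        except (KeyError, ValueError) as exc:
            findings.append((host, f"cannot assess: {exc}"))  # unknown product or format
    return findings

# Constructed sample inventory for the example (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.7"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.8R2"),
    ("nac-core-01", "Ivanti Policy Secure", "22.7R1.5"),
    ("nac-core-02", "Ivanti Policy Secure", "22.6R1"),
]

if __name__ == "__main__":
    for host, reason in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

A device on an older branch with no fix listed (22.6R1 above) is reported as needing the upgrade rather than silently passing, and unparseable strings are surfaced instead of being skipped.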
These updates address multiple high-severity vulnerabilities, including buffer overflows, administrative bypass, SQL injection, and remote code execution, which threat actors are actively exploiting. The advisory specifically flags an authentication bypass vulnerability (CVE-2023-46805), a command injection vulnerability (CVE-2024-21887), and a server-side request forgery vulnerability (CVE-2024-21893).
The agencies strongly recommend thorough hunting for malicious activity and for the indicators of compromise associated with these vulnerabilities. Network appliances should be closely monitored for suspicious behavior such as unexpected crashes, unauthorized access attempts, or the presence of tooling like Cobalt Strike Beacon and RATs. Layered security controls, including network segmentation, restricting remote access, and enhancing endpoint detection and response capabilities, should be implemented to limit attacker movement if a compromise occurs.
Geoff Mattson, CEO of Xage Security, stated that the finding speaks to inherent weaknesses in key security products, particularly VPNs, that are widely used across key industries. Mattson noted that Ivanti VPN has modules containing open source software executables that have not been updated in over 20 years, making them inherently vulnerable to attack.
Suspected state-linked espionage actors have exploited these vulnerabilities, bypassed authentication methods, gained persistent access, and engaged in malicious activities, including the installation of webshells. Mandiant has seen hackers attempt to mask their activity. Threat actors may be able to gain root-level persistence on devices, even after factory resets.
In summary, the foremost action is to immediately deploy the official patches released by Ivanti to remediate the vulnerabilities before further malicious exploitation occurs. This should be complemented by the active monitoring and defense measures recommended by CISA and the FBI. Consulting CISA's Known Exploited Vulnerabilities catalog for updated guidance on managing these CVEs, and maintaining proactive patch management and cybersecurity hygiene, is also strongly advised.
- The global alert issued by cybersecurity agencies highlights active exploitation of vulnerabilities in Ivanti Connect Secure and Policy Secure, which have been used by threat actors since early December.
- Geoff Mattson, CEO of Xage Security, commented on the issue, stating that the findings revealed inherent weaknesses in key security products, particularly VPNs, which are widely used across various industries.
- The advisory issued by the agencies recommends not only applying the latest patched versions provided by Ivanti but also implementing layered security controls, such as network segmentation, restricting remote access, and enhancing endpoint detection and response capabilities, to limit attacker movement if compromise occurs.