TL;DR:
– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to federal agencies to implement mitigations against two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure products.
– The vulnerabilities, an authentication bypass and a code injection bug, have been actively exploited by multiple threat actors, allowing them to execute arbitrary commands on systems and gain full access to target information systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive urging federal agencies to take immediate action to protect against two zero-day vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The vulnerabilities, an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887), have been actively exploited by threat actors, allowing them to execute arbitrary commands on systems and gain full access to target information systems.
CISA’s emergency directive comes in response to a “sharp increase in threat actor activity” following the public disclosure of the vulnerabilities on January 11, 2024. The agency warns that successful exploitation of these vulnerabilities can lead to data exfiltration, lateral movement within networks, and the establishment of persistent system access.
Ivanti, the company behind the affected products, plans to release an update to address the flaws in the coming week. In the meantime, they have provided a temporary workaround in the form of an XML file that organizations can import into affected products to make necessary configuration changes.
To mitigate the risks posed by these vulnerabilities, CISA urges organizations to apply the mitigation provided by Ivanti. It also recommends running Ivanti's External Integrity Checker Tool to identify signs of compromise and, if any are found, disconnecting the affected devices from the network and resetting them.
In addition to the emergency directive, cybersecurity firms Volexity and Mandiant have observed attacks leveraging the zero-day vulnerabilities to deploy web shells and passive backdoors for persistent access to compromised devices. The initial wave of attacks, identified in December 2023, has been attributed by Volexity to a Chinese nation-state group it tracks as UTA0178. Mandiant, however, tracks the same activity under the name UNC5221 to avoid linking it to any specific group or country.
Threat intelligence firm GreyNoise has also observed the vulnerabilities being exploited by bad actors to drop persistent backdoors and XMRig cryptocurrency miners, indicating opportunistic exploitation for financial gain.
It is important for organizations running ICS and IPS products to ensure they apply the necessary mitigations and closely monitor their systems for signs of compromise. The swift response by CISA underscores the severity of these vulnerabilities and the need for immediate action to protect critical systems and information.